Windows Analysis Report
tl-4.18.0-client-windows.exe

Overview

General Information

Sample name: tl-4.18.0-client-windows.exe
Analysis ID: 1618437
MD5: 168280ae119955b0e9eff6716951e5da
SHA1: 9d67c4960345e2aecb8cee06995f1120d8695ef9
SHA256: 8167a4f6de980e5e3a3bfc09460de80c8d16f1a8bb4cdd6633d69d96c9a5e1fc

Detection

Score: 13
Range: 0 - 100
Confidence: 60%

Compliance

Score: 33
Range: 0 - 100

Signatures

Uses regedit.exe to modify the Windows registry
Binary contains a suspicious time stamp
Drops PE files
EXE planting / hijacking vulnerabilities found
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious desktop.ini Action
Stores files to the Windows start menu directory
Uses 32bit PE files

Classification

[Classification radar chart. Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Legend: clean, suspicious, malicious.]
  • System is w10x64
  • tl-4.18.0-client-windows.exe (PID: 3744 cmdline: "C:\Users\user\Desktop\tl-4.18.0-client-windows.exe" MD5: 168280AE119955B0E9EFF6716951E5DA)
    • regedit.exe (PID: 4876 cmdline: regedit.exe /s "C:\Program Files\ThinLinc client\settings.reg" MD5: 999A30979F6195BF562068639FFC4426)
    • tlclient.exe (PID: 3180 cmdline: "C:\Program Files\ThinLinc client\tlclient.exe" MD5: 96E3878B529F456C5C38E2F22EF6B53B)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: File created; Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO); Data: EventID: 11, Image: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe, ProcessId: 3744, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ThinLinc\desktop.ini
No Suricata rule has matched

Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; EXE: regedit.exe

Compliance

Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; EXE: regedit.exe
Source: tl-4.18.0-client-windows.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Window detected: < &Back &Next > Cancel Nullsoft Install System v11-Oct-2021.cvs Nullsoft Install System v11-Oct-2021.cvs License Agreement Please review the license terms before installing ThinLinc client 4.18.0. Press Page Down to see the rest of the agreement. CENDIO END USER LICENSE AGREEMENT 3.5 IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. INSTALLING OR USING CENDIO SOFTWARE CONSTITUTES ACCEPTANCE OF THIS AGREEMENT. This License Agreement ("License") is entered into by you the Licensed User or representative of the Licensed User ("Licensee") and Cendio AB. THIS IS A LICENSE AND NOT A SALE 1. License 1.1 Subject to the terms and conditions of this License Cendio grants solely for use by Licensee a non-exclusive non-transferable license to use the software programs ("Program(s)") and related user guides ("Documentation") solely for its own internal business purposes including for the provision of offering hosting solutions where you remain the Licensee at the site specified in the applicable Cendio business records and solely in accordance with the accompanying Documentation. 1.2 All proprietary rights and trade secrets in the Program(s) and the Documentation and all copies (in whole or part) shall be the exclusive property of Cendio (and its licensors) and are protected by copyright laws and international treaty provisions.
Licensee shall have no right title or interest therein except for the rights expressly granted under this License. 1.3 Licensee may not use copy alter merge adapt modify rent or lease the Program(s) or the Documentation or any copy thereof in whole or in part except as expressly provided in this License or under applicable statutes. 1.4 Licensee acknowledges that the Program(s) contains certain third party software for which Cendio has obtained the right to sub-license to Licensee under all the terms hereof save as set out expressly in the license agreements accompanying such products. 1.5 The Program(s) may consist of software that provide services on a computer ("Server Program(s)") and software that allows a computer to access or utilize the services provided by the Server Program(s) ("Client Program(s)"). The Server Program(s) are provided free of charge and may be redistributed and downloaded provided all copyright notices and the terms of this License are not altered in any way or removed. The Client Program(s) are also provided free of charge and may be redistributed and downloaded provided all copyright notices and the terms of this License are not altered in any way or removed. Subject to Sections 1.6 and 1.7 Licensee may connect the Client Program(s) to the Server Program(s). 1.6 With exception of what is stated in Section 1.7 Licensee must have user licenses provided by Cendio ("User License(s)") corresponding to the number of physical persons that have Server Program(s) or that have other software that is being monitored by the Server Program(s) running on
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsm677F.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\uninstall.exe
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsf6F7F.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsu6F8F.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsk6FA0.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsa6FFF.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsa7000.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsp7010.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsk708E.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsq7235.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsv7255.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsq7285.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsg7296.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsb72C6.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsq72D6.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsg72E7.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsw72F8.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsw72F9.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsl7309.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsl730A.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsb731B.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsr732C.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsg733C.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsl735C.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\nsg73DA.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\de
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\de\LC_MESSAGES
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\de\LC_MESSAGES\nsm7449.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\es
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\es\LC_MESSAGES
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\es\LC_MESSAGES\nsb7459.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\fr
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\fr\LC_MESSAGES
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\fr\LC_MESSAGES\nsb745A.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\nl
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\nl\LC_MESSAGES
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\nl\LC_MESSAGES\nsr746B.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\pt_BR
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\pt_BR\LC_MESSAGES
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\pt_BR\LC_MESSAGES\nsh747C.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\ru
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\ru\LC_MESSAGES
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\ru\LC_MESSAGES\nsh747D.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\sv
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\sv\LC_MESSAGES
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\sv\LC_MESSAGES\nsw748D.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\tr
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\tr\LC_MESSAGES
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Directory created: C:\Program Files\ThinLinc client\locale\tr\LC_MESSAGES\nsm749E.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\tlclient
Source: tl-4.18.0-client-windows.exe; Static PE information: certificate valid
Source: global traffic; HTTP traffic detected: GET /downloads/clients/clientupdate.conf HTTP/1.1 Host: www.cendio.com Keep-Alive: Connection: TE, Keep-Alive TE: trailers
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: www.cendio.com

System Summary

Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Process created: C:\Windows\regedit.exe regedit.exe /s "C:\Program Files\ThinLinc client\settings.reg"
Source: nsg7296.tmp.0.dr; Static PE information: Number of sections : 12 > 10
Source: nsl730A.tmp.0.dr; Static PE information: Number of sections : 12 > 10
Source: nsl735C.tmp.0.dr; Static PE information: Number of sections : 13 > 10
Source: nsb72C6.tmp.0.dr; Static PE information: Number of sections : 12 > 10
Source: nsq72D6.tmp.0.dr; Static PE information: Number of sections : 12 > 10
Source: nsl7309.tmp.0.dr; Static PE information: Number of sections : 12 > 10
Source: nsw72F8.tmp.0.dr; Static PE information: Number of sections : 12 > 10
Source: nsq7235.tmp.0.dr; Static PE information: Number of sections : 12 > 10
Source: nsg73DA.tmp.0.dr; Static PE information: Number of sections : 12 > 10
Source: nsg72E7.tmp.0.dr; Static PE information: Number of sections : 12 > 10
Source: nsk708E.tmp.0.dr; Static PE information: Number of sections : 13 > 10
Source: nsw72F9.tmp.0.dr; Static PE information: Number of sections : 12 > 10
Source: nsk6FA0.tmp.0.dr; Static PE information: Number of sections : 12 > 10
Source: nsq7285.tmp.0.dr; Static PE information: Number of sections : 12 > 10
Source: nsv7255.tmp.0.dr; Static PE information: Number of sections : 12 > 10
Source: tl-4.18.0-client-windows.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: classification engine; Classification label: clean13.evad.winEXE@5/79@1/1
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; File created: C:\Program Files\ThinLinc client
Source: C:\Program Files\ThinLinc client\tlclient.exe; File created: C:\Users\user\AppData\Roaming\fltk.org
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; File created: C:\Users\user\AppData\Local\Temp\nsh2969.tmp
Source: tl-4.18.0-client-windows.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; File read: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
Source: unknown; Process created: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe "C:\Users\user\Desktop\tl-4.18.0-client-windows.exe"
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Process created: C:\Windows\regedit.exe regedit.exe /s "C:\Program Files\ThinLinc client\settings.reg"
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Process created: C:\Program Files\ThinLinc client\tlclient.exe "C:\Program Files\ThinLinc client\tlclient.exe"
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: userenv.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: propsys.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: riched20.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: usp10.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: msls31.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: profapi.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Section loaded: netutils.dll
Source: C:\Windows\regedit.exe; Section loaded: authz.dll
Source: C:\Windows\regedit.exe; Section loaded: aclui.dll
Source: C:\Windows\regedit.exe; Section loaded: ulib.dll
Source: C:\Windows\regedit.exe; Section loaded: clb.dll
Source: C:\Windows\regedit.exe; Section loaded: uxtheme.dll
Source: C:\Windows\regedit.exe; Section loaded: ntdsapi.dll
Source: C:\Windows\regedit.exe; Section loaded: xmllite.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: apphelp.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: iphlpapi.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: powrprof.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: umpdc.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: uxtheme.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: textinputframework.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: coreuicomponents.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: coremessaging.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: ntmarta.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: coremessaging.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: wintypes.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: wintypes.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: wintypes.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: dataexchange.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: d3d11.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: dcomp.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: dxgi.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: twinapi.appcore.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: msimg32.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: napinsp.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: pnrpnsp.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: wshbth.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: nlaapi.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: mswsock.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: dnsapi.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: winrnr.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: fwpuclnt.dll
Source: C:\Program Files\ThinLinc client\tlclient.exe; Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Loop ThinLinc client.lnk.0.dr; LNK file: ..\..\..\..\..\..\Program Files\ThinLinc client\tlclient.exe
Source: ThinLinc license.lnk.0.dr; LNK file: ..\..\..\..\..\..\Program Files\ThinLinc client\EULA.txt
Source: ThinLinc client.lnk.0.dr; LNK file: ..\..\..\..\..\..\Program Files\ThinLinc client\tlclient.exe
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; File written: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ThinLinc\desktop.ini
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Automated click: Next >
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Automated click: I accept the terms of the License Agreement
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Automated click: Next >
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe; Automated click: Install
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
Window detected: < &Back &Next > Cancel Nullsoft Install System v11-Oct-2021.cvs Nullsoft Install System v11-Oct-2021.cvs License Agreement Please review the license terms before installing ThinLinc client 4.18.0. Press Page Down to see the rest of the agreement.
CENDIO END USER LICENSE AGREEMENT 3.5
IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. INSTALLING OR USING CENDIO SOFTWARE CONSTITUTES ACCEPTANCE OF THIS AGREEMENT.
This License Agreement ("License") is entered into by you the Licensed User or representative of the Licensed User ("Licensee") and Cendio AB. THIS IS A LICENSE AND NOT A SALE
1. License
1.1 Subject to the terms and conditions of this License Cendio grants solely for use by Licensee a non-exclusive non-transferable license to use the software programs ("Program(s)") and related user guides ("Documentation") solely for its own internal business purposes including for the provision of offering hosting solutions where you remain the Licensee at the site specified in the applicable Cendio business records and solely in accordance with the accompanying Documentation.
1.2 All proprietary rights and trade secrets in the Program(s) and the Documentation and all copies (in whole or part) shall be the exclusive property of Cendio (and its licensors) and are protected by copyright laws and international treaty provisions. Licensee shall have no right title or interest therein except for the rights expressly granted under this License.
1.3 Licensee may not use copy alter merge adapt modify rent or lease the Program(s) or the Documentation or any copy thereof in whole or in part except as expressly provided in this License or under applicable statutes.
1.4 Licensee acknowledges that the Program(s) contains certain third party software for which Cendio has obtained the right to sub-license to Licensee under all the terms hereof save as set out expressly in the license agreements accompanying such products.
1.5 The Program(s) may consist of software that provide services on a computer ("Server Program(s)") and software that allows a computer to access or utilize the services provided by the Server Program(s) ("Client Program(s)"). The Server Program(s) are provided free of charge and may be redistributed and downloaded provided all copyright notices and the terms of this License are not altered in any way or removed. The Client Program(s) are also provided free of charge and may be redistributed and downloaded provided all copyright notices and the terms of this License are not altered in any way or removed. Subject to Sections 1.6 and 1.7 Licensee may connect the Client Program(s) to the Server Program(s).
1.6 With exception of what is stated in Section 1.7 Licensee must have user licenses provided by Cendio ("User License(s)") corresponding to the number of physical persons that have Server Program(s) or that have other software that is being monitored by the Server Program(s) running on
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
Directory created:
  • C:\Program Files\ThinLinc client
  • C:\Program Files\ThinLinc client\nsm677F.tmp
  • C:\Program Files\ThinLinc client\uninstall.exe
  • C:\Program Files\ThinLinc client\nsf6F7F.tmp
  • C:\Program Files\ThinLinc client\nsu6F8F.tmp
  • C:\Program Files\ThinLinc client\nsk6FA0.tmp
  • C:\Program Files\ThinLinc client\nsa6FFF.tmp
  • C:\Program Files\ThinLinc client\nsa7000.tmp
  • C:\Program Files\ThinLinc client\nsp7010.tmp
  • C:\Program Files\ThinLinc client\nsk708E.tmp
  • C:\Program Files\ThinLinc client\nsq7235.tmp
  • C:\Program Files\ThinLinc client\nsv7255.tmp
  • C:\Program Files\ThinLinc client\nsq7285.tmp
  • C:\Program Files\ThinLinc client\nsg7296.tmp
  • C:\Program Files\ThinLinc client\nsb72C6.tmp
  • C:\Program Files\ThinLinc client\nsq72D6.tmp
  • C:\Program Files\ThinLinc client\nsg72E7.tmp
  • C:\Program Files\ThinLinc client\nsw72F8.tmp
  • C:\Program Files\ThinLinc client\nsw72F9.tmp
  • C:\Program Files\ThinLinc client\nsl7309.tmp
  • C:\Program Files\ThinLinc client\nsl730A.tmp
  • C:\Program Files\ThinLinc client\nsb731B.tmp
  • C:\Program Files\ThinLinc client\nsr732C.tmp
  • C:\Program Files\ThinLinc client\nsg733C.tmp
  • C:\Program Files\ThinLinc client\nsl735C.tmp
  • C:\Program Files\ThinLinc client\nsg73DA.tmp
  • C:\Program Files\ThinLinc client\locale
  • C:\Program Files\ThinLinc client\locale\de
  • C:\Program Files\ThinLinc client\locale\de\LC_MESSAGES
  • C:\Program Files\ThinLinc client\locale\de\LC_MESSAGES\nsm7449.tmp
  • C:\Program Files\ThinLinc client\locale\es
  • C:\Program Files\ThinLinc client\locale\es\LC_MESSAGES
  • C:\Program Files\ThinLinc client\locale\es\LC_MESSAGES\nsb7459.tmp
  • C:\Program Files\ThinLinc client\locale\fr
  • C:\Program Files\ThinLinc client\locale\fr\LC_MESSAGES
  • C:\Program Files\ThinLinc client\locale\fr\LC_MESSAGES\nsb745A.tmp
  • C:\Program Files\ThinLinc client\locale\nl
  • C:\Program Files\ThinLinc client\locale\nl\LC_MESSAGES
  • C:\Program Files\ThinLinc client\locale\nl\LC_MESSAGES\nsr746B.tmp
  • C:\Program Files\ThinLinc client\locale\pt_BR
  • C:\Program Files\ThinLinc client\locale\pt_BR\LC_MESSAGES
  • C:\Program Files\ThinLinc client\locale\pt_BR\LC_MESSAGES\nsh747C.tmp
  • C:\Program Files\ThinLinc client\locale\ru
  • C:\Program Files\ThinLinc client\locale\ru\LC_MESSAGES
  • C:\Program Files\ThinLinc client\locale\ru\LC_MESSAGES\nsh747D.tmp
  • C:\Program Files\ThinLinc client\locale\sv
  • C:\Program Files\ThinLinc client\locale\sv\LC_MESSAGES
  • C:\Program Files\ThinLinc client\locale\sv\LC_MESSAGES\nsw748D.tmp
  • C:\Program Files\ThinLinc client\locale\tr
  • C:\Program Files\ThinLinc client\locale\tr\LC_MESSAGES
  • C:\Program Files\ThinLinc client\locale\tr\LC_MESSAGES\nsm749E.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\tlclient
Source: tl-4.18.0-client-windows.exe
Static PE information: certificate valid
Static file information: File size 15451168 > 1048576
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: nsk708E.tmp.0.dr
Static PE information: 0xA620A618 [Sat Apr 27 18:25:28 2058 UTC]
Source: uninstall.exe.0.dr
Static PE information: real checksum: 0xecac06 should be: 0x31886
Static PE information: section name, by source:
  • tl-4.18.0-client-windows.exe: .buildid
  • System.dll.0.dr: .buildid
  • nsDialogs.dll.0.dr: .buildid
  • uninstall.exe.0.dr: .buildid
  • nsk6FA0.tmp.0.dr: .rodata, .buildid, .xdata
  • nsp7010.tmp.0.dr: .buildid, .xdata
  • nsk708E.tmp.0.dr: .buildid, .xdata
  • nsq7235.tmp.0.dr: .buildid, .xdata
  • nsv7255.tmp.0.dr: .buildid, .xdata
  • nsq7285.tmp.0.dr: .buildid, .xdata
  • nsg7296.tmp.0.dr: .buildid, .xdata
  • nsb72C6.tmp.0.dr: .buildid, .xdata
  • nsq72D6.tmp.0.dr: .buildid, .xdata
  • nsg72E7.tmp.0.dr: .buildid, .xdata
  • nsw72F8.tmp.0.dr: .buildid, .xdata
  • nsw72F9.tmp.0.dr: .buildid, .xdata
  • nsl7309.tmp.0.dr: .buildid, .xdata
  • nsl730A.tmp.0.dr: .buildid, .xdata
  • nsb731B.tmp.0.dr: .buildid, .xdata
  • nsr732C.tmp.0.dr: .buildid, .xdata
  • nsg733C.tmp.0.dr: .buildid, .xdata
  • nsl735C.tmp.0.dr: .buildid, .xdata
  • nsg73DA.tmp.0.dr: .buildid, .xdata
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
File created:
  • C:\Program Files\ThinLinc client\nsg72E7.tmp
  • C:\Program Files\ThinLinc client\nsk6FA0.tmp
  • C:\Program Files\ThinLinc client\module-always-sink.dll (copy)
  • C:\Program Files\ThinLinc client\unfsd.exe (copy)
  • C:\Program Files\ThinLinc client\nsp7010.tmp
  • C:\Program Files\ThinLinc client\ssh.exe (copy)
  • C:\Program Files\ThinLinc client\pcsctun.exe (copy)
  • C:\Program Files\ThinLinc client\vncviewer.exe (copy)
  • C:\Program Files\ThinLinc client\sercd.exe (copy)
  • C:\Program Files\ThinLinc client\nsl7309.tmp
  • C:\Program Files\ThinLinc client\nsr732C.tmp
  • C:\Program Files\ThinLinc client\module-null-sink.dll (copy)
  • C:\Program Files\ThinLinc client\uninstall.exe
  • C:\Program Files\ThinLinc client\nsb731B.tmp
  • C:\Program Files\ThinLinc client\nsl730A.tmp
  • C:\Program Files\ThinLinc client\nsl735C.tmp
  • C:\Program Files\ThinLinc client\nsg73DA.tmp
  • C:\Program Files\ThinLinc client\nsw72F8.tmp
  • C:\Program Files\ThinLinc client\nsb72C6.tmp
  • C:\Program Files\ThinLinc client\libpulsecore-6.0.dll (copy)
  • C:\Program Files\ThinLinc client\nsg733C.tmp
  • C:\Program Files\ThinLinc client\nsv7255.tmp
  • C:\Program Files\ThinLinc client\libpulse-0.dll (copy)
  • C:\Program Files\ThinLinc client\nsq7235.tmp
  • C:\Program Files\ThinLinc client\nsk708E.tmp
  • C:\Program Files\ThinLinc client\libpulsecommon-6.0.dll (copy)
  • C:\Users\user\AppData\Local\Temp\nsx29C9.tmp\System.dll
  • C:\Program Files\ThinLinc client\module-waveout.dll (copy)
  • C:\Program Files\ThinLinc client\nsw72F9.tmp
  • C:\Program Files\ThinLinc client\nsg7296.tmp
  • C:\Program Files\ThinLinc client\libprotocol-native.dll (copy)
  • C:\Program Files\ThinLinc client\module-native-protocol-tcp.dll (copy)
  • C:\Program Files\ThinLinc client\module-rescue-streams.dll (copy)
  • C:\Program Files\ThinLinc client\opensc-pkcs11.dll (copy)
  • C:\Program Files\ThinLinc client\module-suspend-on-idle.dll (copy)
  • C:\Program Files\ThinLinc client\tlclient.exe (copy)
  • C:\Program Files\ThinLinc client\pdftocairo.exe (copy)
  • C:\Users\user\AppData\Local\Temp\nsx29C9.tmp\nsDialogs.dll
  • C:\Program Files\ThinLinc client\pulseaudio.exe (copy)
  • C:\Program Files\ThinLinc client\nsq7285.tmp
  • C:\Program Files\ThinLinc client\nsq72D6.tmp
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ThinLinc
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ThinLinc\desktop.ini
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ThinLinc\ThinLinc license.lnk
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ThinLinc\ThinLinc client.lnk
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ThinLinc\Loop ThinLinc client.lnk
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\regedit.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
Dropped PE file which has not been started:
  • C:\Program Files\ThinLinc client\nsg72E7.tmp
  • C:\Program Files\ThinLinc client\module-always-sink.dll (copy)
  • C:\Program Files\ThinLinc client\unfsd.exe (copy)
  • C:\Program Files\ThinLinc client\nsp7010.tmp
  • C:\Program Files\ThinLinc client\ssh.exe (copy)
  • C:\Program Files\ThinLinc client\pcsctun.exe (copy)
  • C:\Program Files\ThinLinc client\vncviewer.exe (copy)
  • C:\Program Files\ThinLinc client\sercd.exe (copy)
  • C:\Program Files\ThinLinc client\nsl7309.tmp
  • C:\Program Files\ThinLinc client\nsr732C.tmp
  • C:\Program Files\ThinLinc client\uninstall.exe
  • C:\Program Files\ThinLinc client\nsb731B.tmp
  • C:\Program Files\ThinLinc client\nsl730A.tmp
  • C:\Program Files\ThinLinc client\nsl735C.tmp
  • C:\Program Files\ThinLinc client\nsg73DA.tmp
  • C:\Program Files\ThinLinc client\nsw72F8.tmp
  • C:\Program Files\ThinLinc client\nsb72C6.tmp
  • C:\Program Files\ThinLinc client\libpulsecore-6.0.dll (copy)
  • C:\Program Files\ThinLinc client\nsg733C.tmp
  • C:\Program Files\ThinLinc client\libpulse-0.dll (copy)
  • C:\Program Files\ThinLinc client\nsv7255.tmp
  • C:\Program Files\ThinLinc client\nsq7235.tmp
  • C:\Program Files\ThinLinc client\nsk708E.tmp
  • C:\Program Files\ThinLinc client\libpulsecommon-6.0.dll (copy)
  • C:\Users\user\AppData\Local\Temp\nsx29C9.tmp\System.dll
  • C:\Program Files\ThinLinc client\module-waveout.dll (copy)
  • C:\Program Files\ThinLinc client\nsw72F9.tmp
  • C:\Program Files\ThinLinc client\nsg7296.tmp
  • C:\Program Files\ThinLinc client\libprotocol-native.dll (copy)
  • C:\Program Files\ThinLinc client\module-rescue-streams.dll (copy)
  • C:\Program Files\ThinLinc client\opensc-pkcs11.dll (copy)
  • C:\Program Files\ThinLinc client\module-native-protocol-tcp.dll (copy)
  • C:\Program Files\ThinLinc client\module-suspend-on-idle.dll (copy)
  • C:\Program Files\ThinLinc client\pdftocairo.exe (copy)
  • C:\Users\user\AppData\Local\Temp\nsx29C9.tmp\nsDialogs.dll
  • C:\Program Files\ThinLinc client\pulseaudio.exe (copy)
  • C:\Program Files\ThinLinc client\nsq7285.tmp
  • C:\Program Files\ThinLinc client\nsq72D6.tmp
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
File Volume queried: C:\Program Files FullSizeInformation
Source: tlclient.exe, 00000007.00000002.3382474905.0000000000161000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQQh
Source: nsg7296.tmp.0.dr
Binary or memory string: VMwareVMware
Source: C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
Queries volume information: C:\ VolumeInformation
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 Windows Service; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; 1 DLL Search Order Hijacking; Network Logon Script; RC Scripts
Privilege Escalation: 1 Windows Service; 1 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; 1 DLL Search Order Hijacking; RC Scripts
Defense Evasion: 3 Masquerading; 1 Modify Registry; 1 Process Injection; 1 Timestomp; 1 DLL Side-Loading; 1 DLL Search Order Hijacking
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Security Software Discovery; 2 File and Directory Discovery; 12 System Information Discovery; System Network Configuration Discovery; Internet Connection Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 2 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1618437, Sample: tl-4.18.0-client-windows.exe, Startdate: 18/02/2025, Architecture: WINDOWS, Score: 13)
  • tl-4.18.0-client-windows.exe started tlclient.exe and regedit.exe
  • Dropped: C:\Users\user\AppData\Local\...\nsDialogs.dll (PE32), C:\Users\user\AppData\Local\...\System.dll (PE32), C:\Program Files\...\vncviewer.exe (copy) (PE32+), 38 other files (none is malicious)
  • Signature: Uses regedit.exe to modify the Windows registry
  • DNS/IP: tlclient.exe to www.cendio.com, 193.12.253.124, 49835, 80, TELE2EU Sweden

Source | Detection | Scanner | Label | Link
tl-4.18.0-client-windows.exe | 0% | ReversingLabs | |
tl-4.18.0-client-windows.exe | 1% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
C:\Program Files\ThinLinc client\libprotocol-native.dll (copy) | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\libpulse-0.dll (copy) | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\libpulsecommon-6.0.dll (copy) | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\libpulsecore-6.0.dll (copy) | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\module-always-sink.dll (copy) | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\module-native-protocol-tcp.dll (copy) | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\module-null-sink.dll (copy) | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\module-rescue-streams.dll (copy) | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\module-suspend-on-idle.dll (copy) | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\module-waveout.dll (copy) | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\nsb72C6.tmp | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\nsb731B.tmp | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\nsg7296.tmp | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\nsg72E7.tmp | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\nsg733C.tmp | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\nsg73DA.tmp | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\nsk6FA0.tmp | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\nsk708E.tmp | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\nsl7309.tmp | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\nsl730A.tmp | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\nsl735C.tmp | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\nsp7010.tmp | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\nsq7235.tmp | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\nsq7285.tmp | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\nsq72D6.tmp | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\nsr732C.tmp | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\nsv7255.tmp | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\nsw72F8.tmp | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\nsw72F9.tmp | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\opensc-pkcs11.dll (copy) | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\pcsctun.exe (copy) | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\pdftocairo.exe (copy) | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\pulseaudio.exe (copy) | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\sercd.exe (copy) | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\ssh.exe (copy) | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\tlclient.exe (copy) | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\unfsd.exe (copy) | 0% | ReversingLabs | |
C:\Program Files\ThinLinc client\uninstall.exe | 3% | ReversingLabs | |
C:\Program Files\ThinLinc client\vncviewer.exe (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsx29C9.tmp\System.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsx29C9.tmp\nsDialogs.dll | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://www.cendio.com/0 | 0% | Avira URL Cloud | safe |
http://www.core-sdi.com | 0% | Avira URL Cloud | safe |
http://cairographics.org) | 0% | Avira URL Cloud | safe |
https://www.cendio.comHelpLinkhttps://www.cendio.com/thinlinc/supportNoModifyNoRepairuninstall.exe | 0% | Avira URL Cloud | safe |
http://cairographics.org)) | 0% | Avira URL Cloud | safe |
http://poppler.freedesktop.org | 0% | Avira URL Cloud | safe |
https://www.cendio.com/thinlinc/support | 0% | Avira URL Cloud | safe |
https://www.cendio.com/thinlinc/download/onName | 0% | Avira URL Cloud | safe |
https://app.transifex.com/cendio-ab/teams/92560/nl/) | 0% | Avira URL Cloud | safe |
https://www.cendio.com/thinlinc/download/TLEP | 0% | Avira URL Cloud | safe |
https://www.cendio.com | 0% | Avira URL Cloud | safe |
http://www.cendio.com/downloads/clients/clientupdate.conf | 0% | Avira URL Cloud | safe |
https://www.cendio.com/thinlinc/download/ | 0% | Avira URL Cloud | safe |
http://www.sgi.com/software/opensource/glx/license.html. | 0% | Avira URL Cloud | safe |
http://www.cendio.com/downloads/clients/clientupdate.confUPDATE_URLUPDATE_ENABLEDChecking | 0% | Avira URL Cloud | safe |
http://poppler.freedesktop.org%s | 0% | Avira URL Cloud | safe |
https://www.cendio.comU | 0% | Avira URL Cloud | safe |
http://www.cs.hut.fi/crypto | 0% | Avira URL Cloud | safe |
http://www.cendio.com | 0% | Avira URL Cloud | safe |
http://www.freetype.org | 0% | Avira URL Cloud | safe |
https://www.cendio.com/thinlinc/download/Name | 0% | Avira URL Cloud | safe |
http://www.sgi.com/software/opensource/cid/license.html | 0% | Avira URL Cloud | safe |
https://www.cendio.com/downloads/clients/tl-latest-client-windows.exe | 0% | Avira URL Cloud | safe |
http://www.cendio.com/downloads/clients/clientupdate.confZL | 0% | Avira URL Cloud | safe |


Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.cendio.com | 193.12.253.124 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://www.cendio.com/downloads/clients/clientupdate.conf | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
193.12.253.124 | www.cendio.com | Sweden | | 1257 | TELE2EU | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1618437
Start date and time: 2025-02-18 20:43:47 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: tl-4.18.0-client-windows.exe
Detection: CLEAN
Classification: clean13.evad.winEXE@5/79@1/1
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context
No context
                        No context
                        No context
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):19261
                        Entropy (8bit):4.832292360798636
                        Encrypted:false
                        SSDEEP:384:Bu0EgRvLjSeOShSEkMAAcfVViXhV3C93FomRXXadm8a61eYGKT:BusJmUmMAAcforI/ad1eYZ
                        MD5:FE82D4FDE6F366A2DFBBDAED185FCE8B
                        SHA1:8B3A97F66BD4B7E82084290574C90C4723A37F34
                        SHA-256:65080162C5567E86E95554BC7017ADE9E58EA90908B91CBAD91962168C38D16C
                        SHA-512:5B306EF53BA1B4C357AD4DBD17287FBB98648F152A4AF80158809052E81A3E5B0E55F7B8A88D3D294DC465AA76407E295A2CBA713E4422DDC8DEE3A4814CF98F
                        Malicious:false
                        Reputation:low
                        Preview: CENDIO END USER LICENSE AGREEMENT 3.5......IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT..CAREFULLY. INSTALLING OR USING CENDIO SOFTWARE CONSTITUTES..ACCEPTANCE OF THIS AGREEMENT.....This License Agreement ("License") is entered into by you, the Licensed..User or representative of the Licensed User ("Licensee") and Cendio AB....... THIS IS A LICENSE AND NOT A SALE......1. License....1.1 Subject to the terms and conditions of this License, Cendio..grants solely for use by Licensee a non-exclusive, non-transferable..license to use the software programs ("Program(s)") and related user..guides ("Documentation") solely for its own internal business purposes,..including for the provision of offering hosting solutions where you..remain the Licensee, at the site specified in the applicable Cendio..business records and solely in accordance with the accompanying..Documentation.....1.2 All proprietary rights and trade secrets in the Program
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):138
                        Entropy (8bit):4.650116481458659
                        Encrypted:false
                        SSDEEP:3:mKDDEf8NiIEmIrKmEfraWELTrgWAar44ovW8pku2n9+/PIJM8Sn:hQf8NnEDr1WE3cWd+4LJM8Sn
                        MD5:3BDF52A18B9468C5AFDC9AD3D13F10BF
                        SHA1:40A02534D3AD01DEC994CBA06D8143E58D6B9524
                        SHA-256:01D7A809685A2BDC81EED198CE58AE8CBA9A683EAF96AC7D8341436D42CC9529
                        SHA-512:B61C743DC874BE9C7AFB39C0528A8FAE68E2C7A7EAB60522B1655E6DD58053D8E1F62C33EB10E93C0BD12B2BA6B0D8C9479425DC512B36FFEC34A99226109F15
                        Malicious:false
                        Reputation:low
                        Preview:@echo off..rem..rem This file demonstrates how to override the Windows language setting..rem ..set LANG=C..start "" "%~dp0\tlclient.exe"..
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):123904
                        Entropy (8bit):5.904569826043691
                        Encrypted:false
                        SSDEEP:3072:/a/PIJ2CLfCFxGqDXpn1Suw1Wqv6+4s5Ppxn4:/a/AJff8PZnw26BS
                        MD5:7C2529532218EFD37D65B8E907C44016
                        SHA1:BF424432B2D521413E70685D06AF15108E42C106
                        SHA-256:CA5BC79BAFA6E5D4CD5F2B4B389305DA23E2161B92559E0E9235DEF57E65E0C4
                        SHA-512:6167C0C0E218516AE20EF6B744DA0065B0B3979BCFB93378A6BE5F0C912F812C9317B6A478FF71751E5110635853B38C1BD873C923982FF9A7E9A068CB8EC398
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Reputation:low
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):304640
                        Entropy (8bit):6.0583618122868454
                        Encrypted:false
                        SSDEEP:6144:XVtfQK6gMK7zMKlKvxg9gXXEb3EfywvIvF7IssGH9/NW3:XPoKbpcxg9ga3EawvIvF7IssGH9/NW
                        MD5:82D9BA1580A5298B4071637D6BF6C198
                        SHA1:A6FCECFA5F7D754B5FC91B7F4ADEE81B16D1EF1B
                        SHA-256:9967692DE8A7BF9293AA87948C26BF0F61C2092C834F8E8C8505C64AF51E1208
                        SHA-512:BB7189076ADA2E3AE8A0BD045AA99615A7572FB7D55DF85B77D32E8AF9DD4FD401493A45355BD811F7215AE7D5EE30246A82E5DDE47D16BDA0F586F06153E0F3
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Reputation:low
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):1917440
                        Entropy (8bit):7.009139816631496
                        Encrypted:false
                        SSDEEP:24576:zQeNIJU8UMeAwi3nhFmLBAUZLYb9MfbbT7Gavkg3NyTlQKuHf11fJuinPtU:1Ia5XAhFmLBAUZLYb9MXGaXYQKuHvIU
                        MD5:AE6506552F539C14BD66B9ABD471D9F8
                        SHA1:3C96468BE7828E4F0E9F9FDD7360DB6C5197D5EC
                        SHA-256:4A1BE90E0E8367A0CC5FFA6118D4FB4BFFED9F791D3BC666AEF30CAF96D210C3
                        SHA-512:BBE68FE223BA3F7E74168E04E45BD3CEBEFA87818132FA2E3E58109138AF66C5EF778828F8F30295BDE960BB3F940CB8706ACC923541D76FCAB3753EE2631EB7
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Reputation:low
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):642560
                        Entropy (8bit):6.2207476156079835
                        Encrypted:false
                        SSDEEP:12288:Ft+5wCHeZXabzr5WawFWscW0O/Kh+BqbI7immKgB7BSjxbqp:FtIwC9rfwFYWn++BqbI07B0bq
                        MD5:FBA3680D5D8455DAD6503350B96095A1
                        SHA1:A0688072FE5CC6B9A5E46924222F00646FF00E0E
                        SHA-256:E493E282DD31D32E4BB69EBCB68B7B47BA54C5913ECDD9C7DEA987400D4FB2E4
                        SHA-512:5A2BBCE5EFC11611D3FC60B6279BA3C0A1A4D1D8DE6F44B2490D8746B756F58203A21DE73FC48941BBBFBC437B1D3350AD605FAE5E843EB9E6406671EC8B55EB
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:GNU message catalog (little endian), revision 0.0, 502 messages, Project-Id-Version: PACKAGE VERSION '%s'
                        Category:dropped
                        Size (bytes):53430
                        Entropy (8bit):5.13284122091314
                        Encrypted:false
                        SSDEEP:1536:Ow8IFaQ1UPxI2RtMdamZaYgiLdzScu46UmkR:Ow591UNqvSfE
                        MD5:57C98AFD57CE7FD594E429EE31297C54
                        SHA1:D57332BBBDF8250C496617C7C7F6A0F734A0DC0A
                        SHA-256:3EBC707BB4C8FA82E1E0F161DB44BA3A67840B72E419E05A660B7B34E620704E
                        SHA-512:C8CBBAC67DF4715FC45BB20E701872AF71AEBBA24CE223BD07C7B550F606B495BD586C403D945693D5F149AB106FF2BA5E03051508FD6A084FF3C4C004959D5E
                        Malicious:false
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:GNU message catalog (little endian), revision 0.0, 502 messages, Project-Id-Version: PACKAGE VERSION '%s'
                        Category:dropped
                        Size (bytes):53373
                        Entropy (8bit):5.061193524141032
                        Encrypted:false
                        SSDEEP:1536:OwrBPoaQ1UPxI2Rti9zbG4ZHbfBj7LW/ddWZSV:OwrBPo91UNIbLr7sT
                        MD5:04F4167605416EFF4D3F58C6C01E611F
                        SHA1:CD46F6ECFD2E07A2035BD34D0E7ABE8CDF26778A
                        SHA-256:C51F08923941FE32762FA3AFF22CCAA30950F99DFA40DF65ADF6FC38F9AA168A
                        SHA-512:9263CB8DC1D04D4ABB0767319893865CAF53D569A7940D4021A11AAF441A0C68F1B7D0443F9B2688174DD05FB31E9C81E16CB1689BFB40F266D74B5385F2B81C
                        Malicious:false
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:GNU message catalog (little endian), revision 0.0, 502 messages, Project-Id-Version: PACKAGE VERSION '%s'
                        Category:dropped
                        Size (bytes):54506
                        Entropy (8bit):5.126181725592684
                        Encrypted:false
                        SSDEEP:768:HFQLb4t1mOEidqm4f0+cd1UPxI/ORcRa9LyrFwOIVe0Vjs2jylPV62Rt4Jt4tOlZ:OwDPzaQ1UPxI2RtlNnyaKC
                        MD5:81D54CC43F60F125992FF8812AE04CF5
                        SHA1:91057A33613852EF220049788512525FBC58D113
                        SHA-256:A020F710DE343ADA3EA5D5A17EBDDB41E26D7AC67A8D1D5588D4F3770AD0114C
                        SHA-512:01DC610570542936ADE842791E5EA435B4E4BA73DB5F9827D64AECFE6DA7178C37C83BACC8FD8D8539D086EE2FBFBB6EE3B62671AD34A77C30DF4C911F74AD53
                        Malicious:false
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:GNU message catalog (little endian), revision 0.0, 502 messages, Project-Id-Version: PACKAGE VERSION '%s'
                        Category:dropped
                        Size (bytes):51504
                        Entropy (8bit):5.058109182197532
                        Encrypted:false
                        SSDEEP:768:HFQLb4tlPQh97fm4f0+cd1UPxI/ORcRa9Lzk2QjgRQzfwibeNiZMUl4P:Ow/QH7uaQ1UPxI2RtWL/bG
                        MD5:9D7DD603DD53A31C09009EEF2E740A40
                        SHA1:76B3277C8FE6A6A83C4C33C6744D50B9BB45D194
                        SHA-256:7DEC5B5C6EC17056444CA319ACA7F48F788FB94F0B1E8ED77B4A9BBC05F15392
                        SHA-512:463DDD6148684E1AF5CF819E1ECE29CBEBEFDFB8F74CACF84BC2B6171E64814A3C0C89067555C8D23133D5D22099DC8157B7CB41FABC9664DE847E02278240DD
                        Malicious:false
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:GNU message catalog (little endian), revision 0.0, 502 messages, Project-Id-Version: PACKAGE VERSION '%s'
                        Category:dropped
                        Size (bytes):52948
                        Entropy (8bit):5.129453664868298
                        Encrypted:false
                        SSDEEP:768:HFQLb4tEjHm4f0+cd1UPxI/ORcRa9LxbzwqIBVtufXLrjXuv/FQd1MUvA:Owe6aQ1UPxI2RtuGE/FQJA
                        MD5:B9977DCA6439646FA9090F251A6A149E
                        SHA1:6B7100F4904698CFCF5F907930F1664560400A66
                        SHA-256:2073C1A4CDB19EDADA60CE918D00BA2E9F52B3E9038BFA334FACBC5071B15D40
                        SHA-512:DF11867356EF385B0DB9807897107ABC61164C44FDCFD910BF39465D4E527D34B1E0981662EC534295BAC56196EB2E96FB927F2FE5AC40FFAE28FA3D1AFD936D
                        Malicious:false
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:GNU message catalog (little endian), revision 0.0, 502 messages, Project-Id-Version: PACKAGE VERSION '%s'
                        Category:dropped
                        Size (bytes):66842
                        Entropy (8bit):5.381938099630591
                        Encrypted:false
                        SSDEEP:768:HFQLb4tzfC19c7m4f0+cd1UPxI/ORcRa9L/VJQPadZzWTLwNx8op8ij:OwpC19LaQ1UPxI2RtKamXwNx8op8ij
                        MD5:17535C8F393078F0D81B6D342D73B32B
                        SHA1:61C0EBC21C14084C6538BDBD83F9C3944C49F74A
                        SHA-256:9830D6FA61C5DD85DCAABDC7F6C896828A0A4023BE9575A7359FE8CF76A068EC
                        SHA-512:0ECFE9C1F2120DF8B0C60EB74962BCEBC01FA7F7043791F505ADE5CB7F3C649170CFACF7D8877EBD2DE64400E104659FF4EDA69219230D7DF0A15DD6EFAA3E76
                        Malicious:false
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:GNU message catalog (little endian), revision 0.0, 502 messages, Project-Id-Version: PACKAGE VERSION '%s'
                        Category:dropped
                        Size (bytes):50827
                        Entropy (8bit):5.1553597531468816
                        Encrypted:false
                        SSDEEP:1536:OwMJfszaQ1UPxI2RtDQXCAuF97EnUkKeyjyS:OwMw91UNgCAuH7EnUkNVS
                        MD5:EA88D7D37F5D346238A377BC2703802B
                        SHA1:AFD18DBB6231A5303321EB25A51E44D32A93B082
                        SHA-256:6931AE567E950E4039D4A9C32B601E4A34843149AE90E45A70FAB011D37ABF2C
                        SHA-512:B0E1E70416447ADF0BE0477903E6987FB24D783918BF3AC242D6C54D483023E371A217A5017FFB1210856B3F55212D7291A37A01024062614EFA4228B6631C85
                        Malicious:false
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:GNU message catalog (little endian), revision 0.0, 502 messages, Project-Id-Version: PACKAGE VERSION '%s'
                        Category:dropped
                        Size (bytes):51677
                        Entropy (8bit):5.280607834695986
                        Encrypted:false
                        SSDEEP:768:HFQLb4tmRRQwxOm4f0+cd1UPxI/ORcRa9L+2OfZGJH8GA3Ma9sVqL3clkg6:OwIR7HaQ1UPxI2RtYhl3996qWkg6
                        MD5:48EB8028F9CD59D5AB406F1864A62287
                        SHA1:20054AE8FD4DA77C46F4F8B6390BCCFE4C79F82D
                        SHA-256:B6A779045688B939A4ACAE6E301DEE0EE129FE56D2E3624D9759C1A9CCDC61CF
                        SHA-512:B87DA3974FC82F7E69BBA677FE0844572BAD87EC2F1EB5AA186DCA810A05A40F80F40F8AB271760515030BED4ADDAFC9B4C875567B35E7C1AB97D299946D106F
                        Malicious:false
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):20480
                        Entropy (8bit):4.937104551275748
                        Encrypted:false
                        SSDEEP:384:IIJzEEvgZmAcsuqI03ggRk3jldzzqAWAhm9:7b4ZFvVA36Aph
                        MD5:ED600884B573173B2899F6F7B312081D
                        SHA1:CBE782A1AB3A95C2895695E805F0D89485E31038
                        SHA-256:A9C9CB300EA7277FE0DDAC8CD90AB3C57DEA5E0083B5672C5EBD9287A1F93383
                        SHA-512:8B56DE9AC159572C38268C9FB44E8422F5E4E8E17D27FB9FEB25B4B7A79325320E96FD415BACCE5378545480186C7E1EE65F7772E85FF9090C68D1211820B88A
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):20480
                        Entropy (8bit):4.951909976709553
                        Encrypted:false
                        SSDEEP:384:lXaeQ55uwc8gd5OjdqLGp3vlj0VxGlB8c9:EeQ1gv+tMxsB8
                        MD5:00F6855D5B83E1F70C92FA08D03CD1A8
                        SHA1:194D27BAE4AAE8690D86D11AA9AA204910DF1F72
                        SHA-256:31CFD7ED06BF4A937E10A4A28190C8B64BA5E3DCE3459104C4C1C4CC6793F042
                        SHA-512:B136571A819D79873563497490D36CDB73F01D161EDF96AF330B5572D320C29E13A810830F2D692A6AD9F693682465A0DBF810A29155F96362D39341C36DBC74
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):24064
                        Entropy (8bit):5.138009874942021
                        Encrypted:false
                        SSDEEP:384:sJ1BmaajySHJfjGNCas4NaPy3ol2w2tjHNDM63Ge63G/WSq9:mBmbjpLGNiYZtjtDM63Ge63G
                        MD5:628E42D36183F5167AD7659FCAA788C1
                        SHA1:330E421FBC302BF98BE1E29AA9DC443A27B44A27
                        SHA-256:17ABBD11317026D900549FF768BF2B4E202306AA49BAADDEFF1C4561A68879B7
                        SHA-512:1CFDC981FB4D3F9AD41DA2EDEC39F7365DEBA4D6E89693B2E04F9A856E9CA97B2484E0D4E6B290409527ADB94F26D9DE775DFE2F1B8443385C38BBD879493B1E
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):24064
                        Entropy (8bit):5.03223751576577
                        Encrypted:false
                        SSDEEP:384:DpyyD58Z8H9sC8jGL6H95th3ZDljXBJYr9:UyDCZ8iCM7fzY
                        MD5:4A1E3F82B541CB716531EFDEACD52D8F
                        SHA1:99A436EAC2822857ED524EA5D35F785E7D2CA3EF
                        SHA-256:8B58781A57D3EF4EDBF0CCC615EA4BA6138064D4F1851E82A52ABF0350207DF5
                        SHA-512:9EF216269130CA5CB930D7DCF0A2FC695B32CE23BE2E464BD0569AA9771C7F1F9F6EAACBC5EA11427F39259A865B30FDAEFFDB0DE554ABE5A4E7CC9838939863
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):31744
                        Entropy (8bit):5.298132394788944
                        Encrypted:false
                        SSDEEP:384:ynAWlSzSKm6NzE2DUpbYUIpQpqf3Z/ZFQiXk0h3ZlZKsw2ZeJ79D9:slSzXm2zNDUpbYEkf3Ggx6AeJ7
                        MD5:A78A04EC107C5A1B204119410A430ED7
                        SHA1:D6F247B8134854F882A5BB1C9E12BFDA13CADD22
                        SHA-256:40BBE253E6369FBD72539E8CAE2786B2C7F8DD363166100F57A1BB4FA3A3D580
                        SHA-512:311ECFC616A18728CD1A307786968E227035C2B7E0659515C96F3183AE3C0FE36DBE5A4557499492AEA47DAD145ADEE2A816AA399A0417DF2C0DB4807FF4A756
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):33280
                        Entropy (8bit):5.330004404917276
                        Encrypted:false
                        SSDEEP:768:MmbWcWU8jGeiNldftayi1LnXIJvoT9Gh0p:JWxbj9ilfW1Lwohjp
                        MD5:5E66523BABB51D683D09188F60E7773B
                        SHA1:DDB72804F882FD6B3CB57500BEB3099DE3ECBE57
                        SHA-256:D4BD58542CA03CE40BBF7F4D28AE418212FE6694E719288B61E779780385A726
                        SHA-512:72117E9F4903196608C66340FEEBFCD8B271EA1061C0D64A448B7122A9AED94C2F6B84F8FDCA01B4389BD55BA42BC109304B8D46F340DBB34040052CD7761C8A
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):204
                        Entropy (8bit):4.348164440286857
                        Encrypted:false
                        SSDEEP:6:hYoC/JHEtUEPFiA2C/HLJM8S58FHLJM8SFlFDv:yoCBAUE9jH/LCpUHLCjR
                        MD5:2C97BE449BB48C06652F3596A4783EC5
                        SHA1:EE991FE64C8730BEF02A7A5475B2A4BE7136402E
                        SHA-256:B142E7E5CF568DE518682ECC5C615D6BEB36A1486BD85ED2092F6D98E15863FF
                        SHA-512:EFF234AEBBA554AD00544944C7768E864811D9F087CA0FE12D2F8FFFA8B9A352992710B2244442B7C04522C09883A0631CA081244E9723FB3DDCCBF1319712B9
                        Malicious:false
                        Preview:@echo off..if not x%2 == x (.. echo Usage: %~dpn0 [configfile]..) else (.. if x%1 == x (.. start "" "%~dp0\tlclient.exe".. ) else (.. start "" "%~dp0\tlclient.exe" -C %1.. )..)..
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):138
                        Entropy (8bit):4.650116481458659
                        Encrypted:false
                        SSDEEP:3:mKDDEf8NiIEmIrKmEfraWELTrgWAar44ovW8pku2n9+/PIJM8Sn:hQf8NnEDr1WE3cWd+4LJM8Sn
                        MD5:3BDF52A18B9468C5AFDC9AD3D13F10BF
                        SHA1:40A02534D3AD01DEC994CBA06D8143E58D6B9524
                        SHA-256:01D7A809685A2BDC81EED198CE58AE8CBA9A683EAF96AC7D8341436D42CC9529
                        SHA-512:B61C743DC874BE9C7AFB39C0528A8FAE68E2C7A7EAB60522B1655E6DD58053D8E1F62C33EB10E93C0BD12B2BA6B0D8C9479425DC512B36FFEC34A99226109F15
                        Malicious:false
                        Preview:@echo off..rem..rem This file demonstrates how to override the Windows language setting..rem ..set LANG=C..start "" "%~dp0\tlclient.exe"..
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):123904
                        Entropy (8bit):5.904569826043691
                        Encrypted:false
                        SSDEEP:3072:/a/PIJ2CLfCFxGqDXpn1Suw1Wqv6+4s5Ppxn4:/a/AJff8PZnw26BS
                        MD5:7C2529532218EFD37D65B8E907C44016
                        SHA1:BF424432B2D521413E70685D06AF15108E42C106
                        SHA-256:CA5BC79BAFA6E5D4CD5F2B4B389305DA23E2161B92559E0E9235DEF57E65E0C4
                        SHA-512:6167C0C0E218516AE20EF6B744DA0065B0B3979BCFB93378A6BE5F0C912F812C9317B6A478FF71751E5110635853B38C1BD873C923982FF9A7E9A068CB8EC398
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):142848
                        Entropy (8bit):6.025250434798064
                        Encrypted:false
                        SSDEEP:3072:Iuruj65XFTTTArNPWWVFHViyGPGeaQ+DAjj11E2DDc+:Ri2ZFTArH9G+eR0AjnESD
                        MD5:72FB4D03DAB41E3C5A296EE5B590318F
                        SHA1:7298DD48673D9F0563B755CC9593C9B1E3FAD1E3
                        SHA-256:5EFAAED92A84D79F53C6E6B715E8E78B05C09468999438B594AA773F172C1A27
                        SHA-512:3A6F5BDA778D009467960FDB31C19D81A4A00436EA4E85FA3D9AA32A74A4F6233FBAFB70941B6496CA502480A3218CEC569E48BC8472C1B92E3C18C151B2C2D5
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):19261
                        Entropy (8bit):4.832292360798636
                        Encrypted:false
                        SSDEEP:384:Bu0EgRvLjSeOShSEkMAAcfVViXhV3C93FomRXXadm8a61eYGKT:BusJmUmMAAcforI/ad1eYZ
                        MD5:FE82D4FDE6F366A2DFBBDAED185FCE8B
                        SHA1:8B3A97F66BD4B7E82084290574C90C4723A37F34
                        SHA-256:65080162C5567E86E95554BC7017ADE9E58EA90908B91CBAD91962168C38D16C
                        SHA-512:5B306EF53BA1B4C357AD4DBD17287FBB98648F152A4AF80158809052E81A3E5B0E55F7B8A88D3D294DC465AA76407E295A2CBA713E4422DDC8DEE3A4814CF98F
                        Malicious:false
                        Preview: CENDIO END USER LICENSE AGREEMENT 3.5......IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT..CAREFULLY. INSTALLING OR USING CENDIO SOFTWARE CONSTITUTES..ACCEPTANCE OF THIS AGREEMENT.....This License Agreement ("License") is entered into by you, the Licensed..User or representative of the Licensed User ("Licensee") and Cendio AB....... THIS IS A LICENSE AND NOT A SALE......1. License....1.1 Subject to the terms and conditions of this License, Cendio..grants solely for use by Licensee a non-exclusive, non-transferable..license to use the software programs ("Program(s)") and related user..guides ("Documentation") solely for its own internal business purposes,..including for the provision of offering hosting solutions where you..remain the Licensee, at the site specified in the applicable Cendio..business records and solely in accordance with the accompanying..Documentation.....1.2 All proprietary rights and trade secrets in the Program
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):1917440
                        Entropy (8bit):7.009139816631496
                        Encrypted:false
                        SSDEEP:24576:zQeNIJU8UMeAwi3nhFmLBAUZLYb9MfbbT7Gavkg3NyTlQKuHf11fJuinPtU:1Ia5XAhFmLBAUZLYb9MXGaXYQKuHvIU
                        MD5:AE6506552F539C14BD66B9ABD471D9F8
                        SHA1:3C96468BE7828E4F0E9F9FDD7360DB6C5197D5EC
                        SHA-256:4A1BE90E0E8367A0CC5FFA6118D4FB4BFFED9F791D3BC666AEF30CAF96D210C3
                        SHA-512:BBE68FE223BA3F7E74168E04E45BD3CEBEFA87818132FA2E3E58109138AF66C5EF778828F8F30295BDE960BB3F940CB8706ACC923541D76FCAB3753EE2631EB7
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):24064
                        Entropy (8bit):5.03223751576577
                        Encrypted:false
                        SSDEEP:384:DpyyD58Z8H9sC8jGL6H95th3ZDljXBJYr9:UyDCZ8iCM7fzY
                        MD5:4A1E3F82B541CB716531EFDEACD52D8F
                        SHA1:99A436EAC2822857ED524EA5D35F785E7D2CA3EF
                        SHA-256:8B58781A57D3EF4EDBF0CCC615EA4BA6138064D4F1851E82A52ABF0350207DF5
                        SHA-512:9EF216269130CA5CB930D7DCF0A2FC695B32CE23BE2E464BD0569AA9771C7F1F9F6EAACBC5EA11427F39259A865B30FDAEFFDB0DE554ABE5A4E7CC9838939863
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):1654784
                        Entropy (8bit):6.879283544884216
                        Encrypted:false
                        SSDEEP:24576:Fgewnrp6HVTwl9EYR2Y+IawBAUZLYb9MfbbT7Gavkg3NyTlQKuHf11f30YLQ:FupHEYR2Y+8BAUZLYb9MXGaXYQKuHvn
                        MD5:5174F9CCAE312EF1DD58BCE830E14A97
                        SHA1:F977E68584A0D69A42B68F9A0A468011112B5C42
                        SHA-256:DC61CDEA0FA2F8B16A064D80F5B0003018E5369BF8E3B2413373B56398F39463
                        SHA-512:CD23A4E80D810A8B08C684E7FCA24C9CA708F400056045B9725700183B3EB8A8A6A062757A1705D861A9AFAAC6BC3BE104327552ACF3A4186441DD79DEE8CBC5
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):5423104
                        Entropy (8bit):6.273112975688776
                        Encrypted:false
                        SSDEEP:49152:pg3X9+rQu1B9qNUC6IVsE7yTwI+eCyG3c0CrYJUKarjanBJ8TpGsR4BM9x9qE3gd:pg3X0L7ZPszeCytVKU7HgE3gqYkFpkE
                        MD5:9D7FAEEE009120BD2762858605EE1831
                        SHA1:D7AE3D41E59A3A8048B5F03FDEFDA10500A85D54
                        SHA-256:EE589A04FD3730688F35A0CA6FE66CB674DAE2680572E7CA98DB0AC85327F92C
                        SHA-512:0DD1D234D5C5DEF080CA75744F9E603F34F5F19E184DE6D363B59A2AA102B151BA3B3234BFC5429CBE4D47E3472EF3A5BE068C96B499B66780766BC94BCE10AD
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):4003328
                        Entropy (8bit):6.496001237219156
                        Encrypted:false
                        SSDEEP:49152:qZgmq5FmmXTKbF6S0aKX1EHqtimPjzo4BAUZLYb9MXGaXYQKuHvE:mvyT+FEI4BAUZL54
                        MD5:96E3878B529F456C5C38E2F22EF6B53B
                        SHA1:518657A61E5FCA5C8A64F7C5BE442C7148C96C6E
                        SHA-256:E815D8EA616396DBE61F1B67C82E267ACB734C8171C28F179AB1C949306A0E61
                        SHA-512:71FFA09387E8681FCE680CBCAFB88256E70F967AE1C75AD1419350D68D9D2F560415081D32B80789ECC85974B3EDA6CA353DCAD2C042C1C6D9F5AC05582ED7B4
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):4110848
                        Entropy (8bit):6.593767489296525
                        Encrypted:false
                        SSDEEP:49152:+gcDIvGaAk5YuLQOkgs2mOdJAjgUBs+B/o//Wn/9bCvd1UjdggT8BAUZLYb9MXGr:QM6Ngdyv/38BAUZL5XtsaU
                        MD5:1C463A6D3113C12FF2DE0F9926CC599D
                        SHA1:0DE4C5E179E0CBC85929872D27D6832C52CEC6D3
                        SHA-256:AC36C1D3A5445AF281D430BC614330B1462DEE6F85E026AD9C820120B73A2542
                        SHA-512:4EC8F606EE271E55390D21F010EA1991E0F2786B0CB13B5ECD349189A8C2D3B5C3C1F39C578835F56DBB25BEC296C804D3A01CE8874AE65B1D26381D1A48C83A
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):24064
                        Entropy (8bit):5.138009874942021
                        Encrypted:false
                        SSDEEP:384:sJ1BmaajySHJfjGNCas4NaPy3ol2w2tjHNDM63Ge63G/WSq9:mBmbjpLGNiYZtjtDM63Ge63G
                        MD5:628E42D36183F5167AD7659FCAA788C1
                        SHA1:330E421FBC302BF98BE1E29AA9DC443A27B44A27
                        SHA-256:17ABBD11317026D900549FF768BF2B4E202306AA49BAADDEFF1C4561A68879B7
                        SHA-512:1CFDC981FB4D3F9AD41DA2EDEC39F7365DEBA4D6E89693B2E04F9A856E9CA97B2484E0D4E6B290409527ADB94F26D9DE775DFE2F1B8443385C38BBD879493B1E
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):33280
                        Entropy (8bit):5.330004404917276
                        Encrypted:false
                        SSDEEP:768:MmbWcWU8jGeiNldftayi1LnXIJvoT9Gh0p:JWxbj9ilfW1Lwohjp
                        MD5:5E66523BABB51D683D09188F60E7773B
                        SHA1:DDB72804F882FD6B3CB57500BEB3099DE3ECBE57
                        SHA-256:D4BD58542CA03CE40BBF7F4D28AE418212FE6694E719288B61E779780385A726
                        SHA-512:72117E9F4903196608C66340FEEBFCD8B271EA1061C0D64A448B7122A9AED94C2F6B84F8FDCA01B4389BD55BA42BC109304B8D46F340DBB34040052CD7761C8A
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):5363200
                        Entropy (8bit):6.392905618746109
                        Encrypted:false
                        SSDEEP:98304:Wt4r9CyuNsQH8Md1YLuC+u9SCahkY1MSg8mFipGX:mDX8QCS1MSg8mFi8
                        MD5:0638E8BFCEED1055B7704BA6ACFBC4D1
                        SHA1:FFA89411A9D1F07313C30F33A125428505846EBB
                        SHA-256:3EFE482B8B095EE378C77B2EB23E4CD4A9DAA4572592E8097118C2251532E96C
                        SHA-512:21718BD19FE74DEA602A45C241672C5AC6D08829AFFAA1402D911D8A71CC527C6F597FD81FDE488F15729C0B3B178EB1AAAACB6F346D76ABF936CC30E4439085
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:Windows Registry text (Win95 or above)
                        Category:dropped
                        Size (bytes):2663
                        Entropy (8bit):5.423307591439363
                        Encrypted:false
                        SSDEEP:48:z6HUK4TUADhoM3Z37AErv/44UsBmaNdmH2HmQm9m1mcmKWmz9abWFmLmmJ420AZ:zZKcnhhB744USNxFaKmF
                        MD5:9859CAC33E51402CDBD0D5F88038AE57
                        SHA1:E3A92A82A177A1AB528AA016679C86DC255B9DD8
                        SHA-256:DE3BB1637B297BC528428979EBB9DF2DF89FC198F8BC9D8F691E7593C1E020D3
                        SHA-512:3FF2D350F05A6B7D6A0E301A4BEF93575BC1CB232A18E606FE44646D4303878CEF476FC4B010F9FC1C8C794FC599DAFB9504DA323BF664A4461374A9BC7B5776
                        Malicious:false
                        Preview:REGEDIT4....;..; This file will be imported when the ThinLinc client installation program..; is executed. ..;..; Note: Existing user settings have precedence. To delete these,..; uncomment the following line. Please note that this only affects the..; current user...;[-HKEY_CURRENT_USER\Software\Cendio\ThinLinc\tlclient]....; tlclient settings..[HKEY_LOCAL_MACHINE\Software\Cendio\ThinLinc\tlclient].."ALLOW_HOSTKEY_UPDATE"=dword:00000001.."AUTHENTICATION_METHOD"="password".."AUTOLOGIN"=dword:00000000.."CERTIFICATE"="".."CERTIFICATE_NAMING"="subject_commonName, pin_label, issuer_commonName".."CUSTOM_COMPRESSION"=dword:00000000.."CUSTOM_COMPRESSION_LEVEL"=dword:00000002.."DISPLAY_MODE"="".."EMULATE_MIDDLE_BUTTON"=dword:00000000.."FULL_SCREEN_MODE"=dword:00000000.."FULL_SCREEN_MONITOR_MODE"="all".."FULL_SCREEN_SELECTED_MONITORS"="1".."HOST_ALIASES"="thinlinc1.example.com:22=fw.example.com:801 thinlinc2.example.com:22=fw.example.com:802".."JPEG_COMPRESSION"=dword:00000001.."JPEG_COMPRESSION_
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):4315648
                        Entropy (8bit):6.3334501485472074
                        Encrypted:false
                        SSDEEP:98304:qNMpFtWOaB7iRzdrHjBm69fb+Ksdahz1JM:Na6HL1K
                        MD5:1DB618B54192BF66FF95F4FB18EE38D6
                        SHA1:7AA7B2DA4C4F083E40D61FB2FAE105A00724F346
                        SHA-256:8D720362A3A38590A60E65A7A89F28200A794C01AF7238231C603073D35B1599
                        SHA-512:B14C98F28032A89C9928942BCD3D905D17AF4307521FE3D6A5423844BCE6580BBEAE8E172FD47AA182DD0824371B754C0ADDF4F9120C86AEEC2BA35A9D66E5DF
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):67072
                        Entropy (8bit):5.710459492492241
                        Encrypted:false
                        SSDEEP:1536:JoHcXGjlXxLMijdY843teiK2XdxCCR+6W3ywT:Jo8olXxLMqdY843teiKWxW6dwT
                        MD5:BC5B6CBC5FC4EC80F8D401C797028A36
                        SHA1:F4C6B7734F4431DF1162AEBE5081BE1E2473B447
                        SHA-256:3894CF56EE8359F847AB2D05DA93A6E05FA6115834208B7F50DAEBA624722CF8
                        SHA-512:D50B4EC5460C37CBCFAB89B6129B68C6F482C2D471622B4AFF3BAF02AD15C970A1F08B6D1157D1F55772E05771BF0C0AD35CA24AC42BD28FC7615B516DEE54A8
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):642560
                        Entropy (8bit):6.2207476156079835
                        Encrypted:false
                        SSDEEP:12288:Ft+5wCHeZXabzr5WawFWscW0O/Kh+BqbI7immKgB7BSjxbqp:FtIwC9rfwFYWn++BqbI07B0bq
                        MD5:FBA3680D5D8455DAD6503350B96095A1
                        SHA1:A0688072FE5CC6B9A5E46924222F00646FF00E0E
                        SHA-256:E493E282DD31D32E4BB69EBCB68B7B47BA54C5913ECDD9C7DEA987400D4FB2E4
                        SHA-512:5A2BBCE5EFC11611D3FC60B6279BA3C0A1A4D1D8DE6F44B2490D8746B756F58203A21DE73FC48941BBBFBC437B1D3350AD605FAE5E843EB9E6406671EC8B55EB
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):20480
                        Entropy (8bit):4.951909976709553
                        Encrypted:false
                        SSDEEP:384:lXaeQ55uwc8gd5OjdqLGp3vlj0VxGlB8c9:EeQ1gv+tMxsB8
                        MD5:00F6855D5B83E1F70C92FA08D03CD1A8
                        SHA1:194D27BAE4AAE8690D86D11AA9AA204910DF1F72
                        SHA-256:31CFD7ED06BF4A937E10A4A28190C8B64BA5E3DCE3459104C4C1C4CC6793F042
                        SHA-512:B136571A819D79873563497490D36CDB73F01D161EDF96AF330B5572D320C29E13A810830F2D692A6AD9F693682465A0DBF810A29155F96362D39341C36DBC74
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):43008
                        Entropy (8bit):5.656745458800695
                        Encrypted:false
                        SSDEEP:768:K2vQLOkn9QOlIk/THyVYOVs2LkVdO8PVL5JMuSMoh4V:FKXjIk/kYYsYCr
                        MD5:A72635687D027223B5BBAD3E2437B79E
                        SHA1:3B887446D931731F7C25B902CE8E23F40D2DCE43
                        SHA-256:A8970AF49B0AB12C986CFFDA5108672DE8725DDE8A50B8387E4C170D76FDAFBB
                        SHA-512:4C4FB1EDB29018E81C18A5A09CFAC0A4505BDBDC2555F87898438398750F0EEAD472F8FB0C861D2A17E0763D955EAB039C9E2AD0A803DF9CB65ADD47750C40C7
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):222218
                        Entropy (8bit):5.0351577225981545
                        Encrypted:false
                        SSDEEP:3072:kW7o6xW3G1D81F+QUaKfbD8hKyc+rNQ5l9KH4Y/j52eTFkWz0I7zIez1B8bBsyeJ:kW7kGV81F+Q1KfC/j5RKjIXZcWWghv
                        MD5:E4B9C1C9D5A1665BD841C19578E5089D
                        SHA1:71C6B6356EB7F926C16E33C9A22E7CC3F53B2FFD
                        SHA-256:F8B5B8E916EAB1F72C620C00A612AC2F0651677E27E95A61B83E831B0ADE4EBE
                        SHA-512:553B79E0DDC40E2EA9BF3DC5D5BD5F829261DCA3379CF03B069B3266A78EB44078E01D03EB2F7D2C871290C90B28AD2D5DED9DCB089CCA4253CF5C6729CC652A
                        Malicious:false
                        Preview: Open Source License Usage Summary....The following licenses and copyright notices apply to various..components of ThinLinc as outlined below.....==== Components =========================================================....2-Clause BSD license:.... - noVNC .html and .css files....Apache License Version 2.0.... - OpenSSL....CheetahTemplate License (revised MIT):.... - CheetahTemplate....Creative Commons Attribution-ShareAlike 3.0:.... - noVNC images....The FreeType Project LICENSE:.... - FreeType (also available under GPL 2)....GNU General Public License version 2:.... - cyclades-serial-client.. - PulseAudio.. - RRDtool.. - rsync.. - sercd.. - TigerVNC.. - poppler....GNU Lesser General Public License version 2.1:.... - Cairo.. - FLTK.. - GLib.. - Hiveconf.. - libiconv.. - libintl.. - libsndfile.. - libtasn1.. - XmlRpc++.. - neon.. - OpenSC.. - Pango.. - PulseAudio.. - python-xlib.. - PyXD
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):304640
                        Entropy (8bit):6.0583618122868454
                        Encrypted:false
                        SSDEEP:6144:XVtfQK6gMK7zMKlKvxg9gXXEb3EfywvIvF7IssGH9/NW3:XPoKbpcxg9ga3EawvIvF7IssGH9/NW
                        MD5:82D9BA1580A5298B4071637D6BF6C198
                        SHA1:A6FCECFA5F7D754B5FC91B7F4ADEE81B16D1EF1B
                        SHA-256:9967692DE8A7BF9293AA87948C26BF0F61C2092C834F8E8C8505C64AF51E1208
                        SHA-512:BB7189076ADA2E3AE8A0BD045AA99615A7572FB7D55DF85B77D32E8AF9DD4FD401493A45355BD811F7215AE7D5EE30246A82E5DDE47D16BDA0F586F06153E0F3
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):20480
                        Entropy (8bit):4.937104551275748
                        Encrypted:false
                        SSDEEP:384:IIJzEEvgZmAcsuqI03ggRk3jldzzqAWAhm9:7b4ZFvVA36Aph
                        MD5:ED600884B573173B2899F6F7B312081D
                        SHA1:CBE782A1AB3A95C2895695E805F0D89485E31038
                        SHA-256:A9C9CB300EA7277FE0DDAC8CD90AB3C57DEA5E0083B5672C5EBD9287A1F93383
                        SHA-512:8B56DE9AC159572C38268C9FB44E8422F5E4E8E17D27FB9FEB25B4B7A79325320E96FD415BACCE5378545480186C7E1EE65F7772E85FF9090C68D1211820B88A
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):31744
                        Entropy (8bit):5.298132394788944
                        Encrypted:false
                        SSDEEP:384:ynAWlSzSKm6NzE2DUpbYUIpQpqf3Z/ZFQiXk0h3ZlZKsw2ZeJ79D9:slSzXm2zNDUpbYEkf3Ggx6AeJ7
                        MD5:A78A04EC107C5A1B204119410A430ED7
                        SHA1:D6F247B8134854F882A5BB1C9E12BFDA13CADD22
                        SHA-256:40BBE253E6369FBD72539E8CAE2786B2C7F8DD363166100F57A1BB4FA3A3D580
                        SHA-512:311ECFC616A18728CD1A307786968E227035C2B7E0659515C96F3183AE3C0FE36DBE5A4557499492AEA47DAD145ADEE2A816AA399A0417DF2C0DB4807FF4A756
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):222218
                        Entropy (8bit):5.0351577225981545
                        Encrypted:false
                        SSDEEP:3072:kW7o6xW3G1D81F+QUaKfbD8hKyc+rNQ5l9KH4Y/j52eTFkWz0I7zIez1B8bBsyeJ:kW7kGV81F+Q1KfC/j5RKjIXZcWWghv
                        MD5:E4B9C1C9D5A1665BD841C19578E5089D
                        SHA1:71C6B6356EB7F926C16E33C9A22E7CC3F53B2FFD
                        SHA-256:F8B5B8E916EAB1F72C620C00A612AC2F0651677E27E95A61B83E831B0ADE4EBE
                        SHA-512:553B79E0DDC40E2EA9BF3DC5D5BD5F829261DCA3379CF03B069B3266A78EB44078E01D03EB2F7D2C871290C90B28AD2D5DED9DCB089CCA4253CF5C6729CC652A
                        Malicious:false
                        Preview: Open Source License Usage Summary....The following licenses and copyright notices apply to various..components of ThinLinc as outlined below.....==== Components =========================================================....2-Clause BSD license:.... - noVNC .html and .css files....Apache License Version 2.0.... - OpenSSL....CheetahTemplate License (revised MIT):.... - CheetahTemplate....Creative Commons Attribution-ShareAlike 3.0:.... - noVNC images....The FreeType Project LICENSE:.... - FreeType (also available under GPL 2)....GNU General Public License version 2:.... - cyclades-serial-client.. - PulseAudio.. - RRDtool.. - rsync.. - sercd.. - TigerVNC.. - poppler....GNU Lesser General Public License version 2.1:.... - Cairo.. - FLTK.. - GLib.. - Hiveconf.. - libiconv.. - libintl.. - libsndfile.. - libtasn1.. - XmlRpc++.. - neon.. - OpenSC.. - Pango.. - PulseAudio.. - python-xlib.. - PyXD
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):5363200
                        Entropy (8bit):6.392905618746109
                        Encrypted:false
                        SSDEEP:98304:Wt4r9CyuNsQH8Md1YLuC+u9SCahkY1MSg8mFipGX:mDX8QCS1MSg8mFi8
                        MD5:0638E8BFCEED1055B7704BA6ACFBC4D1
                        SHA1:FFA89411A9D1F07313C30F33A125428505846EBB
                        SHA-256:3EFE482B8B095EE378C77B2EB23E4CD4A9DAA4572592E8097118C2251532E96C
                        SHA-512:21718BD19FE74DEA602A45C241672C5AC6D08829AFFAA1402D911D8A71CC527C6F597FD81FDE488F15729C0B3B178EB1AAAACB6F346D76ABF936CC30E4439085
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):1654784
                        Entropy (8bit):6.879283544884216
                        Encrypted:false
                        SSDEEP:24576:Fgewnrp6HVTwl9EYR2Y+IawBAUZLYb9MfbbT7Gavkg3NyTlQKuHf11f30YLQ:FupHEYR2Y+8BAUZLYb9MXGaXYQKuHvn
                        MD5:5174F9CCAE312EF1DD58BCE830E14A97
                        SHA1:F977E68584A0D69A42B68F9A0A468011112B5C42
                        SHA-256:DC61CDEA0FA2F8B16A064D80F5B0003018E5369BF8E3B2413373B56398F39463
                        SHA-512:CD23A4E80D810A8B08C684E7FCA24C9CA708F400056045B9725700183B3EB8A8A6A062757A1705D861A9AFAAC6BC3BE104327552ACF3A4186441DD79DEE8CBC5
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):5423104
                        Entropy (8bit):6.273112975688776
                        Encrypted:false
                        SSDEEP:49152:pg3X9+rQu1B9qNUC6IVsE7yTwI+eCyG3c0CrYJUKarjanBJ8TpGsR4BM9x9qE3gd:pg3X0L7ZPszeCytVKU7HgE3gqYkFpkE
                        MD5:9D7FAEEE009120BD2762858605EE1831
                        SHA1:D7AE3D41E59A3A8048B5F03FDEFDA10500A85D54
                        SHA-256:EE589A04FD3730688F35A0CA6FE66CB674DAE2680572E7CA98DB0AC85327F92C
                        SHA-512:0DD1D234D5C5DEF080CA75744F9E603F34F5F19E184DE6D363B59A2AA102B151BA3B3234BFC5429CBE4D47E3472EF3A5BE068C96B499B66780766BC94BCE10AD
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):67072
                        Entropy (8bit):5.710459492492241
                        Encrypted:false
                        SSDEEP:1536:JoHcXGjlXxLMijdY843teiK2XdxCCR+6W3ywT:Jo8olXxLMqdY843teiKWxW6dwT
                        MD5:BC5B6CBC5FC4EC80F8D401C797028A36
                        SHA1:F4C6B7734F4431DF1162AEBE5081BE1E2473B447
                        SHA-256:3894CF56EE8359F847AB2D05DA93A6E05FA6115834208B7F50DAEBA624722CF8
                        SHA-512:D50B4EC5460C37CBCFAB89B6129B68C6F482C2D471622B4AFF3BAF02AD15C970A1F08B6D1157D1F55772E05771BF0C0AD35CA24AC42BD28FC7615B516DEE54A8
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):43008
                        Entropy (8bit):5.656745458800695
                        Encrypted:false
                        SSDEEP:768:K2vQLOkn9QOlIk/THyVYOVs2LkVdO8PVL5JMuSMoh4V:FKXjIk/kYYsYCr
                        MD5:A72635687D027223B5BBAD3E2437B79E
                        SHA1:3B887446D931731F7C25B902CE8E23F40D2DCE43
                        SHA-256:A8970AF49B0AB12C986CFFDA5108672DE8725DDE8A50B8387E4C170D76FDAFBB
                        SHA-512:4C4FB1EDB29018E81C18A5A09CFAC0A4505BDBDC2555F87898438398750F0EEAD472F8FB0C861D2A17E0763D955EAB039C9E2AD0A803DF9CB65ADD47750C40C7
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:Windows Registry text (Win95 or above)
                        Category:dropped
                        Size (bytes):2663
                        Entropy (8bit):5.423307591439363
                        Encrypted:false
                        SSDEEP:48:z6HUK4TUADhoM3Z37AErv/44UsBmaNdmH2HmQm9m1mcmKWmz9abWFmLmmJ420AZ:zZKcnhhB744USNxFaKmF
                        MD5:9859CAC33E51402CDBD0D5F88038AE57
                        SHA1:E3A92A82A177A1AB528AA016679C86DC255B9DD8
                        SHA-256:DE3BB1637B297BC528428979EBB9DF2DF89FC198F8BC9D8F691E7593C1E020D3
                        SHA-512:3FF2D350F05A6B7D6A0E301A4BEF93575BC1CB232A18E606FE44646D4303878CEF476FC4B010F9FC1C8C794FC599DAFB9504DA323BF664A4461374A9BC7B5776
                        Malicious:false
                        Preview:REGEDIT4....;..; This file will be imported when the ThinLinc client installation program..; is executed. ..;..; Note: Existing user settings have precedence. To delete these,..; uncomment the following line. Please note that this only affects the..; current user...;[-HKEY_CURRENT_USER\Software\Cendio\ThinLinc\tlclient]....; tlclient settings..[HKEY_LOCAL_MACHINE\Software\Cendio\ThinLinc\tlclient].."ALLOW_HOSTKEY_UPDATE"=dword:00000001.."AUTHENTICATION_METHOD"="password".."AUTOLOGIN"=dword:00000000.."CERTIFICATE"="".."CERTIFICATE_NAMING"="subject_commonName, pin_label, issuer_commonName".."CUSTOM_COMPRESSION"=dword:00000000.."CUSTOM_COMPRESSION_LEVEL"=dword:00000002.."DISPLAY_MODE"="".."EMULATE_MIDDLE_BUTTON"=dword:00000000.."FULL_SCREEN_MODE"=dword:00000000.."FULL_SCREEN_MONITOR_MODE"="all".."FULL_SCREEN_SELECTED_MONITORS"="1".."HOST_ALIASES"="thinlinc1.example.com:22=fw.example.com:801 thinlinc2.example.com:22=fw.example.com:802".."JPEG_COMPRESSION"=dword:00000001.."JPEG_COMPRESSION_
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):4315648
                        Entropy (8bit):6.3334501485472074
                        Encrypted:false
                        SSDEEP:98304:qNMpFtWOaB7iRzdrHjBm69fb+Ksdahz1JM:Na6HL1K
                        MD5:1DB618B54192BF66FF95F4FB18EE38D6
                        SHA1:7AA7B2DA4C4F083E40D61FB2FAE105A00724F346
                        SHA-256:8D720362A3A38590A60E65A7A89F28200A794C01AF7238231C603073D35B1599
                        SHA-512:B14C98F28032A89C9928942BCD3D905D17AF4307521FE3D6A5423844BCE6580BBEAE8E172FD47AA182DD0824371B754C0ADDF4F9120C86AEEC2BA35A9D66E5DF
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):204
                        Entropy (8bit):4.348164440286857
                        Encrypted:false
                        SSDEEP:6:hYoC/JHEtUEPFiA2C/HLJM8S58FHLJM8SFlFDv:yoCBAUE9jH/LCpUHLCjR
                        MD5:2C97BE449BB48C06652F3596A4783EC5
                        SHA1:EE991FE64C8730BEF02A7A5475B2A4BE7136402E
                        SHA-256:B142E7E5CF568DE518682ECC5C615D6BEB36A1486BD85ED2092F6D98E15863FF
                        SHA-512:EFF234AEBBA554AD00544944C7768E864811D9F087CA0FE12D2F8FFFA8B9A352992710B2244442B7C04522C09883A0631CA081244E9723FB3DDCCBF1319712B9
                        Malicious:false
                        Preview:@echo off..if not x%2 == x (.. echo Usage: %~dpn0 [configfile]..) else (.. if x%1 == x (.. start "" "%~dp0\tlclient.exe".. ) else (.. start "" "%~dp0\tlclient.exe" -C %1.. )..)..
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):4003328
                        Entropy (8bit):6.496001237219156
                        Encrypted:false
                        SSDEEP:49152:qZgmq5FmmXTKbF6S0aKX1EHqtimPjzo4BAUZLYb9MXGaXYQKuHvE:mvyT+FEI4BAUZL54
                        MD5:96E3878B529F456C5C38E2F22EF6B53B
                        SHA1:518657A61E5FCA5C8A64F7C5BE442C7148C96C6E
                        SHA-256:E815D8EA616396DBE61F1B67C82E267ACB734C8171C28F179AB1C949306A0E61
                        SHA-512:71FFA09387E8681FCE680CBCAFB88256E70F967AE1C75AD1419350D68D9D2F560415081D32B80789ECC85974B3EDA6CA353DCAD2C042C1C6D9F5AC05582ED7B4
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):142848
                        Entropy (8bit):6.025250434798064
                        Encrypted:false
                        SSDEEP:3072:Iuruj65XFTTTArNPWWVFHViyGPGeaQ+DAjj11E2DDc+:Ri2ZFTArH9G+eR0AjnESD
                        MD5:72FB4D03DAB41E3C5A296EE5B590318F
                        SHA1:7298DD48673D9F0563B755CC9593C9B1E3FAD1E3
                        SHA-256:5EFAAED92A84D79F53C6E6B715E8E78B05C09468999438B594AA773F172C1A27
                        SHA-512:3A6F5BDA778D009467960FDB31C19D81A4A00436EA4E85FA3D9AA32A74A4F6233FBAFB70941B6496CA502480A3218CEC569E48BC8472C1B92E3C18C151B2C2D5
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                        Category:dropped
                        Size (bytes):144895
                        Entropy (8bit):6.6202994524479495
                        Encrypted:false
                        SSDEEP:3072:YE52Fcj8B3eh8wx9P/NQyxkANNNNNYNNNNNNNNNNNhVz9LjQG/6cfFSO:8FcYe9WakZVz1sw6cfFL
                        MD5:8B1945F81436E3087F2C8C072D5BBF62
                        SHA1:605618378241A6AD9091F3FF980DDEC5F062CDBE
                        SHA-256:5224EB3DAA355D886DAF09E00292F7B7C19DCA8E230B729BD399882704739DC3
                        SHA-512:784BFBDC9D87D6EB980FDBCAFBCEAC0C6929918DD768B517A6B47A93E3632B4DE5BA5A3A257A1ACA155B28BEBBE22A3BAE3C5F00B3D675AEA94E5F085A26F8ED
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 3%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):4110848
                        Entropy (8bit):6.593767489296525
                        Encrypted:false
                        SSDEEP:49152:+gcDIvGaAk5YuLQOkgs2mOdJAjgUBs+B/o//Wn/9bCvd1UjdggT8BAUZLYb9MXGr:QM6Ngdyv/38BAUZL5XtsaU
                        MD5:1C463A6D3113C12FF2DE0F9926CC599D
                        SHA1:0DE4C5E179E0CBC85929872D27D6832C52CEC6D3
                        SHA-256:AC36C1D3A5445AF281D430BC614330B1462DEE6F85E026AD9C820120B73A2542
                        SHA-512:4EC8F606EE271E55390D21F010EA1991E0F2786B0CB13B5ECD349189A8C2D3B5C3C1F39C578835F56DBB25BEC296C804D3A01CE8874AE65B1D26381D1A48C83A
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Dec 19 07:55:06 2024, mtime=Tue Feb 18 18:44:58 2025, atime=Thu Dec 19 07:55:06 2024, length=4003328, window=hide
                        Category:dropped
                        Size (bytes):1858
                        Entropy (8bit):3.2675803477184817
                        Encrypted:false
                        SSDEEP:24:8Eby8XdfwKIGJAtnd6dMUyAgdCGfdzJm:8n0dLIGKtnd6dPyXdCudd
                        MD5:B23A71F8EB07A518DBC5716880D87FEA
                        SHA1:810E3B3BF88360052F037DB5971BD60B174DB557
                        SHA-256:9898F1B640BF0ACF02A377DA31715B0F7F0718ED5D5AFD70F5C1BB973C2E8C21
                        SHA-512:5335E0D80C83410F808ED348DF950087E0E48547FA8CB4755841C3BE295F1D76E9CA0C7C780E3C445AC3F49E145979FB717EA90463B13F6ECEBC1C24DB505A7F
                        Malicious:false
                        Preview:L..................F.@.. ....Q...Q..v>t.=....Q...Q....=..........................P.O. .:i.....+00.../C:\.....................1.....RZ....PROGRA~1..t......O.IRZ......B...............J.....p..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....RZ....THINLI~1..P......RZ..RZ......p..................... A..T.h.i.n.L.i.n.c. .c.l.i.e.n.t.....f.2...=..Y.F .tlclient.exe..J......Y.FRZ................................t.l.c.l.i.e.n.t...e.x.e.......\...............-.......[.............X......C:\Program Files\ThinLinc client\tlclient.exe..<.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.h.i.n.L.i.n.c. .c.l.i.e.n.t.\.t.l.c.l.i.e.n.t...e.x.e.6.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.h.i.n.L.i.n.c. .c.l.i.e.n.t.\.l.o.c.a.l.e.\.t.r.\.L.C._.M.E.S.S.A.G.E.S...-.-.l.o.o.p.-.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.h.i.n.L.i.n.c. .c.l.i.e.n.t.\.t.l.c.l.i.e.n.t...e.x.e.........%SystemDrive%\Program Files\ThinLinc client\tlclient.exe...................................
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Dec 19 07:55:06 2024, mtime=Tue Feb 18 18:44:56 2025, atime=Thu Dec 19 07:55:06 2024, length=4003328, window=hide
                        Category:dropped
                        Size (bytes):1844
                        Entropy (8bit):3.2565362055879365
                        Encrypted:false
                        SSDEEP:12:8KX7lV00YX3h9A8mdpF4sXae5SSlZz5JGC9ptjAtDnbdpuwl6ftbdpuwl6UaEr0G:84E8XdfwKIGJAtnd6dMUPgdCGfdzJm
                        MD5:F010DD521DDAAE9874ECA0BFC86E4C68
                        SHA1:202474540F8449F21D72AC39C3C67848BB0B7851
                        SHA-256:30488D06E462A8709C31FBEE92D5E6DB1A71D55824FA31E50384AFBD5F3060D3
                        SHA-512:703ED471382D598EE391536CDA27D304484DD8A2C202C6F063AF45C07654F34574B7814BC1504FC0BD85DF66251A8C421140A2501C7166368A26A7427893E06A
                        Malicious:false
                        Preview:L..................F.@.. ....Q...Q...4..=....Q...Q....=..........................P.O. .:i.....+00.../C:\.....................1.....RZ....PROGRA~1..t......O.IRZ......B...............J.....p..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....RZ....THINLI~1..P......RZ..RZ......p..................... A..T.h.i.n.L.i.n.c. .c.l.i.e.n.t.....f.2...=..Y.F .tlclient.exe..J......Y.FRZ................................t.l.c.l.i.e.n.t...e.x.e.......\...............-.......[.............X......C:\Program Files\ThinLinc client\tlclient.exe..<.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.h.i.n.L.i.n.c. .c.l.i.e.n.t.\.t.l.c.l.i.e.n.t...e.x.e.6.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.h.i.n.L.i.n.c. .c.l.i.e.n.t.\.l.o.c.a.l.e.\.t.r.\.L.C._.M.E.S.S.A.G.E.S.-.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.h.i.n.L.i.n.c. .c.l.i.e.n.t.\.t.l.c.l.i.e.n.t...e.x.e.........%SystemDrive%\Program Files\ThinLinc client\tlclient.exe.................................................
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Dec 19 07:55:06 2024, mtime=Tue Feb 18 18:44:56 2025, atime=Thu Dec 19 07:55:06 2024, length=19261, window=hide
                        Category:dropped
                        Size (bytes):940
                        Entropy (8bit):4.514602976915076
                        Encrypted:false
                        SSDEEP:12:8mHXWYDQg0YX3h9A8mdpF4sXae5SSlG4YxxjAxDgpSbdpuwlRabdpuwl6UaE8Yec:8mPl8XdfwBFAxpd+dMU4Jm
                        MD5:6CEE5E91EB670D351F8F65331CCC7B42
                        SHA1:C21A7DE4009E99BCAE660951F47CC32BBD32F0FD
                        SHA-256:895823BD16DD247E89E3880085E27BCF743449F0F212F1EB5297A7C0B0AA533A
                        SHA-512:E3C9F316D29C4FCFC81379D422FC977F6EA17B9E90889759D34FD6BD6E94A5334EEAD9A9F3744D3BA6F7C80B3FF0A92F3EB8866365DDC175F3889A4EDD892513
                        Malicious:false
                        Preview:L..................F.... ....Q...Q...o..=....Q...Q..=K......................}....P.O. .:i.....+00.../C:\.....................1.....RZ....PROGRA~1..t......O.IRZ......B...............J.....p..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....RZ....THINLI~1..P......RZ..RZ......p..................... A..T.h.i.n.L.i.n.c. .c.l.i.e.n.t.....Z.2.=K...Y.F .EULA.txt..B......Y.FRZ................................E.U.L.A...t.x.t.......X...............-.......W.............X......C:\Program Files\ThinLinc client\EULA.txt..8.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.h.i.n.L.i.n.c. .c.l.i.e.n.t.\.E.U.L.A...t.x.t.6.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.h.i.n.L.i.n.c. .c.l.i.e.n.t.\.l.o.c.a.l.e.\.t.r.\.L.C._.M.E.S.S.A.G.E.S.`.......X.......965543...........hT..CrF.f4... .H#..Jc...-...-$..hT..CrF.f4... .H#..Jc...-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:Windows desktop.ini
                        Category:dropped
                        Size (bytes):357
                        Entropy (8bit):4.897245269221921
                        Encrypted:false
                        SSDEEP:6:0NwokQCVjD9gmQtcnltkkjD9gm7MkD91kkjD9gmsLLjD91kkjD9gmNn:0NwmC9D+tcnltkSDdDrkSDmDrkSD7n
                        MD5:81513363100306CEB8C0DFA235727A66
                        SHA1:C5B079149DF17065DF66C012962E372C74F915B0
                        SHA-256:73FF7582A87649150EDF52F777E85B19B84E8AFDE07C6E0A00ACCC4269A8E6C5
                        SHA-512:969F8CB96B5DB48F079EFB7526C8A320CEB528C16F7B44FD81B7864C04A06E80A4C0D8A7BB8C0487DFA04F93FD2BF2DD3B1647CD17410633D92AEC3DAA7308F9
                        Malicious:false
                        Preview:[.ShellClassInfo]..LocalizedResourceName=@"C:\Program Files\ThinLinc client\tlclient.exe",-10000..[LocalizedFileNames]..ThinLinc license.lnk=@"C:\Program Files\ThinLinc client\tlclient.exe",-10002..ThinLinc client.lnk=@"C:\Program Files\ThinLinc client\tlclient.exe",-10001..Loop ThinLinc client.lnk=@"C:\Program Files\ThinLinc client\tlclient.exe",-10004..
                        Process:C:\Program Files\ThinLinc client\tlclient.exe
                        File Type:ASCII text
                        Category:dropped
                        Size (bytes):94
                        Entropy (8bit):4.592706974419628
                        Encrypted:false
                        SSDEEP:3:a1HGAW5Q9SnBI8KjdMQtVNR73:a9GtQeBHKjbVnL
                        MD5:794A14BDE47653E8E957F7074681833B
                        SHA1:0A135DB04B0872E50AA77A6F4A99471B13A96798
                        SHA-256:981AC30F046D7876E64CD0D413FDF994EA92E1C75D3C3CBD69A86FA4A4D9541A
                        SHA-512:5EE92AD46F910E397DF0B79283D36F4ED60FC3CB0A499C3993BC27A4A6992B7D4E6422598495E139EB92829BC19A3A41005BCEC9D83D51C548F3F44200B43C57
                        Malicious:false
                        Preview:; FLTK preferences file format 1.0.; vendor: fltk.org.; application: fltk..[.]...[./options]..
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):55094475
                        Entropy (8bit):6.6157427814975085
                        Encrypted:false
                        SSDEEP:
                        MD5:08CAC9275D557000309538784E7716B8
                        SHA1:A1BD3E03E29123D1CE2F452CB1829795E6975525
                        SHA-256:A63A969FF1CB4B8B0D1C6DC2CEBF14DEC14ED3E01539968CBEB365F3D10048B0
                        SHA-512:A44BB211F155E90A3F3527C3CA8CEE8FC2C64FF28BF3565461504BFAC8804625E48702DF8F65936DB5E1B548F7BD5BFE3FCED88CE57F3A225CBE8198CB6372FE
                        Malicious:false
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):24576
                        Entropy (8bit):5.838117713516912
                        Encrypted:false
                        SSDEEP:384:bs+grkktWOB/MUhWK+MPeHvbcEVHYPS/9w00g530l/nl/1wrj:GIkoa/MUmMPibcOM99L9Cj
                        MD5:F5D3C33D2ECAF9C1D6AEABA2E0CFA333
                        SHA1:3B96841DBE299B1E743B79717BDEE7CB714E5FDA
                        SHA-256:CAF632D69C07B00353BFF7AD0D28EED0C320B4C2770400E68E01A8124AB6DA62
                        SHA-512:7F73558E9B0812C0FE79C4344FDAAD17CA60C4A457889F4C8FB590C207A98CCDB9E7B7998B7035844D7A08D19DA12D526FD29CF224CB98066CEC305CA2C84927
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PC bitmap, Windows 3.x format, 500 x 10 x 24, image size 15000, resolution 3779 x 3779 px/m, cbSize 15054, bits offset 54
                        Category:dropped
                        Size (bytes):15054
                        Entropy (8bit):3.4400264720948197
                        Encrypted:false
                        SSDEEP:24:/UaA27Tntnw+LRM09eMAfcIIny3MtxEs+vTsQ53lLqJ7fwG6Flw80cuPm:saBVpLRM00MRI7CCVvTsQ5lKcTw8Um
                        MD5:D45208B791EE5E730764FA9A9086A86A
                        SHA1:6D488A35C49126328AB0A98E1FA61C2486875AD4
                        SHA-256:2C90DF700593B5DEC2350CD78AEDD726C72543223D9EEBE66B5F5E41F768716F
                        SHA-512:C4F7B4EAC3980A9EB9FF13EC24EC49EE809F1C347BF71C322A097B4C845CE82A40B54B03B70C7CECB7D2406D73E421A3095820D3F9E63C047FCFF1987365FA3F
                        Malicious:false
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PC bitmap, Windows 3.x format, 497 x 67 x 24, image size 99964, cbSize 100018, bits offset 54
                        Category:dropped
                        Size (bytes):100018
                        Entropy (8bit):0.8625170021854195
                        Encrypted:false
                        SSDEEP:48:7kcBUzie+5gfu38CO2Q7yngcHRK3wr99rp9r2+gdhRWWfhKzz:Y5+gfuRgcxiwr99rp9r2+AbxKn
                        MD5:9DE4190AA7CE7AF2D6A7DBF598528C41
                        SHA1:6024FCE2356F578E7EFE1651CFB0FCC0797DCB86
                        SHA-256:20CE334784F4098EE22FEF44D65460FD047571C360729F3CDC7D06049079291B
                        SHA-512:74711BCF6A5A477A2DBA211522AE4C2405438B8E02D95C3D3CBAACE9296F73644C9602242053CF1150120FFE0341B09E520CDB3D1220F2A7F671B4C625D283BE
                        Malicious:false
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PC bitmap, Windows 3.x format, 164 x 314 x 24, image size 154488, resolution 10972 x 10972 px/m, cbSize 154542, bits offset 54
                        Category:dropped
                        Size (bytes):154542
                        Entropy (8bit):0.3159522712147747
                        Encrypted:false
                        SSDEEP:96:4HwEceV/6dwou1JiOgdE5u962hBSCGhCmiEMVRhT:CZB1JB25GDO
                        MD5:77233A1632E0060CEEC6F57B424AACDD
                        SHA1:A74E2A8D172A0493042B4AE81F2E012EF275DC7F
                        SHA-256:06C3A756E8A70BD6FB7F49D922F1AA34DD29C7C9BF2F238C110955FABD9E9190
                        SHA-512:6862F8B7FA2C367FF756B53DAA260D3FA4C12F56EF9017972B490EFD6D91276A0E80D29A021D9E0579CE13C55F470F6CBA805D889F5FB0D94A323E1257F4402E
                        Malicious:false
                        Process:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):11776
                        Entropy (8bit):5.341148311945214
                        Encrypted:false
                        SSDEEP:192:VrZUzW5PrQrEtKWoseMW9udUuPdIgbtKSrZrTFQmhs:1ZUz0rztJodMW97uP9tPrZrZ
                        MD5:6493FD9C2B31E4457040D2370FB2F0AA
                        SHA1:3F9C888829EEF07B87C1B3FD6D7276A739B3F1A5
                        SHA-256:1E351D9FC507F19B9BB3013B25EBE1B3E790647D6CF14E4E32D2D27701C4EF7F
                        SHA-512:7DB7FFCEA19634C7D862BAB9B41CFDF6F88FC844AA014BDDBA407538326CC048E37EA2C2868C2A2BF9175CE874D99BCBE63C7EB5E98513AAC44CB84C351493C2
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Program Files\ThinLinc client\tlclient.exe
                        File Type:ASCII text
                        Category:dropped
                        Size (bytes):145
                        Entropy (8bit):4.7177004321088605
                        Encrypted:false
                        SSDEEP:3:tQIVYU8fFpKj9PbUiLSe9R2oduW8P9QTU8fFxNKiLSe9V4mrJX:io5OFpKxbUoD9QWoyYOFxUoD9V1X
                        MD5:C3AF9E54C4DCD1A6A21E6D7FB84BB608
                        SHA1:0CDAB580FB41A592223F31150FD98BE98F7731A4
                        SHA-256:10BD453B05C41C08EA59149034079B3AD64176975217613D205FF749E0973602
                        SHA-512:1DE45D54832BDFE2845F6A6DB25CD6FF2761AA9B16C221645E5B9A0636787D8C3247F0FBB7BDBFAF426BEC299FCC4E043FFB1C35EE55723CF412E88403AB382B
                        Malicious:false
                        Preview:2025-02-18T14:45:03: Log file created for ThinLinc client running on process 3180.2025-02-18T14:45:03: ThinLinc client release 4.18.0 build 3768.
                        Process:C:\Program Files\ThinLinc client\tlclient.exe
                        File Type:ASCII text
                        Category:dropped
                        Size (bytes):288
                        Entropy (8bit):5.083279435171463
                        Encrypted:false
                        SSDEEP:6:jS2eGLNmaehv8CM1Jr/BLeGLNpVFj5paeGLNpVGbLEDHYUQ/:jSldb6Catk0VtR0VGbLB/
                        MD5:D5D3C3E231EA1E4AB0A97C0CEEE15FD9
                        SHA1:46FDABC02FCBD4FEABB504D736EA8FB6FA504EA3
                        SHA-256:AE05D09B26B60E6E91FD786C908304BC9A30058B9B2C586277620689670EDA16
                        SHA-512:FECA6E7A12D0A13D06126CB71EE4DC15727E272C9D5485912A611581507956365D69926446C96974E2183E0C141046265F3880109B9FBD1C77C68A99D03FECD7
                        Malicious:false
                        Preview:WINDOWSINSTALLER = https://www.cendio.com/downloads/clients/tl-latest-client-windows.exe.LINUXINSTALLER = https://www.cendio.com/thinlinc/download/.DEFAULTINSTALLER = https://www.cendio.com/thinlinc/download/.OKVERSIONS = 4.18.0 4.18.0post 4.18.1 4.18.2 4.19.0 4.19.1 4.20.0 4.20.1 5.0.0.
                        Process:C:\Program Files\ThinLinc client\tlclient.exe
                        File Type:ASCII text
                        Category:dropped
                        Size (bytes):94
                        Entropy (8bit):4.592706974419628
                        Encrypted:false
                        SSDEEP:3:a1HGAW5Q9SnBI8KjdMQtVNR73:a9GtQeBHKjbVnL
                        MD5:794A14BDE47653E8E957F7074681833B
                        SHA1:0A135DB04B0872E50AA77A6F4A99471B13A96798
                        SHA-256:981AC30F046D7876E64CD0D413FDF994EA92E1C75D3C3CBD69A86FA4A4D9541A
                        SHA-512:5EE92AD46F910E397DF0B79283D36F4ED60FC3CB0A499C3993BC27A4A6992B7D4E6422598495E139EB92829BC19A3A41005BCEC9D83D51C548F3F44200B43C57
                        Malicious:false
                        Preview:; FLTK preferences file format 1.0.; vendor: fltk.org.; application: fltk..[.]...[./options]..
                        File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                        Entropy (8bit):7.999276830196618
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:tl-4.18.0-client-windows.exe
                        File size:15'451'168 bytes
                        MD5:168280ae119955b0e9eff6716951e5da
                        SHA1:9d67c4960345e2aecb8cee06995f1120d8695ef9
                        SHA256:8167a4f6de980e5e3a3bfc09460de80c8d16f1a8bb4cdd6633d69d96c9a5e1fc
                        SHA512:b4fa448ebdffbb5a3f1272d56accfe4b2d21e27f2000612097d367eda0db53ef9c36a79d1fee0c851addd491c38077ad12701470575d97044ba556392e5c424c
                        SSDEEP:393216:tQatDHlsFjqdvnpm2VJkn6MWuc4EGch+0:aaPsFjwc2fnM5c4EGv0
                        TLSH:C8F63311F7BA6B78DE0F6730541693BE2DEE5CFCA25BAB24E08275819CF5516C242233
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8(da............................uC............@........................................... ............................
                        Icon Hash:b0400631585858d8
                        Entrypoint:0x404375
                        Entrypoint Section:.text
                        Digitally signed:true
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                        DLL Characteristics:TERMINAL_SERVER_AWARE
                        Time Stamp:0x61642838 [Mon Oct 11 12:04:08 2021 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:187b3ae62ff818788b8c779ef7bc3d1c
                        Signature Valid:true
                        Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                        Signature Validation Error:The operation completed successfully
                        Error Number:0
                        Not Before, Not After
                        • 30/08/2023 18:05:05 30/08/2026 18:05:05
                        Subject Chain
                        • CN=Cendio AB, O=Cendio AB, L=LINKÖPING, S=ÖSTERGÖTLAND, C=SE, OID.1.3.6.1.4.1.311.60.2.1.3=SE, SERIALNUMBER=556450-2507, OID.2.5.4.15=Private Organization
                        Version:3
                        Thumbprint MD5:0366C76FE5BC8FBD70AE27F084410B0D
                        Thumbprint SHA-1:1C9EABCA0A8289856A4CDC6A112A9D8DD7EF36FC
                        Thumbprint SHA-256:621AF3161D7168CCC3191D47F6DD7476C174845F8B901BA7435467F06BA92604
                        Serial:3773981AD1CE969CE0BB7B70
                        Instruction
                        push ebp
                        mov ebp, esp
                        push edi
                        push esi
                        push ebx
                        sub esp, 000001ACh
                        mov dword ptr [esp], 00008001h
                        call dword ptr [0042D434h]
                        push ecx
                        call dword ptr [0042D3FCh]
                        cmp ax, 0006h
                        je 00007F7904D65A5Dh
                        mov dword ptr [esp], 00000000h
                        call 00007F7904D69937h
                        test eax, eax
                        push edx
                        je 00007F7904D65A4Ch
                        mov dword ptr [esp], 00000C00h
                        call eax
                        push edi
                        mov ebx, 0040B360h
                        cmp byte ptr [ebx], 00000000h
                        je 00007F7904D65A5Bh
                        mov dword ptr [esp], ebx
                        call 00007F7904D6988Bh
                        push ecx
                        mov dword ptr [esp], ebx
                        call dword ptr [0042D464h]
                        lea ebx, dword ptr [ebx+eax+01h]
                        push esi
                        jmp 00007F7904D65A24h
                        mov dword ptr [esp], 0000000Dh
                        call 00007F7904D698F9h
                        push ebx
                        mov dword ptr [esp], 0000000Bh
                        call 00007F7904D698ECh
                        push esi
                        mov dword ptr [0042BCA0h], eax
                        call dword ptr [0042D354h]
                        mov dword ptr [esp], 00000000h
                        call dword ptr [0042D474h]
                        mov dword ptr [0042BC18h], eax
                        push edi
                        lea eax, dword ptr [ebp-00000178h]
                        mov dword ptr [esp+10h], 00000000h
                        mov dword ptr [esp+0Ch], 00000160h
                        mov dword ptr [esp+08h], eax
                        mov dword ptr [esp+04h], 00000000h
                        mov dword ptr [esp], 0040B31Dh
                        call dword ptr [00000088h]
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2d000 | 0x127c | .idata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x45000 | 0x9098 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0xeba1e0 | 0x2240 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11000 | 0x1c | .buildid
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0x8b24 | 0x8c00 | 702d3d543204d4fb4fe35e694ce77af0 | False | 0.5350725446428571 | data | 5.945144099067416 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .data | 0xa000 | 0xe0 | 0x200 | 9b1e9ed6e39d94bf55388f5a8ca6e478 | False | 0.203125 | data | 1.6245412671003 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rdata | 0xb000 | 0x5b30 | 0x5c00 | fdf7eef6c28fdcb6e1ce7d794d47652b | False | 0.6998980978260869 | data | 7.119781812111815 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                        .buildid | 0x11000 | 0x35 | 0x200 | 2c695e2751b3786ee67f1ae1d75fbd86 | False | 0.099609375 | data | 0.5532620960138599 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                        .bss | 0x12000 | 0x1ad00 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .idata | 0x2d000 | 0x127c | 0x1400 | 66f598127c5ff6539a01ca7e0b74fd5b | False | 0.3705078125 | data | 5.153176056041349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .ndata | 0x2f000 | 0x16000 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc | 0x45000 | 0x9098 | 0x9200 | a1ababb878329d36ad81786916aef761 | False | 0.18672410102739725 | data | 3.7917976682578614 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_ICON | 0x45460 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3543 x 3543 px/m | English | United States | 0.04066390041493776
                        RT_ICON | 0x47a08 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 866 x 866 px/m | English | United States | 0.07809568480300187
                        RT_ICON | 0x48ab0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 3543 x 3543 px/m, 256 important colors | English | United States | 0.09035181236673774
                        RT_ICON | 0x49958 | 0xc4d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8980628771038425
                        RT_ICON | 0x4a5a8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 3543 x 3543 px/m | English | United States | 0.0930327868852459
                        RT_ICON | 0x4af30 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 866 x 866 px/m, 256 important colors | English | United States | 0.1421480144404332
                        RT_ICON | 0x4b7d8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, resolution 3543 x 3543 px/m, 256 important colors | English | United States | 0.13076036866359447
                        RT_ICON | 0x4bea0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152, resolution 3543 x 3543 px/m, 16 important colors | English | United States | 0.1329268292682927
                        RT_ICON | 0x4c508 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 3543 x 3543 px/m, 256 important colors | English | United States | 0.12427745664739884
                        RT_ICON | 0x4ca70 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3543 x 3543 px/m | English | United States | 0.14716312056737588
                        RT_ICON | 0x4ced8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512, resolution 866 x 866 px/m, 16 important colors | English | United States | 0.27419354838709675
                        RT_ICON | 0x4d1c0 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288, resolution 3543 x 3543 px/m, 16 important colors | English | United States | 0.33401639344262296
                        RT_ICON | 0x4d3a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, resolution 3543 x 3543 px/m, 16 important colors | English | United States | 0.4527027027027027
                        RT_DIALOG | 0x4d4d0 | 0x144 | data | English | United States | 0.5339506172839507
                        RT_DIALOG | 0x4d618 | 0x246 | data | English | United States | 0.38316151202749144
                        RT_DIALOG | 0x4d860 | 0x104 | data | English | United States | 0.6076923076923076
                        RT_DIALOG | 0x4d968 | 0xa0 | data | English | United States | 0.60625
                        RT_DIALOG | 0x4da08 | 0x10a | data | English | United States | 0.5488721804511278
                        RT_DIALOG | 0x4db18 | 0xee | data | English | United States | 0.6092436974789915
                        RT_GROUP_ICON | 0x4dc08 | 0xbc | data | English | United States | 0.601063829787234
                        RT_MANIFEST | 0x4dcc8 | 0x3c9 | XML 1.0 document, ASCII text, with very long lines (969), with no line terminators | English | United States | 0.52218782249742
                        DLL | Import
                        ADVAPI32.dll | RegCloseKey, RegCreateKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, SetFileSecurityA
                        COMCTL32.DLL | ImageList_AddMasked, ImageList_Create, ImageList_Destroy, InitCommonControls
                        GDI32.dll | CreateBrushIndirect, CreateFontIndirectA, DeleteObject, GetDeviceCaps, SelectObject, SetBkColor, SetBkMode, SetTextColor
                        KERNEL32.dll | CloseHandle, CompareFileTime, CopyFileA, CreateDirectoryA, CreateFileA, CreateProcessA, CreateThread, DeleteFileA, ExitProcess, ExpandEnvironmentStringsA, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetCommandLineA, GetCurrentProcess, GetDiskFreeSpaceA, GetExitCodeProcess, GetFileAttributesA, GetFileSize, GetFullPathNameA, GetLastError, GetModuleFileNameA, GetModuleHandleA, GetPrivateProfileStringA, GetProcAddress, GetShortPathNameA, GetSystemDirectoryA, GetTempFileNameA, GetTempPathA, GetTickCount, GetVersion, GetWindowsDirectoryA, GlobalAlloc, GlobalFree, GlobalLock, GlobalUnlock, LoadLibraryExA, MoveFileA, MulDiv, MultiByteToWideChar, ReadFile, RemoveDirectoryA, SearchPathA, SetCurrentDirectoryA, SetErrorMode, SetFileAttributesA, SetFilePointer, SetFileTime, Sleep, WaitForSingleObject, WriteFile, WritePrivateProfileStringA, lstrcatA, lstrcmpA, lstrcmpiA, lstrcpynA, lstrlenA
                        ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
                        SHELL32.DLL | SHBrowseForFolderA, SHFileOperationA, SHGetFileInfoA, SHGetPathFromIDListA, SHGetSpecialFolderLocation, ShellExecuteA
                        USER32.dll | AppendMenuA, BeginPaint, CallWindowProcA, CharNextA, CharPrevA, CheckDlgButton, CloseClipboard, CreateDialogParamA, CreatePopupMenu, CreateWindowExA, DefWindowProcA, DestroyWindow, DialogBoxParamA, DispatchMessageA, DrawTextA, EmptyClipboard, EnableMenuItem, EnableWindow, EndDialog, EndPaint, ExitWindowsEx, FillRect, FindWindowExA, GetClassInfoA, GetClientRect, GetDC, GetDlgItem, GetDlgItemTextA, GetMessagePos, GetSysColor, GetSystemMenu, GetSystemMetrics, GetWindowLongA, GetWindowRect, InvalidateRect, IsWindow, IsWindowEnabled, IsWindowVisible, LoadBitmapA, LoadCursorA, LoadImageA, MessageBoxIndirectA, OpenClipboard, PeekMessageA, PostQuitMessage, RegisterClassA, ScreenToClient, SendMessageA, SendMessageTimeoutA, SetClassLongA, SetClipboardData, SetCursor, SetDlgItemTextA, SetForegroundWindow, SetTimer, SetWindowLongA, SetWindowPos, SetWindowTextA, ShowWindow, SystemParametersInfoA, TrackPopupMenu, wsprintfA
                        Language of compilation system | Country where language is spoken
                        English | United States


                        • Total Packets: 6
                        • 80 (HTTP)
                        • 53 (DNS)
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Feb 18, 2025 20:45:05.431147099 CET | 49835 | 80 | 192.168.2.6 | 193.12.253.124
                        Feb 18, 2025 20:45:05.437225103 CET | 80 | 49835 | 193.12.253.124 | 192.168.2.6
                        Feb 18, 2025 20:45:05.437463045 CET | 49835 | 80 | 192.168.2.6 | 193.12.253.124
                        Feb 18, 2025 20:45:05.437463045 CET | 49835 | 80 | 192.168.2.6 | 193.12.253.124
                        Feb 18, 2025 20:45:05.443958044 CET | 80 | 49835 | 193.12.253.124 | 192.168.2.6
                        Feb 18, 2025 20:45:06.114604950 CET | 80 | 49835 | 193.12.253.124 | 192.168.2.6
                        Feb 18, 2025 20:45:06.115484953 CET | 49835 | 80 | 192.168.2.6 | 193.12.253.124
                        Feb 18, 2025 20:45:06.120737076 CET | 80 | 49835 | 193.12.253.124 | 192.168.2.6
                        Feb 18, 2025 20:45:06.120831966 CET | 49835 | 80 | 192.168.2.6 | 193.12.253.124

                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Feb 18, 2025 20:45:05.253392935 CET | 65331 | 53 | 192.168.2.6 | 1.1.1.1
                        Feb 18, 2025 20:45:05.427000046 CET | 53 | 65331 | 1.1.1.1 | 192.168.2.6

                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Feb 18, 2025 20:45:05.253392935 CET | 192.168.2.6 | 1.1.1.1 | 0x9b46 | Standard query (0) | www.cendio.com | A (IP address) | IN (0x0001) | false

                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Feb 18, 2025 20:45:05.427000046 CET | 1.1.1.1 | 192.168.2.6 | 0x9b46 | No error (0) | www.cendio.com |  | 193.12.253.124 | A (IP address) | IN (0x0001) | false
                        • www.cendio.com
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.6 | 49835 | 193.12.253.124 | 80 | 3180 | C:\Program Files\ThinLinc client\tlclient.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Feb 18, 2025 20:45:05.437463045 CET | 131 | OUT | GET /downloads/clients/clientupdate.conf HTTP/1.1
                        Host: www.cendio.com
                        Keep-Alive:
                        Connection: TE, Keep-Alive
                        TE: trailers
                        Feb 18, 2025 20:45:06.114604950 CET | 596 | IN | HTTP/1.1 200 OK
                        Date: Tue, 18 Feb 2025 19:45:06 GMT
                        Server: Apache
                        Last-Modified: Fri, 27 Dec 2024 09:46:29 GMT
                        ETag: "120-62a3d565387dc"
                        Accept-Ranges: bytes
                        Content-Length: 288
                        Vary: Accept-Encoding
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/plain; charset=UTF-8
                        Data Ascii: WINDOWSINSTALLER = https://www.cendio.com/downloads/clients/tl-latest-client-windows.exeLINUXINSTALLER = https://www.cendio.com/thinlinc/download/DEFAULTINSTALLER = https://www.cendio.com/thinlinc/download/OKVERSIONS = 4.18.0 4.18.0post 4.18.1 4.18.2 4.19.0 4.19.1 4.20.0 4.20.1 5.0.0



                        Target ID:0
                        Start time:14:44:38
                        Start date:18/02/2025
                        Path:C:\Users\user\Desktop\tl-4.18.0-client-windows.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\tl-4.18.0-client-windows.exe"
                        Imagebase:0x400000
                        File size:15'451'168 bytes
                        MD5 hash:168280AE119955B0E9EFF6716951E5DA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:5
                        Start time:14:44:58
                        Start date:18/02/2025
                        Path:C:\Windows\regedit.exe
                        Wow64 process (32bit):false
                        Commandline:regedit.exe /s "C:\Program Files\ThinLinc client\settings.reg"
                        Imagebase:0x7ff641820000
                        File size:370'176 bytes
                        MD5 hash:999A30979F6195BF562068639FFC4426
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:true

                        Target ID:7
                        Start time:14:45:03
                        Start date:18/02/2025
                        Path:C:\Program Files\ThinLinc client\tlclient.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\ThinLinc client\tlclient.exe"
                        Imagebase:0x7ff7934f0000
                        File size:4'003'328 bytes
                        MD5 hash:96E3878B529F456C5C38E2F22EF6B53B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:false

                        No disassembly