Windows
Analysis Report
ConnectWiseControl.Client.exe
Overview
General Information
| Detection | Value |
|---|---|
| Score | 36 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 80% |
Signatures
Classification
- System is w10x64_ra
- ConnectWiseControl.Client.exe (PID: 7024, cmdline: C:\Users\user\Desktop\ConnectWiseControl.Client.exe, MD5: DBAC4578027BB4FD75AC8B10312157D0)
- dfsvc.exe (PID: 6992, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, MD5: 60C91843ADCE3750F2A0835F0594D438)
- cleanup
- AV Detection
- Compliance
- Networking
- E-Banking Fraud
- System Summary
- Data Obfuscation
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- Language, Device and Operating System Detection
AV Detection

| Signature detail | Entries |
|---|---|
| Virustotal | 1 |
| Static PE information | 2 |
| HTTPS traffic detected | 1 |
| Static PE information | 1 |
| Binary string | 10 |
| JA3 fingerprint | 1 |
| HTTP traffic detected | 2 |
| Network traffic detected | 4 |
| UDP traffic detected without corresponding DNS query | 6 |
| String found in binary or memory | 71 |
| DNS traffic detected | 1 |
| HTTP traffic detected | 2 |
| HTTPS traffic detected | 1 |
| File created (dropped file) | 1 |
| Static PE information | 1 |
| Virustotal | 1 |
| File read | 1 |
| Static PE information | 1 |
| Key opened | 1 |
| Section loaded | 1 |
| Process created | 3 |
| Key value queried | 1 |
| File created | 2 |
| Classification label | 1 |
| File read | 4 |
| Key opened | 1 |
| Window detected | 1 |
| File opened | 1 |
| Static PE information | 1 |
| Static PE information | 6 |
| Static PE information | 1 |
| Static PE information | 1 |
| Binary string | 10 |
| Static PE information | 5 |
| Static PE information | 1 |
| Code function: 2_2_00007FFF61D3DE06 | 1 |
| Key value created or modified | 1 |
| Process information set | 86 |
| Window / User API | 1 |
| Thread sleep count | 1 |
| Thread sleep time | 63 |
| Thread delayed | 62 |
| Thread delayed | 63 |
| Binary or memory string | 4 |
| Process created | 1 |
| Process token adjusted | 1 |
| Memory allocated | 1 |
| Queries volume information | 177 |
| Key value queried | 1 |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Modify Registry | LSASS Memory | 21 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 21 Virtualization/Sandbox Evasion | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 3 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Process Injection | LSA Secrets | 13 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Obfuscated Files or Information | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
19% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | HEUR/AGEN.1363355 | Download File |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
server-nix317f89b6-web.screenconnect.com | 145.40.105.166 | true | false | high | |
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown |
connect.screenconnect.com | unknown | unknown | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high | ||
false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | | unknown | ||
false | | unknown | ||
false | high | |||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | | unknown | ||
false | | unknown | ||
false | high | |||
false | high | |||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | high | |||
false | | unknown | ||
false | high | |||
false | high | |||
false | | unknown | ||
false | high | |||
false | high | |||
false | | unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | | unknown | ||
false | | low | ||
false | | unknown | ||
false | | unknown | ||
false | high | |||
false | high | |||
false | | unknown | ||
false | | low | ||
false | high | |||
false | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
145.40.105.166 | server-nix317f89b6-web.screenconnect.com | Netherlands | | 34108 | BREEDBANDDELFTNL | false |
Joe Sandbox Version: | 37.0.0 Beryl |
Analysis ID: | 849197 |
Start date and time: | 2023-04-18 20:45:27 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 25s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Analysis system description: | Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip) |
Number of analysed new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 1 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | ConnectWiseControl.Client.exe |
Detection: | SUS |
Classification: | sus36.winEXE@3/8@6/1 |
EGA Information: | |
HDC Information: | Failed |
HCA Information: | Failed |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 192.229.221.95, 8.248.115.254, 67.26.75.254, 8.253.95.249, 8.253.204.120, 67.27.158.126, 209.197.3.8
- Excluded domains from analysis (whitelisted): client.wns.windows.com, fg.download.windowsupdate.com.c.footprint.net, login.live.com, slscr.update.microsoft.com, cacerts.digicert.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtDeviceIoControlFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description |
---|---|---|
20:46:03 | API Interceptor | |
20:46:03 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
fp2e7a.wpc.phicdn.net | Get hash | malicious | Nymaim | Browse | | |
Get hash | malicious | Nymaim | Browse | | ||
Get hash | malicious | Unknown | Browse | | ||
Get hash | malicious | Nymaim | Browse | | ||
Get hash | malicious | Nymaim | Browse | | ||
Get hash | malicious | CryptbotV2, MinerDownloader, Nymaim, RedLine, Xmrig | Browse | | ||
Get hash | malicious | Unknown | Browse | | ||
Get hash | malicious | ScreenConnect Tool | Browse | | ||
Get hash | malicious | ScreenConnect Tool | Browse | | ||
Get hash | malicious | CryptbotV2, MinerDownloader, Nymaim, RedLine, Xmrig | Browse | | ||
Get hash | malicious | SmokeLoader | Browse | | ||
Get hash | malicious | Unknown | Browse | | ||
Get hash | malicious | DanaBot | Browse | | ||
Get hash | malicious | Unknown | Browse | | ||
Get hash | malicious | Unknown | Browse | | ||
Get hash | malicious | Unknown | Browse | | ||
Get hash | malicious | Unknown | Browse | | ||
Get hash | malicious | ScreenConnect Tool | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
BREEDBANDDELFTNL | Get hash | malicious | ScreenConnect Tool | Browse | | |
Get hash | malicious | ScreenConnect Tool | Browse | | ||
Get hash | malicious | Mirai, Moobot | Browse | | ||
Get hash | malicious | Unknown | Browse | | ||
Get hash | malicious | IPStorm | Browse | | ||
Get hash | malicious | IPStorm | Browse | | ||
Get hash | malicious | Mirai | Browse | | ||
Get hash | malicious | Wannacry | Browse | | ||
Get hash | malicious | Mirai | Browse | | ||
Get hash | malicious | Mirai | Browse | | ||
Get hash | malicious | Mirai | Browse | | ||
Get hash | malicious | Mirai | Browse | | ||
Get hash | malicious | Mirai | Browse | | ||
Get hash | malicious | Unknown | Browse | | ||
Get hash | malicious | Mirai | Browse | | ||
Get hash | malicious | Mirai | Browse | | ||
Get hash | malicious | Unknown | Browse | | ||
Get hash | malicious | Mirai | Browse | | ||
Get hash | malicious | Unknown | Browse | | ||
Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
3b5074b1b5d032e5620f69f9f700ff0e | Get hash | malicious | AgentTesla, zgRAT | Browse | | |
Get hash | malicious | AgentTesla | Browse | | ||
Get hash | malicious | AgentTesla, zgRAT | Browse | | ||
Get hash | malicious | AgentTesla, zgRAT | Browse | | ||
Get hash | malicious | AgentTesla | Browse | | ||
Get hash | malicious | AgentTesla | Browse | | ||
Get hash | malicious | AgentTesla | Browse | | ||
Get hash | malicious | Snake Keylogger, StormKitty | Browse | | ||
Get hash | malicious | Remcos | Browse | | ||
Get hash | malicious | AgentTesla, zgRAT | Browse | | ||
Get hash | malicious | AgentTesla | Browse | | ||
Get hash | malicious | AgentTesla | Browse | | ||
Get hash | malicious | AgentTesla | Browse | | ||
Get hash | malicious | AgentTesla, zgRAT | Browse | | ||
Get hash | malicious | AgentTesla | Browse | | ||
Get hash | malicious | AgentTesla, zgRAT | Browse | | ||
Get hash | malicious | AgentTesla, zgRAT | Browse | | ||
Get hash | malicious | HTMLPhisher | Browse | | ||
Get hash | malicious | AgentTesla | Browse | | ||
Get hash | malicious | AgentTesla | Browse | |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 62582 |
Entropy (8bit): | 7.996063107774368 |
Encrypted: | true |
SSDEEP: | 1536:Jk3XPi43VgGp0gB2itudTSRAn/TWTdWftu:CHa43V5p022iZ4CgA |
MD5: | E71C8443AE0BC2E282C73FAEAD0A6DD3 |
SHA1: | 0C110C1B01E68EDFACAEAE64781A37B1995FA94B |
SHA-256: | 95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72 |
SHA-512: | B38458C7FA2825AFB72794F374827403D5946B1132E136A0CE075DFD351277CF7D957C88DC8A1E4ADC3BCAE1FA8010DAE3831E268E910D517691DE24326391A6 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1428 |
Entropy (8bit): | 7.688784034406474 |
Encrypted: | false |
SSDEEP: | 24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR |
MD5: | 78F2FCAA601F2FB4EBC937BA532E7549 |
SHA1: | DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 |
SHA-256: | 552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988 |
SHA-512: | BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 328 |
Entropy (8bit): | 3.1106395177888357 |
Encrypted: | false |
SSDEEP: | 6:kKy8Nry/7UN+SkQlPlEGYRMY9z+4KlDA3RUecZUt:XRCvkPlE99SNxAhUext |
MD5: | EE96586F17F74C5E42F9955A6075FF43 |
SHA1: | D8F1CA1573598FAD9D22BA555EB42388E0F96FAD |
SHA-256: | A5D88710A74D8F1074CAE3E09488A95BEAB0A29947E82F3E2524DA2359145E54 |
SHA-512: | 76A1FA196EC7E8C61F260E674CDDE0E0C6DAA5086FEACEFF4D98F0874BD090C3939B43BFFCDE1BD906AE0700C59658A10F0651813DDE27FDED3B503A294728D5 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 254 |
Entropy (8bit): | 3.0578008846792466 |
Encrypted: | false |
SSDEEP: | 6:kKskNLLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:EkNLLYS4tWOxSW0PAMsZp |
MD5: | A72FA4B4F06DD1BC1571EB6EEDE37A1A |
SHA1: | AC806D0FB07EED0BE2CA61D7AADDB99C106E196F |
SHA-256: | 066CD39446E19F18E5FE6D75F28FDD42949497DFA5C04EA6E0168042D11384E5 |
SHA-512: | 6F6804B5EB1F3651BCF89965FA6BC3BA3AB7AD7B95FC64A142FF1B2E0735E4C8DB63290E432D59644CD26207AC813ED1AF053DC515F920CA1292DEBC3B75BDAD |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe |
File Type: | |
Category: | modified |
Size (bytes): | 12652 |
Entropy (8bit): | 3.83156145161052 |
Encrypted: | false |
SSDEEP: | 96:tEBtdf0wt4vTZgmBpdf0wt4vTZeISaOy0l6df0wt4vTZri3c/yI8///YgrxOiUeB:OzCTZgmtzCTZlXzCTZWMKTye1j3n |
MD5: | B6DEFAF1EA2C887EF2FF43D922E0DEB7 |
SHA1: | 0F317DCA739141D6AEFFE5A370072CEE72A27A09 |
SHA-256: | 77DDC32A82362A915D760F88DDE731B61F0CB129ABCF7393D6F07B647827AA54 |
SHA-512: | 678499D0C57C8F185D17AF09C81A0A1F91378A011364BE977AAE433AC08F66C9EB3211088D896BDFE9EF604771F9EA6CDC5581B5CA9388FB72739C796EEE5346 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 17059 |
Entropy (8bit): | 5.976059030468437 |
Encrypted: | false |
SSDEEP: | 192:oRKeB4K8C982tl7B9UFU468QX8s8oBHJ2218s8ovN8s8oTN2x2QPIlFDL4EDh7BY:zeBt8M82fLaf6NX9/X9FX9R/QPIYM7Y7 |
MD5: | 9165412EE08839B9702BD4971864A133 |
SHA1: | A229E0582DC95272BC15ACD59B73B5B6C8C5ABCD |
SHA-256: | 6BB1C1AA5663AD33EDA2256037DA8E7439502C206D4C0047270A2FD1F006BB50 |
SHA-512: | 7B84CE7685DACA320545EC6A0DD55E7F4D85BB53F58F8FEB163439CC06357E17CBB4E021DD957A7AF6287FE34B3379DB85DD452EBE118CE4023394D5A18A62E5 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 147997 |
Entropy (8bit): | 5.444247651158987 |
Encrypted: | false |
SSDEEP: | 3072:F+k0/nDw6APSIU6WV7WkrX/9yMidm2o9HuzhJOvP:slDw6AP6VCdmt8vOvP |
MD5: | F1FFA28C9FB6D72CE24FAE50A5E75853 |
SHA1: | 4C484FC1C671527494CF1E759B3648AA1A2839F7 |
SHA-256: | 145DB2A5A3A2BB769D16C7C21B82ECDE4A740E8CD4084CC30F9876CB8578E59A |
SHA-512: | 244F0710D253A5C6C2C5EB8436AE32CE86A092ABE0002A5E5FF7266501A01CC3CFA5F6859584BC7563B5A3F76F2BB5D91E0BC47665936379DA9A6829B9FB694A |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 87 |
Entropy (8bit): | 3.463057265798253 |
Encrypted: | false |
SSDEEP: | 3:/lqlhGXKRjgjkFmURueGvx2VTUz:4DRPAx2Kz |
MD5: | D2DED43CE07BFCE4D1C101DFCAA178C8 |
SHA1: | CE928A1293EA2ACA1AC01B61A344857786AFE509 |
SHA-256: | 8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050 |
SHA-512: | A05486D523556C75FAAEEFE09BB2F8159A111B1B3560142E19048E6E3898A506EE4EA27DD6A4412EE56A7CE7C21E8152B1CDD92804BAF9FAC43973FABE006A2F |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 6.365735980719454 |
TrID: | |
File name: | ConnectWiseControl.Client.exe |
File size: | 86288 |
MD5: | dbac4578027bb4fd75ac8b10312157d0 |
SHA1: | f26b77dc1657cdb4ee10177d3e6c7c5c52726568 |
SHA256: | 22ed0ca25db71cef62ab471c12ee0989c18a326dbc9b4e5518cfcd9678863bd3 |
SHA512: | fa5dfc0cb16cc300dac0ee01845d135036353eaf4ffbbce5f2a12533680cd37d6f5432106e11e3b6238d4debac01152eb4a4a88cd458343aac6a1d3b604ee8ce |
SSDEEP: | 1536:bazWlKzJVcNp++yQNS6xNNCT2l8NE8llbpTaCJRpsWr6cdaQTJSvYY27QkPx3s/:pFNpo6rIKlUE8fbkqRfbaQlaYY2Lx3K |
TLSH: | C0835B13B5D18475E8B20E3118B1D9F4993F7E114E648EAB2398427E0F351D1AE3AE7B |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ll..-...-...-..Q....-..Q....-..Q....-..eV...-..eV...-..eV...-...U...-...-...-..kV...-..kV...-..kV...-..Rich.-................. |
Icon Hash: | 00828e8e8686b000 |
Entrypoint: | 0x4014ba |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6377E339 [Fri Nov 18 19:55:37 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 7631a79a9071099fa4803e1c4c5df207 |
Signature Valid: | true |
Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | AAE704EC2810686C3BF7704E660AFB5D |
Thumbprint SHA-1: | 4C2272FBA7A7380F55E2A424E9E624AEE1C14579 |
Thumbprint SHA-256: | 82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28 |
Serial: | 0B9360051BCCF66642998998D5BA97CE |
Instruction |
---|
call 00007F24C882FA0Ah |
jmp 00007F24C882F4BFh |
push ebp |
mov ebp, esp |
push 00000000h |
call dword ptr [0040B058h] |
push dword ptr [ebp+08h] |
call dword ptr [0040B054h] |
push C0000409h |
call dword ptr [0040B05Ch] |
push eax |
call dword ptr [0040B060h] |
pop ebp |
ret |
push ebp |
mov ebp, esp |
sub esp, 00000324h |
push 00000017h |
call dword ptr [0040B064h] |
test eax, eax |
je 00007F24C882F647h |
push 00000002h |
pop ecx |
int 29h |
mov dword ptr [00411880h], eax |
mov dword ptr [0041187Ch], ecx |
mov dword ptr [00411878h], edx |
mov dword ptr [00411874h], ebx |
mov dword ptr [00411870h], esi |
mov dword ptr [0041186Ch], edi |
mov word ptr [00411898h], ss |
mov word ptr [0041188Ch], cs |
mov word ptr [00411868h], ds |
mov word ptr [00411864h], es |
mov word ptr [00411860h], fs |
mov word ptr [0041185Ch], gs |
pushfd |
pop dword ptr [00411890h] |
mov eax, dword ptr [ebp+00h] |
mov dword ptr [00411884h], eax |
mov eax, dword ptr [ebp+04h] |
mov dword ptr [00411888h], eax |
lea eax, dword ptr [ebp+08h] |
mov dword ptr [00411894h], eax |
mov eax, dword ptr [ebp-00000324h] |
mov dword ptr [004117D0h], 00010001h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10614 | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x13000 | 0x1e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x11800 | 0x3910 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14000 | 0xde0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xfe40 | 0x70 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xfd80 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb000 | 0x144 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x9d38 | 0x9e00 | False | 0.6047270569620253 | data | 6.5891945477373035 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xb000 | 0x5d82 | 0x5e00 | False | 0.4187998670212766 | OpenPGP Secret Key | 4.852409164250541 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x11000 | 0x118c | 0x800 | False | 0.16357421875 | data | 1.9966704570134595 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x13000 | 0x1e0 | 0x200 | False | 0.52734375 | data | 4.703723272345726 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x14000 | 0xde0 | 0xe00 | False | 0.7806919642857143 | data | 6.505236561547605 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_MANIFEST | 0x13060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
DLL | Import |
---|---|
CRYPT32.dll | CertCreateCertificateContext, CertDeleteCertificateFromStore, CertOpenSystemStoreA, CryptMsgClose, CertFreeCertificateContext, CertAddCertificateContextToStore, CryptQueryObject, CertCloseStore, CryptMsgGetParam |
KERNEL32.dll | ReadFile, GetModuleFileNameW, SetFilePointer, LocalAlloc, CreateFileW, Sleep, LoadLibraryA, CloseHandle, GetProcAddress, LocalFree, WriteConsoleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, DecodePointer |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
- Total Packets: 58
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 18, 2023 20:46:08.799962997 CEST | 49735 | 53 | 192.168.2.3 | 1.1.1.1 |
Apr 18, 2023 20:46:08.831942081 CEST | 53 | 49735 | 1.1.1.1 | 192.168.2.3 |
Apr 18, 2023 20:46:08.861574888 CEST | 60255 | 53 | 192.168.2.3 | 1.1.1.1 |
Apr 18, 2023 20:46:08.892779112 CEST | 53 | 60255 | 1.1.1.1 | 192.168.2.3 |
Apr 18, 2023 20:46:25.377913952 CEST | 61624 | 53 | 192.168.2.3 | 1.1.1.1 |
Apr 18, 2023 20:46:25.409537077 CEST | 53 | 61624 | 1.1.1.1 | 192.168.2.3 |
Apr 18, 2023 20:46:25.431564093 CEST | 56375 | 53 | 192.168.2.3 | 1.1.1.1 |
Apr 18, 2023 20:46:25.462487936 CEST | 53 | 56375 | 1.1.1.1 | 192.168.2.3 |
Apr 18, 2023 20:47:02.429888964 CEST | 59296 | 53 | 192.168.2.3 | 1.1.1.1 |
Apr 18, 2023 20:47:02.461617947 CEST | 53 | 59296 | 1.1.1.1 | 192.168.2.3 |
Apr 18, 2023 20:47:02.465924978 CEST | 61173 | 53 | 192.168.2.3 | 1.1.1.1 |
Apr 18, 2023 20:47:02.526011944 CEST | 53 | 61173 | 1.1.1.1 | 192.168.2.3 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 18, 2023 20:46:08.799962997 CEST | 192.168.2.3 | 1.1.1.1 | 0xc40 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 18, 2023 20:46:08.861574888 CEST | 192.168.2.3 | 1.1.1.1 | 0xc474 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 18, 2023 20:46:25.377913952 CEST | 192.168.2.3 | 1.1.1.1 | 0xfe77 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 18, 2023 20:46:25.431564093 CEST | 192.168.2.3 | 1.1.1.1 | 0x51f3 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 18, 2023 20:47:02.429888964 CEST | 192.168.2.3 | 1.1.1.1 | 0xed9b | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 18, 2023 20:47:02.465924978 CEST | 192.168.2.3 | 1.1.1.1 | 0xbd02 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 18, 2023 20:46:08.831942081 CEST | 1.1.1.1 | 192.168.2.3 | 0xc40 | No error (0) | | server-nix317f89b6-web.screenconnect.com | | CNAME (Canonical name) | IN (0x0001) | false |
Apr 18, 2023 20:46:08.831942081 CEST | 1.1.1.1 | 192.168.2.3 | 0xc40 | No error (0) | | | 145.40.105.166 | A (IP address) | IN (0x0001) | false |
Apr 18, 2023 20:46:08.892779112 CEST | 1.1.1.1 | 192.168.2.3 | 0xc474 | No error (0) | | server-nix317f89b6-web.screenconnect.com | | CNAME (Canonical name) | IN (0x0001) | false |
Apr 18, 2023 20:46:08.892779112 CEST | 1.1.1.1 | 192.168.2.3 | 0xc474 | No error (0) | | | 145.40.105.166 | A (IP address) | IN (0x0001) | false |
Apr 18, 2023 20:46:25.409537077 CEST | 1.1.1.1 | 192.168.2.3 | 0xfe77 | No error (0) | | server-nix317f89b6-web.screenconnect.com | | CNAME (Canonical name) | IN (0x0001) | false |
Apr 18, 2023 20:46:25.409537077 CEST | 1.1.1.1 | 192.168.2.3 | 0xfe77 | No error (0) | | | 145.40.105.166 | A (IP address) | IN (0x0001) | false |
Apr 18, 2023 20:46:25.462487936 CEST | 1.1.1.1 | 192.168.2.3 | 0x51f3 | No error (0) | | server-nix317f89b6-web.screenconnect.com | | CNAME (Canonical name) | IN (0x0001) | false |
Apr 18, 2023 20:46:25.462487936 CEST | 1.1.1.1 | 192.168.2.3 | 0x51f3 | No error (0) | | | 145.40.105.166 | A (IP address) | IN (0x0001) | false |
Apr 18, 2023 20:46:30.577485085 CEST | 1.1.1.1 | 192.168.2.3 | 0xba13 | No error (0) | | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
Apr 18, 2023 20:46:30.577485085 CEST | 1.1.1.1 | 192.168.2.3 | 0xba13 | No error (0) | | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
Apr 18, 2023 20:47:02.461617947 CEST | 1.1.1.1 | 192.168.2.3 | 0xed9b | No error (0) | | server-nix317f89b6-web.screenconnect.com | | CNAME (Canonical name) | IN (0x0001) | false |
Apr 18, 2023 20:47:02.461617947 CEST | 1.1.1.1 | 192.168.2.3 | 0xed9b | No error (0) | | | 145.40.105.166 | A (IP address) | IN (0x0001) | false |
Apr 18, 2023 20:47:02.526011944 CEST | 1.1.1.1 | 192.168.2.3 | 0xbd02 | No error (0) | | server-nix317f89b6-web.screenconnect.com | | CNAME (Canonical name) | IN (0x0001) | false |
Apr 18, 2023 20:47:02.526011944 CEST | 1.1.1.1 | 192.168.2.3 | 0xbd02 | No error (0) | | | 145.40.105.166 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49731 | 145.40.105.166 | 443 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2023-04-18 18:46:12 UTC | 0 | OUT | |
2023-04-18 18:46:12 UTC | 0 | IN | |
2023-04-18 18:46:12 UTC | 0 | IN | |
2023-04-18 18:46:12 UTC | 16 | IN | |
2023-04-18 18:46:12 UTC | 29 | IN | |
2023-04-18 18:46:12 UTC | 45 | IN | |
2023-04-18 18:46:12 UTC | 57 | IN | |
2023-04-18 18:46:12 UTC | 73 | IN | |
2023-04-18 18:46:12 UTC | 85 | IN | |
2023-04-18 18:46:12 UTC | 101 | IN | |
2023-04-18 18:46:12 UTC | 113 | IN | |
2023-04-18 18:46:12 UTC | 129 | IN | |
2023-04-18 18:46:12 UTC | 141 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.3 | 49734 | 145.40.105.166 | 443 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2023-04-18 18:46:25 UTC | 145 | OUT | |
2023-04-18 18:46:26 UTC | 145 | IN | |
2023-04-18 18:46:26 UTC | 145 | IN | |
2023-04-18 18:46:26 UTC | 161 | IN | |
Target ID: | 1 |
Start time: | 20:46:02 |
Start date: | 18/04/2023 |
Path: | C:\Users\user\Desktop\ConnectWiseControl.Client.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf60000 |
File size: | 86288 bytes |
MD5 hash: | DBAC4578027BB4FD75AC8B10312157D0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Target ID: | 2 |
Start time: | 20:46:02 |
Start date: | 18/04/2023 |
Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x228288b0000 |
File size: | 24112 bytes |
MD5 hash: | 60C91843ADCE3750F2A0835F0594D438 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Reputation: | low |
Execution Graph
Execution Coverage: | 20.1% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 9 |
Total number of Limit Nodes: | 0 |